Cybercrime continues to rise, and in particular the hijacking of a corporation's or organization's network, which is then held for ransom via ransomware. What may be surprising is that cyber criminals do not always focus on large corporations. In fact, there is a growing trend of health care organizations and systems being targeted. One recent example is the May 2021 attack on Ireland's Health Service Executive, which affected both national and local systems involved in all core services.
Why is health care targeted so often? Health care organizations and systems are enticing to cyber criminals because they are strongly motivated to restore operations as quickly as possible. Two major reasons for this motivation are that health care organizations:
- are the holders of highly sensitive information such as personal health information (PHI);
- rely on their systems being functional to provide timely care to patients—any disruption to their services due to an attack can have serious implications.
For these reasons, there is a higher likelihood that an organization under attack would pay the ransom and do so quite quickly.
So, how can we proactively protect ourselves? Acting before an attack, rather than after it, avoids consequences that can be very serious indeed.
Although cyber criminals have several ways to infiltrate a system, particularly when the network infrastructure itself is vulnerable, they tend to go after the weakest link: employee credentials. This makes employees a major component of an organization's first line of defense, and an excellent place to focus part of its cyber security efforts: the return on investment is high and the cost is not.
Investing time and resources in employee awareness and education strengthens an organization's defenses. Here are a few ways this can be done:
- Staff awareness and education on email phishing: how to spot it and what to do about it.
- Reminding staff to apply updates to their devices regularly.
- Providing guidance on picking strong passwords.
- Implementing multi-factor authentication.
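To make "how to spot it" concrete, here is an added illustration (not code from the original article, nor from Beauceron) of the mechanical checks that phishing-awareness training teaches staff to do by eye: does the sender's domain match the organization's, does it contain digit-for-letter lookalikes, does Reply-To point somewhere else, and does the visible link text match where the link actually goes. The two messages, the trusted domain `example-hospital.org`, and the function names are all constructed for this example.

```python
"""Phishing indicator checks on a raw email message (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-hospital.org"  # assumed internal domain for this demo

# Constructed sample: imitates an internal IT notice but every indicator is wrong.
SAMPLE_EMAIL = b"""From: "IT Service Desk" <alerts@examp1e-hospital-support.net>
Reply-To: recover@mail-recovery-portal.com
To: nurse@example-hospital.org
Subject: Action required: your mailbox will be suspended today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires in 2 hours. Sign in now to keep access:</p>
<p><a href="http://login.example-hospital.org.account-verify.co/sso">https://login.example-hospital.org/sso</a></p>
</body></html>
"""

# Constructed sample: a legitimate notice where every indicator checks out.
CLEAN_EMAIL = b"""From: "IT Service Desk" <servicedesk@example-hospital.org>
To: nurse@example-hospital.org
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://intranet.example-hospital.org/maintenance">https://intranet.example-hospital.org/maintenance</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    A real tool would consult the public suffix list; fine for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(url_or_text):
    """Registrable domain of a URL, or of bare text that looks like a host."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)
    return registrable_domain(parsed.hostname or "")


def phishing_indicators(raw):
    """Return a list of human-readable red flags found in the raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(from_addr.partition("@")[2])
    if from_domain != TRUSTED_DOMAIN:
        findings.append(f"sender domain {from_domain!r} is not {TRUSTED_DOMAIN!r}")
    if re.search(r"\d", from_domain):  # digit-for-letter lookalike such as examp1e
        findings.append(f"sender domain {from_domain!r} contains digits (possible lookalike)")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registrable_domain(reply_to.partition("@")[2]) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "://" in text or "." in text:  # visible text looks like a URL
                if domain_of(text) != domain_of(href):
                    findings.append(
                        f"link text shows {domain_of(text)!r} but points to {domain_of(href)!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw))
```

Run against the suspicious sample it reports four flags (wrong sender domain, digit in the domain, mismatched Reply-To, link text that does not match the link target); the clean sample reports none. The link-text check in particular is the one that catches the most convincing lures, because the visible URL can say anything while the href goes elsewhere.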
Studies show that, although not a comprehensive measure on its own, the best investment an organization can make is educating its staff about email phishing. Even though awareness of cyber security is on the rise, 93% of malicious breaches still begin with social engineering. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information (e.g. login credentials) that can then be used for fraudulent purposes.
Organizations are strongly advised to invest in an employee education campaign covering email phishing and the other security basics listed above.
One way to implement an effective process is to use a platform such as the one developed by Beauceron, which provides organizations with a range of automated services for ongoing simulated phishing campaigns and cyber security education.
Cyber security awareness and education should not be a one-time activity. To keep the importance of this information fresh for existing staff, and to ensure that new staff learn the fundamentals, organizations should develop an ongoing cycle of education and awareness activities.