Prevent costly data breaches with phishing simulations

John Trest, March 24, 2023

Now is the time for dental practices to beef up their employees' awareness of spear phishing attacks, which account for 91% of successful data breaches. Team members need to know the various threats that practices face. And as you know, cyberattacks are becoming more prevalent and more sophisticated, so older training techniques just do not get the job done.


One strategy to boost your employees' resistance to a cyberattack attempt is to regularly conduct a phishing simulation. Dental practices can easily set up third-party simulations using a variety of emails that mimic actual attacks. Research shows that businesses that conduct simulated phishing attempts monthly have 27% fewer employees who fall victim to such attacks.

Because dental practices have important information stored in their systems, they are a likely target for hackers. The following article reviews the best practices for running a simulation and other information you need to know to get the most out of your security awareness and HIPAA training.

What to consider when preparing a simulated attack

Depending on the vendor or solution you plan to use, you may be able to choose the type of phishing attack you test. For example, in addition to email phishing, you could test smishing (phishing delivered by SMS text message) or voicemail phishing, which is known as vishing.

Then there is USB baiting: bogus, infected USB drives are planted around the office or in the parking lot and, once someone plugs one into a computer, it communicates back to the attackers. Adding optional simulations such as these reduces a practice's susceptibility to phishing attacks. It also lets you vary the training so employees see the wider range of real-world attacks they should be watching for.

Getting the most impact

How do you integrate simulated cyberattacks into a training program so that they have the most impact on employees? Start with the concept of learner retention. Information learned during training is quickly lost; this is known as the forgetting curve.

Employees can lose half of what they are taught within three weeks, and 90% of it within two months, or worse. Do not take a one-and-done approach with your training. Retention requires regular reinforcement, and each time the material is revisited, remembering becomes easier.

Phishing simulations bolster employee training

Phishing simulations allow employees to practice what they have been taught. Continued practice can dramatically reduce one's susceptibility to phishing attacks.

Sometimes employees feel tricked if they fail a phishing encounter. You do not want this, because employees need to feel comfortable reporting cybersecurity issues. Instead, provide phishing training ahead of the simulation and give employees some warning that they will be tested on their cybersecurity knowledge.

If an employee fails a simulation, follow up immediately with additional training while the experience is still fresh in their mind. However, be careful about reusing the same simulations repeatedly, as employees become inured and pay less attention to the training materials. Change up the training each time; a different format may also land better with a particular employee.

Employees should feel safe to fail. Some team members may take longer than others to learn to defend your practice against phishers. Consider more focused help for these individuals through a supervisor or your information technology consultant or department. Many phishing solutions can prioritize training for at-risk employees.

How to choose which email templates to use

For your phishing email, use the most commonly impersonated brands, such as LinkedIn, Amazon, and DHL. Consider several attack formats: for example, a fake login page that mimics credential theft, or an email that carries an attachment.

A malicious link embedded in an email is the format some attackers favor most. In other organizations, attachments have a higher chance of success and are harder for people to identify as scams, so they may be worth using more often.

Also, vary the difficulty of the simulations you choose. Ease learners in with easier templates, then progress from easy to medium to hard. For example, the more misspellings or bogus logos you include in an email, the easier it is for someone to recognize it as a phishing attack; make it more challenging by using fewer of those tells.

Is the email you are sending plausible for a particular employee? Does it relate to the target's work responsibilities? Sorting simulations by groups of employees is an excellent way to make your phishing simulations more targeted.

Allow employees to be proactive in reporting phishing attempts by using email software tools, such as a plugin for Outlook. Doing so also gives you another metric to measure the success of your phishing simulation.

Follow up a failure with a learning opportunity

Once everything is in place, determine when to launch your simulation campaign. Midweek is a good time to test employees because they are focused on work and their guard is down, so to speak, but it is good to randomize the days and times of simulations.

Once a campaign is deployed, track and report its progress. Many phishing simulation tools provide an automatic report. Inform your team what you achieved through the simulation, and encourage those who failed to step up their game, but do this in a positive way.
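The tracking described above, as an added example that is not from the article or from any vendor's simulation tool: it scores constructed campaign results per department (click rate as the failure metric, report rate from the reporting plugin as the second metric), lists employees who clicked repeatedly so they can get focused follow-up, and decides whether a department is ready to move up the easy, medium, hard template ladder. The 20% click-rate threshold for advancing and the two-click rule for the at-risk list are assumptions, not figures from the article.

```python
from collections import defaultdict

# Constructed sample results from simulation campaigns (not real data).
# Each tuple: employee, department, template difficulty, what the employee did.
# Actions: "reported" (used the report plugin), "clicked" (failed), "ignored".
SAMPLE_RESULTS = [
    ("alice", "front-desk", "easy", "reported"),
    ("bob", "front-desk", "easy", "clicked"),
    ("carol", "hygiene", "medium", "ignored"),
    ("dave", "hygiene", "medium", "clicked"),
    ("erin", "billing", "hard", "reported"),
    ("frank", "billing", "hard", "clicked"),
    ("bob", "front-desk", "medium", "clicked"),
]

LADDER = ["easy", "medium", "hard"]


def summarize(results):
    """Per-department click rate (failures) and report rate (proactive reporting)."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for _, dept, _, action in results:
        totals[dept]["sent"] += 1
        if action in ("clicked", "reported"):
            totals[dept][action] += 1
    return {
        dept: {
            "click_rate": t["clicked"] / t["sent"],
            "report_rate": t["reported"] / t["sent"],
        }
        for dept, t in totals.items()
    }


def at_risk(results, min_clicks=2):
    """Employees who clicked in at least min_clicks simulations (assumed threshold)."""
    clicks = defaultdict(int)
    for who, _, _, action in results:
        if action == "clicked":
            clicks[who] += 1
    return sorted(who for who, n in clicks.items() if n >= min_clicks)


def next_difficulty(current, click_rate, max_rate=0.2):
    """Advance one rung on the ladder only once the click rate is at or below
    max_rate (assumed 20%); otherwise keep the department on its current rung."""
    i = LADDER.index(current)
    if click_rate <= max_rate:
        return LADDER[min(i + 1, len(LADDER) - 1)]
    return current
```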

Your dental business has enough challenges. With just a few easy steps, you can improve the security of your sensitive data and educate your teams on good cyberhygiene. Prevent phishing attacks at the source with education and awareness.

John Trest is the chief learning officer of Inspired eLearning at Vipre Security Group.

The comments and observations expressed herein do not necessarily reflect the opinions of, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.
