Organizations that are successful in preventing phishing attacks follow recognized best practices that address the threat from phishing from multiple angles. Just a few years ago, a spam filtering solution and antivirus software provided small businesses with sufficient protection against attacks. Today, however, those traditional anti-phishing defenses are not sufficient by themselves.
Phishing is now the most common way that cybercriminals gain initial access to healthcare networks and patient data. Phishing is used to steal credentials for email accounts and cloud services and to distribute malware, and ransomware gangs often obtain the access they need through phishing. Many of the largest and costliest healthcare data breaches had their roots in phishing, such as the cyberattack on Anthem Inc that was discovered in 2015. That attack allowed hackers to steal the protected health information of 78.8 million health plan members, and it was made possible by an employee responding to a spear phishing email.
Phishing has long been the biggest cyber threat faced by healthcare organizations and attacks have continued to increase. The Federal Bureau of Investigation reported a doubling of phishing attacks in 2020, and in 2021, Proofpoint reported that 70% of businesses experienced at least one phishing attack.
Phishing attacks have also increased in sophistication and are now much harder to identify and block. To mount a robust defense against phishing, multiple overlapping layers of protection are required, including software solutions, good cyber hygiene, and a solid security awareness training program.
There are four main components to an effective anti-phishing strategy, and all should be adopted by healthcare organizations. These are listed below along with several other best practices for preventing phishing attacks.
Phishing is a type of social engineering that involves the psychological manipulation of people to get them to take certain actions. The most common actions are tricking people into clicking a link in an email and visiting a malicious website or opening an email attachment and executing malicious code. Cyber threat actors often provide compelling reasons why these actions should be taken, such as to prevent fraud, correct security issues, or get a great price on a purchase. Phishing emails often mimic legitimate emails, such as shipping notices, resumes, and collaboration requests. They often spoof legitimate contacts and trusted businesses and can be hard to distinguish from the genuine communications they impersonate. There are, however, usually tell-tale signs that everything is not as it seems.
Employees need to be made aware of the threat of phishing and be instructed on how to identify phishing attacks and other cyber threats. They should be trained on how to work in a cyber-secure way, how to practice good cyber hygiene, and risky IT practices need to be highlighted and eliminated. Security awareness training is one of the most important best practices for preventing phishing attacks, but many organizations fail to get the full benefits.
To get those benefits, security awareness training needs to be a continuous process, not a once-a-year training session. In order to develop a security culture, training needs to be provided frequently and in small doses that can be easily assimilated and applied. Training should be engaging and include varied content, ideally with a combination of media such as videos, CBT, infographics, posters, and cybersecurity newsletters. It is also important to send simulated phishing emails to the workforce. These fake emails closely mirror genuine phishing emails and can be used to test the effectiveness of training. If an employee responds to a phishing email, it should trigger additional training. These simulations provide evidence of how susceptibility to phishing is improving. Without these simulations, gaps in knowledge and weaknesses in defenses are unlikely to be identified.
Security awareness training is concerned with preparing employees for threats they may encounter. Technical defenses are also required to block as many phishing threats as possible. Since the majority of phishing attacks are conducted via email, robust email security solutions are essential. A secure email gateway or cloud-delivered email security solution should be implemented to block phishing emails. These solutions greatly reduce the volume of phishing emails arriving in inboxes; they typically block around 99% of spam emails and phishing threats. They block known phishing content and communications from bad IP addresses, and they score emails on the probability of them being malicious. More advanced solutions feature AI and machine learning technology that further improves protection by predicting new threats.
Phishing is commonly used for malware delivery. Email security solutions incorporate signature-based detection mechanisms, such as antivirus engines, but signatures fail to block novel malware threats. Choosing a solution that incorporates behavior-based detection mechanisms such as sandboxing will help to ensure that zero-day malware threats are also blocked. Email security solutions should also incorporate anti-impersonation mechanisms to identify spoofing, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
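To show what the DMARC check adds on top of SPF and DKIM, here is an added example (not from the original article or any vendor product) that takes the SPF and DKIM results a gateway has already produced for one message and decides whether they are aligned with the From header domain under the published policy; the domains, the record, and the two-label organizational-domain shortcut are assumptions for illustration.

```python
"""DMARC alignment check: given SPF/DKIM results for one message and the
RFC 5322 From domain, decide pass/fail under the published _dmarc record.
All domains and the record below are constructed sample data."""


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real implementations consult the Public Suffix List; this is a shortcut."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) requires an exact match; 'r' (relaxed) accepts the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_results, record):
    """dkim_results is a list of (result, d= signing domain) pairs.
    Returns (verdict, action) where action is 'deliver' or the p= policy."""
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", tags.get("p", "none")


# Constructed spoof: SPF and DKIM both pass for the sender's own domain, but
# neither is aligned with the forged From domain, so DMARC fails and p=reject applies.
SAMPLE = dict(from_domain="hospital.example", spf_result="pass",
              spf_domain="bulk-sender.example",
              dkim_results=[("pass", "bulk-sender.example")],
              record="v=DMARC1; p=reject; adkim=s; aspf=s")

if __name__ == "__main__":
    print(dmarc_evaluate(**SAMPLE))  # ('fail', 'reject')
```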
Web filtering is an important additional protective measure for preventing employees from engaging with phishing content on the Internet. Web filters are used to filter out malicious Internet content, such as web pages hosting phishing forms or malware. These solutions are constantly updated with the latest threat intelligence, so when new malicious content is detected, it is automatically blocked for all users. Web filters complement email filtering solutions by improving protection against malicious hyperlinks in emails: they follow those hyperlinks and assess the web content for threats in real time. They can also be used to exercise control over the types of web content that can be accessed by employees.
Protecting against the web-based component of phishing is an aspect of phishing defense that is often overlooked by healthcare organizations but is vital since cyber threat actors are constantly developing new methods for bypassing email security solutions. DNS-based web filters are the best choice, as they perform filtering with no latency, so Internet speed is unaffected.
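As an added illustration of the DNS-layer decision a web filter makes (example code, not the article's or any product's own), this block checks a queried name and each of its parent domains against a threat-intelligence feed and a category policy, and sinkholes the answer when the category is blocked; the feed, the policy, and the sinkhole address are constructed assumptions.

```python
"""DNS-based web filter decision. A query is matched against a feed of
domain -> category entries, walking up the parent domains so a new subdomain
of a known-bad domain is also caught, then compared with the org policy.
Feed, policy and sinkhole address are constructed for this example."""

SINKHOLE = "0.0.0.0"  # assumed address returned in place of the real answer

# Constructed threat-intelligence feed: domain -> category
FEED = {
    "login-portal-update.example": "phishing",
    "cdn-droppers.example": "malware",
    "streaming-video.example": "streaming",
    "hospital.example": "business",
}
# Constructed policy: categories this organization chooses to block
POLICY = {"phishing": "block", "malware": "block", "streaming": "block"}


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot from the query."""
    return qname.strip().lower().rstrip(".")


def lookup_category(qname: str):
    """Return (matched_entry, category) for the most specific feed match, else (None, None)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FEED:
            return candidate, FEED[candidate]
    return None, None


def resolve_policy(qname: str) -> dict:
    """Decide whether the resolver answers normally or returns the sinkhole."""
    matched, category = lookup_category(qname)
    blocked = category is not None and POLICY.get(category) == "block"
    return {
        "query": normalize(qname),
        "action": "sinkhole" if blocked else "resolve",
        "answer": SINKHOLE if blocked else None,
        "matched": matched,
        "category": category,
    }


if __name__ == "__main__":
    for q in ["secure.login-portal-update.example.", "portal.hospital.example", "unknown.example"]:
        print(resolve_policy(q))
```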
Best practices for preventing phishing attacks are primarily concerned with blocking threats, but what happens if a phishing attack is successful and credentials are stolen? If a password is the only method of authentication, the stolen password alone can be used to remotely access the account. Single-factor authentication is often exploited by cyber threat actors and is a security weakness at many healthcare organizations. Implementing more robust authentication controls is important for blocking phishing attacks, and this is best achieved with multi-factor authentication.
Multi-factor authentication requires an individual to provide an additional factor for authentication, which prevents stolen credentials from being used on their own to access accounts. Microsoft claims that 99% of automated attacks on accounts are blocked by multi-factor authentication. MFA should be implemented on all email accounts and all accounts with administrative privileges at a minimum.
There are several other best practices for preventing phishing attacks that should be considered, each of which can further improve defenses and block attacks.
Antivirus software should be installed on all endpoints and configured to update automatically, with the gold standard being an intrusion detection and prevention solution that can analyze behavior to identify attacks in progress.
Password managers are useful tools for improving password security, but also play a role in phishing defense. These solutions autofill passwords when a user lands on a website, but only if the domain exactly matches the entry in the password vault.
Popups are often used on websites for redirecting visitors to malicious web content. A web filter will block many of these redirects, but a popup blocker is also recommended for improving web protection.
Links in phishing emails often direct users to websites hosting exploit code. Scripts on the website probe for unpatched vulnerabilities and automatically exploit them to install malware. Promptly patching and updating browsers will help to prevent vulnerabilities from being exploited.
Copyright © 2007-2024 The HIPAA Guide