Britton White is a cybersecurity & HIPAA Compliance advisor. The following article is reproduced with his kind permission.
E-mail is the bane of our existence and the number one threat vector. There's no other way to say it.
I’ve rummaged through over 30 hospitals and hundreds of clinics (some multiple times) in my time conducting undercover risk assessments, so I’ve seen, read, and heard plenty related to e-mail practices, policies, procedures, technology in place, and phishing training.
The first place to begin is an organization’s policy and associated procedures directly related to e-mail. Be sure to not forget about Business Associates that might have e-mail accounts with your organization. Questions to ask right off the bat:
1) Do we offer our employees the opportunity to update/change credentials through an e-mail by clicking on a link embedded within the body of the message? This question must be applied to every system and application the organization uses, whether it's hosted on the organization's premises, in a third-party data center, or in the "cloud".
2) Do we tell our employees to never update or enter their credentials through an e-mail link or document embedded within the body of the e-mail message?
3) Do we allow employees to use their business e-mail address for personal use? I’m talking Amazon, FedEx, UPS, USPS, Gas Station Rewards, Starbucks Rewards, etc.
4) Do we allow employees to access their Yahoo e-mail, Gmail, Hotmail, etc. via company provided computing devices?
5) What inbound e-mail do we allow through, what do we block, how do we block it, do we block by country, can our filtering actually block by country, and so forth.
6) Have we set up two-factor authentication (2FA) for e-mail? Same question holds true for network access, but the focus here is e-mail.
7) Training. Do we offer cyber-security training that includes phishing examples, and how often: once a year, monthly, never?
8) Have we recommended to all staff, including executives, boards of directors, etc. that they implement 2FA on their personal e-mail accounts? While you can’t enforce this, it’s wise to make the recommendation.
9) When it comes to any financial transactions, updating employee benefits, updating direct deposit information, etc., do we act on these requests solely via e-mail, without any out-of-band verification (a phone call to a number already on file, or another method) to ensure it's not a bad actor attempting to divert money to their account(s)?
10) How much electronic protected health information (ePHI) do we e-mail internally, externally, etc.? Can we or should we adjust the current way in which we e-mail patient information?
11) Are employees aware of “lateral phishing”? Lateral phishing is the use of an internal compromised email account/accounts to send phishing emails to other individuals in the organization.
12) Should we purchase a managed phishing service to test our employees on a regular basis?
RELEVANT SCENARIOS
1) I once had a conference call with a prospective client where they said they'd already purchased phishing training from an MSSP, so I walked through the first three questions with them. They quickly realized their phishing training was going to end up with very poor results because they offered their employees the opportunity to update/change credentials through an e-mail, and they allowed business e-mail addresses to be used for personal use. This combination is a perfect recipe for disaster.
2) In another example, I worked with an organization on this very topic and uncovered the same areas for improvement; however, the changes weren't implemented in time. The organization had several employees enter their credentials through a phishing e-mail, resulting in an e-mail breach and subsequent notification to potentially impacted patients and OCR. To make matters worse, the organization had implemented 2FA, but the bad guys/gals got past it and the organization still doesn't know how. This is why processes, procedures, and training are so important.
3) In a third example, an organization sent out phishing e-mails to their ten-thousand plus employees. Of those, over one thousand entered their credentials.
4) And in a final example, I was once asked what other organizations were doing with employees who failed phishing tests as this organization was looking to potentially fire repeat offenders. I said that no one I knew of was firing employees for repeated offenses as it was already too difficult to find people. I then went into, again, the first three questions outlined above. Pretty quickly they realized they needed to make some corrections on their policies and procedures before contemplating enforcement measures.
RECOMMENDATIONS TO CONSIDER
1) Conduct a full review of the systems and applications (in-house, outsourced, hosted, etc.) to understand the password update/change process.
2) Serve notice to all employees and business associates that no one should ever update/change their credentials through an e-mail. Everyone is to go directly to the site or application to make the update/change.
3) The only caveat to number two above is when the user themselves initiates a password reset and is then sent an e-mail with a link to update their credentials. This should be the ONLY time a user clicks such a link. If a user receives a password reset e-mail they know they didn't request, they should be instructed to report it to IT security immediately, then delete it.
4) Implement two-factor authentication on all business e-mail accounts. While you’re at it, add 2FA for all remote network access.
5) Prohibit employees from using their corporate e-mail address for personal use in signing up for Amazon, FedEx, UPS, Starbucks Rewards, Gas Station Rewards, etc. We all receive personal e-mails, which is ok, but no one should ever use their corporate address when signing up on websites related to personal use.
6) Prohibit employees from accessing their personal e-mail from organization-provided computing devices. Mail read through Yahoo, Gmail, etc. never passes through the expensive corporate e-mail security appliance currently in place, so any malicious link or attachment in it reaches the device unfiltered.
7) Employees come and go, so training should be constant. Cramming security awareness training into employee onboarding bears little to no fruit as the employee is overwhelmed with information. Cyber-Security training and phishing training need to be separated out from all other training. From there, training must be ongoing. Don’t forget to include your volunteers.
It doesn’t matter if you have the Bugatti or Ferrari of spam/e-mail filters, malicious e-mail WILL still get through. This is exactly why your employees are the LAST LINE OF DEFENSE.
Everyone needs to understand that an e-mail account takeover and/or ransomware can and will wreak havoc not only on your organization, but on your business partners as well. Don't forget that e-mail is one of the primary delivery mechanisms for ransomware. Maybe this article will make a difference in your organization?