At the end of last year, I wrote about how phishing attacks are one of the biggest threats. Instead of just telling people “Hey, watch out for phishing attacks!”, what is one of the best ways to train people to be on the lookout for phishing e-mails? Test them by sending them a fake phishing e-mail. Yep, you basically send them a fake version of a fake e-mail (if that makes sense) and see what they do. Do they open it? Do they click on the link? Do they enter sensitive information into the web form that the link sends them to?
CT Business Solutions is currently testing itself using Security Awareness Training by Webroot. This product allows you to set up a phishing campaign targeting users within your practice. You can select when phishing e-mails will be sent randomly to your practice employees. Even better, Webroot has a selection of templates for how you want the phishing e-mail to look. For instance, if you use ADP for payroll, you can send an e-mail that looks like it came from ADP. That is, it looks legitimate if the employee is cruising along in their busy work day and not paying attention to some of the technical details.
If a practice employee does click on the e-mail, whoever you select will be notified and, more importantly, the employee will be redirected to a site with tips and tricks on what technical details to look out for in the future. I would advocate giving practice employees a heads up on this. Meaning, don’t just run the campaign and demean them when they “fall for” the phishing e-mail. If, a few days after giving them a heads up, they do fall for it, I recommend touching base with them, having a laugh about it, and then seriously making sure they are clear on what to look for going forward.
This Security Awareness Training has two purposes. One, to educate employees on some of the technical details and tactics of cyber criminals sending e-mails. Two, and maybe most importantly, to keep them vigilant and get them in the habit of contacting their HIPAA Security Official (which CT acts as for its clients) if they are unsure of an e-mail.