Throughout 2015 there have been numerous reports of health care companies being compromised and losing personally identifiable information (PII). Over the summer, one company reportedly lost names, email addresses, phone numbers and health care subscriber numbers; payment and medical data were not believed to be taken. Unfortunately, we are getting used to waking up to this kind of news. As we scan the article, we peek to see whether we will be getting a new credit card or have to check our statements for fraudulent charges. No payment information was taken, so this one isn't that bad… right? Wrong.
The hacking we see in movies, where someone hammers on a keyboard for a few seconds and is in, is comically false. The majority of real system compromises start with a phishing email: a message crafted to look like legitimate correspondence, with the end goal of stealing information or gaining a foothold on a system.
I’m smarter than the average user
We all get the spam-like phishing emails: Click this link for $500/week! Open this file for free movies! Many of us have gotten good at smelling a rat. But what if you receive an email that appears to come from email@example.com, carries images lifted from the company's real website, is addressed to you by name and quotes your subscriber number "for confirmation"? At the bottom is a link saying you need to change your password because of the recent data breach, and the link takes you to a website that looks exactly like the real one. The breached data that "wasn't that bad" is precisely what makes this message convincing.
What can a person do in this situation? Here are some things to consider:
- Are you expecting this email?
- Hover over the link before you click it. Is the actual address exactly the one you expect? Look at the domain, not the text of the link: example.com.some-other-site.net is not example.com, and neither is a near-miss spelling of it.
- If you are unsure, call the company.
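The "hover and compare" check above can be written down as code. What follows is an added example, not part of the original post: a small Python link checker that extracts every anchor from an HTML email body and reports the tricks a phisher uses to make a hover look safe (a trusted name used as a subdomain of another domain, a look-alike spelling, a username in front of the real host, a punycode hostname, or link text that shows one address while the target is another). The trusted domain example.com, the look-alike character table and the sample message are all assumptions constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient actually does business with (assumption for this demo).
TRUSTED_DOMAINS = {"example.com"}

# Digits that phishers substitute for similar-looking letters in typosquatted names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (no public-suffix list; enough for .com/.net demos)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link fails the hover-and-compare test (empty list = looks fine)."""
    findings = []
    url = urlparse(href.strip())
    host = (url.hostname or "").lower()
    if url.scheme == "http":
        findings.append("not https")
    elif url.scheme != "https":
        findings.append(f"unexpected scheme {url.scheme!r}")
        return findings
    # https://example.com@evil.net: everything before '@' is a username, not the host.
    if url.username is not None:
        findings.append("credentials in URL hide the real host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("internationalised (punycode) hostname")
    # If the visible link text looks like a URL, its domain must match the real target.
    shown = re.fullmatch(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:/\S*)?", text, re.I)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"link text shows {shown.group(1).lower()} but goes to {host}")
    domain = registrable_domain(host)
    if domain not in trusted:
        reason = f"unfamiliar domain {domain}"
        for t in trusted:
            brand = t.split(".")[0]
            if host.startswith(t + ".") or f".{t}." in host:
                reason = f"{t} used as a subdomain of {domain}"   # example.com.evil.net
            elif domain.translate(HOMOGLYPHS) == t:
                reason = f"look-alike of {t}"                       # examp1e.com
            elif brand in domain.split(".")[0]:
                reason = f"borrows the name {brand!r} in {domain}"  # example-login.net
        findings.append(reason)
    return findings


def audit_email(html):
    """Run check_link over every anchor in an HTML body; returns (href, text, findings) triples."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, check_link(href, text)) for href, text in extractor.links]


# Constructed sample modelled on the message described above; not a real e-mail.
SAMPLE_EMAIL = """<html><body>
<p>Dear member, your subscriber number ending 4421 was affected by a recent incident.</p>
<p>Please <a href="https://example.com.account-verify.net/reset">reset your password</a>
at <a href="http://examp1e.com/login">https://example.com/login</a>.</p>
<p>Questions? See <a href="https://example.com/help">https://example.com/help</a>
or <a href="https://example.com@login-check.net/x">example.com</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL):
        status = "OK " if not findings else "BAD"
        print(f"{status} {text!r} -> {href}")
        for reason in findings:
            print(f"      {reason}")
```

Running the script flags three of the four links in the sample and passes only the one whose target really is under example.com. The registrable-domain helper deliberately ignores the public-suffix list, so for real mail (co.uk and friends) it should be replaced by a proper library; the point of the example is the comparison logic, not the domain parsing.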
The tactics used to trick people into giving up payment information and login credentials are also used by advanced adversaries to penetrate corporate networks and reach protected company information.
What do we do about it?
Companies need to make this a priority. The human factor is the hardest vulnerability to protect against: no single system can prevent people from doing damaging things. The most we can do is educate our people to be aware of the risk and to stay vigilant, and to do so repeatedly. To succeed at stemming the tide, companies must invest money and time in training users to recognize risky behavior and to default to skepticism. This isn't a one-time seminar; it must be a recurring theme in every security communication and every security program. Train people at least every year, or every six months if you can do it without desensitizing them.
Our people are both our greatest asset and our greatest liability when it comes to protecting our data. We must do everything we can to arm them with the tools they need to stay ahead of the curve, or our customers will go elsewhere to find someone who can.