Tips For Setting Up Phishing Simulations For a Dental Practice
By John Trest, chief learning officer, Inspired eLearning at VIPRE Security Group
Dental practices must strengthen their teams’ awareness of spear-phishing attacks, which currently account for 91% of data breaches. Your team members must understand the threat landscape and know that attackers are actively trying to infiltrate the practice. Dental practices face many threats, and phishing attempts continually evolve and become more sophisticated.
As a dental practice leader, you can mitigate these attempts through a security and privacy awareness training program. eLearning is a good option here. Unlike in-classroom meetups, internet-based classes are delivered on demand and as needed. Using online platforms also expands your training and reinforcement options, such as threat simulations. Third-party phishing simulations, for example, provide a range of scenarios that mimic real-world attacks. This matters because research shows that businesses that run simulated phishing attempts once a month have 27% fewer employees falling victim to such attacks.
Even after that improvement, the remaining failure rate is too high for any care setting. Because dental practices hold valuable patient information in their systems, they are ripe targets for attack. With that in mind, here are some best practices that will help you get the most out of your security awareness and HIPAA training.
What to Consider When Preparing
Depending on your simulation solution, you may have options beyond email. Consider smishing (phishing via SMS text messages) and vishing (voice phishing, delivered by phone call or voicemail).
Then there is USB baiting, done by seeding look-alike USB drives around the workspace or parking lot. In a simulation the drive carries no malware; it holds a harmless file that reports back to the simulation platform if someone plugs the drive in and opens it. Using these additional channels reduces a practice’s susceptibility to phishing across the board, and it lets you vary your training techniques so employees learn to recognize a broader range of threats.
Getting the Most Impact
How do you work your simulations into a training program with the most impact? Start with the concept of learner retention. Information learned during training is quickly lost; this is known as the “forgetting curve.”
Employees can lose 90% of what they learn in a training session within a matter of weeks, or sooner. Do not take a one-and-done approach. Retaining information requires regular reinforcement, and each repetition makes the material easier to remember.
Phishing Simulations Support Training
Phishing simulations allow employees to practice what they have been taught. Continued practice can dramatically reduce a learner’s susceptibility to phishing attacks.
Sometimes, employees feel tricked if they fail a phishing encounter. You do not want this because employees must feel comfortable reporting cybersecurity issues. Instead, provide some phishing training ahead of time and give employees some warning of impending simulations.
If an employee fails a simulation, follow up with training while the experience is fresh, but avoid re-sending the same simulation; vary the template and the follow-up training each time. Users should feel safe to fail. Consider providing focused help, through a supervisor or your IT department, to individuals who need extra attention.
How to Choose Which Email Templates to Use
Use several types of templates. A credential-harvesting template sends a link to a fake login page that records whether the employee entered a password; an attachment template sends a document that reports back when it is opened. Attachment lures tend to succeed more often against users, so they may be worth using more frequently.
Change difficulty levels often and ease learners into the exercises by starting with standard templates, then move progressively from easy to medium to hard. The more misspellings, bogus logos and other obvious tells a message contains, the easier it is to spot as phishing, so make templates harder by including fewer of them and by using realistic sender names, domains and branding.
When checking the quality of your training, evaluate whether the tests you are sending are plausible for a particular employee. Does the scenario make sense for that individual’s responsibilities and role? Sorting simulations by groups of employees (front desk, clinical staff, billing, and so on) is an excellent way to make them more targeted.
Employees should be proactive in reporting phishing attempts, ideally with a report button add-in for your email program (Outlook, Gmail, etc.). The report rate then gives you a second metric, alongside the failure rate, for measuring the success of your phishing simulation. Finally, follow up every failure with a learning opportunity to better imprint the knowledge.
With everything in place, decide when to begin your simulation campaign. Randomize send times across employees and days so staff are less likely to notice the campaign and warn each other. Even if employees do find out and talk about it, that conversation still raises awareness of the threats they face, so a discovered campaign is still a positive outcome. Once a campaign is deployed, track and report progress; many phishing simulation tools generate the report automatically, which saves time. Share what the team has achieved and encourage those who failed to improve, but do so positively. There is no need to call out individuals who are failing. Instead, congratulate those who are doing well and invite the others to join them.
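To make the tracking concrete, here is an added Python example, not from the article or from any vendor’s simulation product, that computes the numbers discussed above from a campaign’s results: the overall failure and report rates, the same rates broken down by role group, template difficulty and lure type, which groups (not individuals) warrant focused follow-up, and a randomized send schedule. The result records, the group names and the 40% follow-up threshold are constructed for illustration.

```python
"""Campaign metrics for a phishing simulation (added example).

One Result per employee per simulation message. The records in SAMPLE are
constructed for illustration, not real campaign data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable
import random


@dataclass(frozen=True)
class Result:
    employee: str
    group: str       # role-based group the template was chosen for (assumed names)
    difficulty: str  # "easy", "medium" or "hard" template
    lure: str        # "link" (fake login page) or "attachment"
    clicked: bool    # opened the link or attachment
    submitted: bool  # entered credentials on the fake login page
    reported: bool   # used the report-phishing button


# Constructed sample results for one campaign.
SAMPLE = [
    Result("a.rivera", "front-desk", "easy",   "link",       False, False, True),
    Result("b.chen",   "front-desk", "easy",   "link",       True,  True,  False),
    Result("c.patel",  "front-desk", "medium", "attachment", True,  False, False),
    Result("d.okafor", "front-desk", "medium", "attachment", False, False, False),
    Result("e.nguyen", "clinical",   "easy",   "link",       False, False, True),
    Result("f.garcia", "clinical",   "hard",   "link",       False, False, True),
    Result("g.smith",  "clinical",   "hard",   "attachment", True,  False, True),
    Result("h.lee",    "billing",    "medium", "link",       True,  True,  False),
    Result("i.brown",  "billing",    "hard",   "attachment", True,  False, False),
    Result("j.wilson", "billing",    "easy",   "link",       False, False, False),
]


def failed(r: Result) -> bool:
    """A simulation is failed if the lure was opened, whether or not credentials
    were then entered. Reporting afterwards is good but does not undo the click."""
    return r.clicked or r.submitted


def failure_rate(results: Iterable[Result]) -> float:
    rs = list(results)
    return sum(failed(r) for r in rs) / len(rs) if rs else 0.0


def report_rate(results: Iterable[Result]) -> float:
    rs = list(results)
    return sum(r.reported for r in rs) / len(rs) if rs else 0.0


def rates_by(results: Iterable[Result], field: str) -> dict:
    """Break results down by one attribute ("group", "difficulty" or "lure")."""
    buckets = defaultdict(list)
    for r in results:
        buckets[getattr(r, field)].append(r)
    return {
        key: {
            "sent": len(rs),
            "failed": sum(failed(r) for r in rs),
            "reported": sum(r.reported for r in rs),
            "failure_rate": failure_rate(rs),
            "report_rate": report_rate(rs),
        }
        for key, rs in buckets.items()
    }


def groups_needing_followup(results: Iterable[Result], threshold: float = 0.4) -> list:
    """Role groups whose failure rate exceeds the threshold, worst first.
    Follow-up is aimed at groups so that no individual is singled out."""
    stats = rates_by(results, "group")
    over = [(g, s["failure_rate"]) for g, s in stats.items() if s["failure_rate"] > threshold]
    return [g for g, _ in sorted(over, key=lambda x: (-x[1], x[0]))]


def randomized_send_schedule(employees: Iterable[str], window_days: int = 10, seed=None) -> dict:
    """Spread sends over a window of days and business hours so the campaign
    does not land as one obvious blast. A fixed seed makes the plan repeatable."""
    rng = random.Random(seed)
    return {e: (rng.randrange(window_days), rng.randrange(8, 17)) for e in employees}


if __name__ == "__main__":
    print("failure rate:", failure_rate(SAMPLE), "report rate:", report_rate(SAMPLE))
    for field in ("group", "difficulty", "lure"):
        print(field, rates_by(SAMPLE, field))
    print("follow-up with:", groups_needing_followup(SAMPLE))
    print(randomized_send_schedule([r.employee for r in SAMPLE], window_days=5, seed=7))
```

Because a click followed by a report still counts as a failure, the two rates move independently: a group can improve its report rate while its failure rate stays flat, which is the signal that the report button is understood but the lure itself is not yet being recognized.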
Your dental practice already has more than enough challenges to manage. Still, with a few simple steps you can improve the security of your sensitive data and teach your team good cyber hygiene. Stop phishing attacks where they start, in the inbox, with education and awareness.