Your employees are very important to cybercriminals who would like to gain access to your business or facility, your systems, and your client or patient data. Instances of phishing and social engineering attacks increased dramatically in 2014 and all indications are that we should expect more of the same in the new year. Businesses and healthcare organizations are increasingly concerned that the biggest security threats they face may actually come from within. If they are not aware of the important access and information they have, your employees may be easy targets for such attacks.
Our December Security Tip can help you remind employees that they are vital to the security of critical data and the safety of the company, its employees, and patients. To keep it simple, our latest tip explains the value of the access and information they possess that may make them a tempting target.
I recently stumbled upon this disturbing little how-to article explaining how to worm your way into an office building without legitimate access. The article is introduced as a guide to going unnoticed to “serve yourself a drink refill at a restaurant” or to surprise someone on their birthday. But this thinly veiled (blatant, actually) guide to social engineering is an excellent primer for would-be malefactors of all kinds. The article explains how easy it is to gain access if you seem confident and fit in, prey on good-natured people, and have reasonable answers prepared if you happen to be questioned. Your company, like any company, is drawn to good natured, helpful people in the hiring process. I believe most people fall into this gullible category and that explains why these tactics so often work. This is especially true in hospitals and healthcare facilities where most employees are, by nature, kind and helpful people. We don’t want to train employees to be ugly, just cautious. If they understand the risks to valuable data and systems, and even to the physical wellbeing of everyone inside, they will be more prepared to tactfully question someone they see who they may not be familiar with or who may not have appropriate credentials to be where they are.
Employees should all be made aware of the value of their access card or security pass. Whatever method your company uses to manage physical access, whether it be an access card or a security code they use to unlock doors leading to secure areas, employees should guard this carefully. They should also be made aware of a practice called tailgating where someone trying to gain access may simply catch the open door behind an authorized person. A trusting, good natured employee could innocently put your company, critical systems, staff and patients in danger.
In the same way a trusting employee may be targeted to help a bad guy gain entry into secure areas of your business or facility, an unwitting staff member could be the target of phishing or other types of scam emails. The dangers are varied and the tactics cybercriminals are developing to gain access to your systems by stealing or hijacking valid user credentials have become quite sophisticated. Be sure your employees know not to click links in emails that may be fake, download software that may be dangerous, or use unsecured public Wi-Fi connections from mobile devices.
Like phishing, vishing scams may try to trick employees into divulging information over the phone. Your star employee who always goes out of her way to help colleagues, customers, and patients may easily fall victim to someone who calls with a believable story to glean little pieces of information about your company, your security, and your processes that can open doors for them to go deeper within your organization either physically or virtually. Be sure they know that your IT team will never call (or email) to ask for their login credentials. They should not share even seemingly innocuous information with someone they are unfamiliar with. And if a question or request seems unusual or suspicious in any way, it should be reported immediately.