What proportion of NHS staff are susceptible to phishing attacks? A proactive group of English trusts asked Gemserv to help them find out how many of their employees would expose their system credentials to hackers. Chief information security officer Andy Green reveals all…
We have all become used to receiving emails that claim our bank details have been compromised, or a postal delivery has been held up. If we just click a link and enter a few details, we can get the account released, or the package on its way.
Most of us recognise that these emails come from hackers and ignore them. But what if we were at work and an email arrived from our head of department, asking us to log in to a portal and sort out a problem? Or a flyer arrived from a conference that we'd been to, inviting us to enter a couple of details in order to download a report?
Would we click then? Recently, a proactive group of NHS trusts asked us to run an ethical phishing exercise to find out how susceptible their staff might be to this kind of approach, which is increasingly being used by hackers to obtain valuable details. Did they fall for it?
Phishing and the threat to the NHS
Well… before we get to that, it might be useful to recap on what phishing is and why it matters. Phishing is a form of cybercrime, in which a target or several targets are contacted by email, telephone or text message, and lured into handing over useful information.
There’s a common misconception that what hackers are after is sensitive personal data or financial details; but that doesn’t have to be the case. What criminals who target companies, government departments and public services want is user credentials; details that will allow them to get into systems and then move around a network.
That’s because the nature of cybercrime has changed. Back in the day, hackers wanted to steal information. Now, they want to stop organisations having access to it – so they can charge a ransom to get systems up and running again.
Unfortunately, that makes healthcare vulnerable. In September last year, police launched a ‘negligent homicide’ investigation after a ransomware attack disrupted emergency care at Dusseldorf University Hospital in Germany – and a patient died as she was being transferred to another unit.
There are technology solutions that can be deployed to try and stop phishing emails. There are security gateways and email filters. However, we did some work for a FTSE company recently and they were getting 40,000 malicious or spam emails a day.
Even though they were catching 99% of them, 400 a day were still getting in. That is where ethical phishing comes in. The purpose of exercises like the one we have just run for an NHS region is two-fold: first, to make people less likely to act on these emails, and second, to make people more likely to report them.
The FBI estimates that the average hacker spends 149 days inside a network before doing anything (the so-called dwell time). If malicious emails are reported, it is possible to stop them, to track the hacker across the network, and to reduce the harm they can do.
So, how does Gemserv conduct an ethical phishing exercise? We use the same kind of techniques that hackers do. We don’t use a template. We don’t put out the ‘your bank account has been compromised’ or ‘your parcel is held up’ emails that people have got wise to.
We sit down and we look at an organisation with a criminal’s eyes. We think about who is most likely to be targeted – which people have influence or privileged access. For example, executives are targets, because they have authority and an email that comes from them is likely to be acted on; and IT administrators are targets, because they have more systems access than ordinary users.
Then, we identify individuals within those groups, and set out to find out useful things about them. We have a look at their professional profiles. We read their social media. If they have been tweeting about a conference, we might use that to create a spear phishing campaign that targets them and their contacts.
Then, we craft an email that uses the kind of influencing factors that hackers use: authority, urgency, and the implication that bad consequences will follow if the link is not clicked. We then send that email to an organisation, or to a group of individuals within it.
Education, education, education
We crafted a number of emails for the group of NHS trusts that we are working with and they picked two to send. The first email has been sent to the first two trusts and around 2,000 people.
And now is the moment to reveal that … the results underlined the very serious nature of the risk faced by the NHS. A third of the people who received these emails, at all levels of those two organisations, opened them. Had they been real phishing emails, hundreds of sets of credentials would have been compromised.
The good news is that effective ethical phishing exercises don’t just catch people. They help to put them on their guard against further attacks. If somebody clicks on one of our emails, they are taken to a portal, that is mocked up to look like the portal or the conference site or whatever it is pretending to be.
If they enter their details, they are taken to some training about cyber security, and then back to the original email, where we show them all the "red flags" that could have been spotted. Education of this kind is very effective.
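The "red flags" shown to users after a click are mostly mechanical: a sender domain that imitates the trust's real one, a Reply-To that quietly points somewhere else, pressure language in the subject or body, and a link whose visible text names one host while its href goes to another. The checker below is an added example written for this page to make those flags concrete; it is not Gemserv's tooling, and the trust name, people and domains in the two constructed sample messages (one imitating the "head of department" lure described above, one benign service-desk notice) are made up.

```python
"""Red-flag checker for a suspected phishing email (added illustrative example).

All names and domains below are constructed for the example; the trust
'example-trust.nhs.uk' and the lookalike 'example-trust-nhs.co' do not exist.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that carry the urgency/authority pressure phishers rely on.
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours",
                   "action required", "today")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Hostname of a URL, or of bare text that looks like one ('' if it does not)."""
    s = s.strip()
    if " " in s or "." not in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def red_flags(raw_message, trusted_domains):
    """Return the red-flag codes found in an RFC 5322 message string, in check order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    trusted = {t.lower() for t in trusted_domains}
    flags = []

    def flag(code):
        if code not in flags:
            flags.append(code)

    # 1. Sender domain borrows a trusted brand label but is not a trusted domain.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    brand_labels = {t.split(".")[0] for t in trusted}
    if from_dom and not _is_trusted(from_dom, trusted) and any(b in from_dom for b in brand_labels):
        flag("lookalike-sender-domain")

    # 2. Replies are silently routed to a domain other than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = reply_addr.rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        flag("reply-to-mismatch")

    # 3. Pressure language in the subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        flag("urgency-language")

    # 4. Links whose visible text names a different host than the href, or go off-domain.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, visible in collector.links:
            href_host, text_host = _host(href), _host(visible)
            if href_host and text_host and href_host != text_host:
                flag("link-text-mismatch")
            if href_host and not _is_trusted(href_host, trusted):
                flag("untrusted-link")
    return flags


# Constructed sample: a "head of department asks you to log in" lure.
SAMPLE_PHISH = """\
From: "Dr Sarah Patel (Head of Department)" <s.patel@example-trust-nhs.co>
Reply-To: helpdesk@mail-secure-login.net
To: staff@example-trust.nhs.uk
Subject: URGENT: action required on your account today
Content-Type: text/html

<html><body>
<p>Your clinical portal access will be suspended at 17:00 unless you log in and confirm your details.</p>
<p><a href="http://example-trust-nhs.co/portal">https://portal.example-trust.nhs.uk</a></p>
</body></html>
"""

# Constructed sample: a routine notice from the real service desk.
SAMPLE_BENIGN = """\
From: "IT Service Desk" <servicedesk@example-trust.nhs.uk>
To: staff@example-trust.nhs.uk
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

The intranet will be unavailable from 02:00 to 04:00 on Saturday. No action is needed.
"""

TRUSTED = ["example-trust.nhs.uk"]

if __name__ == "__main__":
    print(red_flags(SAMPLE_PHISH, TRUSTED))
    print(red_flags(SAMPLE_BENIGN, TRUSTED))
```

The lure trips every check; the benign notice trips none. The same checks are what an email gateway applies before delivery, and what a user can be taught to apply by hovering over the link and looking at the real sender address; the point of the training page is to make the second habit as reliable as the first.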
We can show this by re-running the campaigns: over a matter of months, susceptibility falls from very high percentages of users to low ones. One reason for that is that this resonates with people.
We might all think we can spot a dodgy email, but we don’t want to see our bank account emptied or the pictures of our children held to ransom. People are keen on ethical phishing because they can use what they have learned in their personal lives to stop this happening.
Ethical phishing delivers value to them as well as their organisations; which in this case means the NHS and the services and patients it needs to keep safe.