Thank you for Subscribing to Healthcare Business Review Weekly Brief
U.S. healthcare organizations were the victims of over 1,400 cyberattacks per week, on average, in 2022, and data breaches that year compromised the healthcare records of nearly 50 million people, roughly 1 in 7 Americans. To put that in perspective, your healthcare record is more likely to be compromised this year than you are to get the flu.
According to Deloitte, 91% of cyberattacks begin with a phishing email. Attackers favor email because it is easier to trick a human than to trick a firewall or an identity management service. When it comes to reducing the risk of employees falling for phishing and social engineering, the most effective solution is sometimes the simplest and lowest-tech one: security awareness training built around simulated phishing attacks.
Simulated phishing is a process in which an organization sends its own employees deceptive emails that mimic malicious ones, to gauge how the workforce would respond to a real email attack. Industry-leading tools in this space, such as KnowBe4 and PhishGrid, also deliver real-time training to users who fail the simulated tests.
Consider the risk your healthcare organization faces today without an effective phishing simulation process and platform. Email filtering and protection solutions such as Proofpoint or Darktrace are effective and necessary in every computing environment, but even a conservative estimate puts their failure rate at 10%: 10% of the malicious emails sent to an organization with a filtering tool in place are not detected and blocked. Here is a directionally accurate calculation of the phishing opportunity risk for a typical 1,000-employee healthcare organization:
• The average person receives about 140 emails a day.
• In an organization of 1,000 employees, that is 140,000 emails a day, and over 260 working days approximately 36,000,000 emails per year.
• If 25% of those emails come from external domains, that is roughly 9,000,000 emails a year that your email protection solution has to evaluate for safety.
• According to Astra, the cybersecurity SaaS company, about 1.2% of emails sent are malicious, so of those 9,000,000 external emails, approximately 108,000 a year are malicious.
• If even the best email protection tools miss 10% of those 108,000, nearly 11,000 malicious emails a year make their way into employee inboxes.
When you extrapolate numbers like this to larger organizations, the level of risk is sobering. Even more sobering is the difference between organizations that have a phishing simulation tool and process and those that do not.
According to KnowBe4, for a healthcare organization with more than 1,000 employees, the average Phish-prone Percentage after its first phishing simulation campaign is 47%; the Phish-prone Percentage is the share of employees who click on a simulated phishing link. After a full year of a standard, regular cadence of phishing simulation tests with dynamic training for those who fail, the average for a healthcare organization of that size drops to 5%.
In other words, an employee at a healthcare organization that does not run phishing simulation tests with real-time training is roughly nine times more likely (47% versus 5%) to click on a phishing link than an employee at an organization that does, which leaves the organization correspondingly more exposed to an email-originated cybersecurity event. These are not just scare-tactic statistics used to sell products: first-hand experience with phishing simulation tests in my organization mirrored these numbers.
The benefits of phishing simulation tools are tangible. And though they are not as difficult to implement as many other cybersecurity solutions, they do require thoughtful process and people considerations. Here are some important tips if you are considering deploying a phishing simulation solution:
• Remember that the goal of the phishing simulation exercises is to teach your employees, not to punish them.
• Commit to a regular cadence of phishing simulation exercises, with content customized to your organization.
• Choose a tool that gives immediate, educational feedback to employees who fall for the simulated attacks.
• Use the tool to establish a baseline of your organization's susceptibility to phishing, then set realistic improvement goals that target the areas of weakness it reveals.
So many organizations still treat cybersecurity training as an annual event in which the information security team is pressured to produce content that can be clicked through quickly, a "check the box" exercise regarded more as a nuisance than as an educational opportunity. Phishing simulation changes that dynamic by delivering real-time education based on quantifiable organizational weaknesses, and it is arguably one of the most undervalued tools in the crowded and complex landscape of cybersecurity technology solutions.