Phishing your pharmacy to counter ransomware
By Neil Trainis
PUBLISHED: September 28, 2017 | UPDATED: September 28, 2017
Businesses should provide cyber-security training and community pharmacies are no exception, says Matt Rhodes from Quiss Technology…
Organisations across the world have been subject to mass cyber-attacks over the past few months, with the WannaCry ransomware causing chaos to NHS trusts and hospitals back in May.
More recently one of the largest pharmaceutical companies in the world, Merck & Co, found its systems compromised by the ‘Petya’ virus.
Both attacks exploited vulnerabilities within operating systems, using flaws in software and sending ‘phishing’ emails to seed themselves and spread across networks.
With two major global attacks in the space of just two months, ransomware is an escalating trend among hackers looking for a quick payout. Yet, despite the warnings from businesses who have been at the receiving end of such attacks, individuals are still being caught out.
Pharmacies – an easy target?
Businesses should provide cyber-security training as part of each new employee’s induction but as criminals are constantly improving their methods, this is not enough to protect organisations against potential threats.
Until an actual attack takes place, it is impossible to predict how employees will react and unfortunately it only takes one wrong click to bring businesses to a standstill.
As community pharmacies strive to deliver better support, care and treatment, more are likely to start accessing patients’ summary care records. This could make them more vulnerable to criminals, who know all too well that pharmacy owners will probably pay a substantial sum to prevent being locked out of systems or avoid confidential information being leaked.
Prevention is most definitely better than cure and it begins with raising awareness of potential threats and testing defences across the business should a phishing attack strike.
Phishing under a microscope
Phishing is the method criminals use whereby seemingly credible, personalised emails are created to imitate communications from sources known to the target. The emails look convincing as they may include information like friends or colleagues’ names or birthdays, which the hacker can often find on the target organisation’s website or personal social media channels.
The recipient is encouraged to carry out an action, such as confirming account details, checking order or delivery instructions, or clicking to open attachments or harmless-looking links that direct the reader to malicious websites.
Phishing is an effective, low-risk method of attack:
• 10% of people targeted will fall victim to a phishing attack
• 30% of phishing messages are opened
• 23% open the message and 11% will click on the attachments
• 91% of hacking attacks begin with a phishing or spear-phishing email
• 55% increase of spear-phishing campaigns targeting employees
Although regular training will undoubtedly reduce the risk, there will always be some who remain ignorant to the threat.
To help overcome this issue, owners must first examine how employees will react. Specialist service providers can help by working with the pharmacy to conduct simulated phishing attacks; creating credible emails that appear to come from contacts employees recognise, like colleagues or customers.
Replicating the attacks used by real criminals, they will compose different ‘fake’ phishing emails including ‘toxic’ attachments.
Building immunity to phishing
All responses and actions are recorded to reveal which recipients opened an attachment, clicked a link, etc. Whilst they will initially be unaware they are being tested, they will be notified whenever they react inappropriately to a test email and will be reminded to be more vigilant in future.
Comprehensive reports identify the individuals who require the most support so training can be focused more effectively.
Worryingly, initial failure rates are usually around 33% and whilst training could reduce this to approximately 5%, a zero response is unlikely to ever be achieved as we are dealing with humans, who sometimes simply make mistakes.
The impact of just one wrong reaction to a phishing email could be catastrophic for any business, let alone a pharmacy with customers who rely on them as a trusted source of help and information for their medical needs.
Testing defences is therefore crucial to help overcome any potential weaknesses that could leave a pharmacy wide open to attack. Phishing your employees will help but do it fast, before the real criminals do.
Quiss is a provider of IT support services.