As the lazy days of summer wind down slowly at first, and then all at once, now is a good time for a reminder that your own employees returning to work full steam may pose the biggest threat to your cybersecurity. According to the U.S. Department of Health and Human Services Office for Civil Rights, July was the worst month this year for healthcare data breaches. So far in 2018, more individual records have been exposed than for all of 2017, including 1.4 million individual records exposed in the biggest breach from July, which was attributed to a phishing attack. These statistics back up a Verizon report on PHI data breaches that came out earlier this year and found that 58% of PHI data breaches involved insiders, and that healthcare is the only industry in which internal actors post the biggest threat to organizations.
But that doesn’t mean healthcare alone is vulnerable to insider threats, as a Department of Justice criminal complaint filed in June and released earlier this month demonstrates. That complaint alleges that an $81 million bank heist suffered by a Bangladesh bank was carried out by North Korean cybercriminals and started with the criminals sending spearphishing emails to targeted individuals. In those emails, a purported job applicant would ask for a personal interview and attach a .zip file that the applicant claimed was a resume. When opened, the .zip file automatically downloaded malware to the recipient’s computer, which ultimately made its way to the bank’s IT system. This allowed the hackers to allegedly impersonate bank employees, access the SWIFT network, and transfer funds from the bank’s account to an account in the Philippines. Additional malware was used to cover their tracks.
While certain manipulation of a network as seen in the Bangladesh bank heist may take some skill and expertise, phishing and its targeted variant of spearphising are straightforward exploitations of human error. They demonstrate that allocating budget to pay for cybersecurity technology may not be enough, and resources also need to be spent on employee training and culture shifting. Certainly, layered technology solutions that address different weak points, including two-factor authentication, are important and helpful, but organizations need to take a wider view of cybersecurity and risk reduction to both account for, and attempt to correct, human error.