Malicious actors know employees are their easiest point of entry, says Enterprise Strategy Group Analyst John Grady.
“Employees are absolutely the weakest link through no fault of their own. They have other focus areas, especially in healthcare,” Grady says. “With ransomware, all it takes is a user mistakenly clicking on something. A fundamental mind shift must take place, and the only way to do that is through user education.”
Admittedly, organizations across industries note that poor user training can impact cybersecurity: 31% of IT decision-makers cited insufficient or ineffective employee training as a major concern for their strategy, according to the 2024 CDW Cybersecurity Research Report.
Improving Training to Prevent Successful Phishing Attempts
Like all University of California campuses, UC San Diego Health requires annual cybersecurity training, which it delivers through a learning management system. The organization supplements that with monthly phishing simulations, in which staff receive fake phishing emails as a test.
More recently, Currie has ramped up a third training experience: in-person sessions customized to specific departments.
That’s in response to a recent study on UC San Diego Health employees that found that two common forms of training — annual security awareness training and simulated phishing attacks — offer limited value. In fact, in those simulated phishing exercises, trained users had, on average, only a 1.7% lower failure rate than untrained users.
Currie assisted in the study because he wanted to understand the best way to train employees. Now, he’s increasing face-to-face sessions to improve training. He conducts these department-specific trainings either in person or through video calls and tailors them to specific job risks.
For example, an attacker who has compromised a business partner’s email account can send a message asking for banking information related to an invoice payment. “We are trying to do more of these in-person sessions. I think that is by far the most effective means of getting people to understand the risks,” he says.
Currie still sees merit in simulated phishing exercises, so he continues to do them. “Even if it’s marginal or negligible, there is still some value in training because, at the very least, it allows us to continue to have conversations and raise awareness with staff and faculty throughout the year,” he says.
UC San Diego Health has deployed Proofpoint’s secure email gateway, which inspects email and blocks spam and malicious email. Proofpoint also enables Currie and his team to conduct monthly phishing simulations.
“Those who click are directed to an explanation on what should have tipped them off that it was a fake phishing attempt,” he says.
Increased media coverage of breaches and employees’ personal experiences with social engineering attempts help reinforce formal training, Currie adds. As a result, more employees now forward suspicious emails to the IT security team, a practice recommended in training.
“We’re going to look at it and give you a verdict,” he says. “We’re never going to slap you on the wrist. We’re going to congratulate you for being cautious.”