Following the breach of Saint Agnes Health Care, in which the details of 25,000 patients were accessed, James Moore, senior security consultant for Phish’d at MWR InfoSecurity, writes:
“The Baltimore health system breach is, unfortunately, just one of many recent high-profile attacks that continue to show an upward trend in attackers using phishing attacks to exploit poor employee security behaviour that bypass technical controls upon which organisations continue to place a huge over-reliance.
“Whilst Saint Agnes should be commended on the transparency with which it has disclosed the breach, the health services' approach to preventing further attacks looks to be heading in the direction of working with their email provider to employ more technical controls - rather than approaching the root problem which is employee security behaviour.
“Time and time again we see firms look to technical controls to fix the phishing problem, only to then find phishing attacks are still effective despite these additional controls. A well-crafted and targeted email, sent from a 'clean' mail server, will almost always get through spam and anti-phishing filters; at which point it's down to employees to identify and report the attack.
“Organisations need to understand that a multi-layered approach to security is needed to reduce the risk from attacks targeting employees. Technical controls, employee security behaviour programmes and robust incident response processes all need to be implemented. In doing so, the number of threats facing employees will be minimised, and the majority that do make it through traditional defences will be detected, reported and handled effectively.”