Mimecast Research: 90 Percent of Healthcare Organizations Hit with an Email-Borne Attack in the Past Year
Healthcare organizations hold massive amounts of medical and personal information, making them lucrative targets for threat actors. While many organizations are investing in people and technology to improve cybersecurity defenses, attackers have also up-leveled their tools and tactics to evade detection and more effectively land their exploits. According to the research, the top attack types targeting healthcare organizations’ email are malicious URLs and broad phishing attacks. Even though 3 in 4 organizations reported having, or being in the process of rolling out, a comprehensive cyber resilience program, only half of respondents disclosed high levels of confidence in their current email security deployment.
In fact, 72 percent of organizations experienced downtime as a result of an attack, with productivity (55 percent), data (34 percent) and financial (17 percent) being the three most common types of losses. Healthcare organizations experiencing the most disruptions over the course of the last 12 months were hit more frequently by attacks impersonating trusted vendors or partners (61 percent) and credential-harvesting-focused phishing attacks (57 percent) in comparison to other kinds of email-borne attacks.
“The popularity of email as a communications channel makes it one of the top attack vectors used to target healthcare organizations. All the reasons it is effective for legitimate use make it a key path for threat actors to use maliciously, often with minimal efforts and a high return on investment,” said
Additionally, employee training is a key element of a comprehensive cyber resilience program, and one that is often overlooked. Seventy-seven percent of respondents agreed that employee-focused security awareness training is essential to protecting their organization against email-borne attacks, yet 40 percent indicated that their organization provides security training less than once per quarter. Shockingly, 11 percent admitted to offering training only during onboarding or ad hoc after a negative incident had occurred.
“Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter,” said Gardiner. “Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”
Cyber Resilience Think Tank member,
Read the full whitepaper based on the results of How
Visit Mimecast’s new Threat Intelligence Hub for more reports and research.
HIMSS Media conducted this research in
Source: Mimecast Limited