Email phishing attacks against high-level executives increased at Tri-Counties Regional Center last year. To combat the problem and boost awareness of it, CIO Dominic Namnath turned to user training videos.
“Your user is the most vulnerable point,” Namnath said. “Spoofing the CEO’s email asking him to check out a website, which is an attack website — it wouldn’t be hard to imagine something going wrong.”
Tri-Counties Regional Center, a nonprofit healthcare services provider in Santa Barbara, Calif., takes a layered approach to desktop security, using Sophos for endpoint protection and network security. But phishing attacks — which fool users into clicking a link to a malicious website or file — are still quite concerning, Namnath said.
The organization first hired an IT consultant to provide annual anti-phishing training sessions for users, but that wasn’t sufficient, Namnath said. Now, Tri-Counties uses Ninjio, a security awareness training company that provides animated videos based on real-life security breaches. Users watch one three- to four-minute video a month that explains how a specific type of threat occurs and how to avoid it.
For instance, one video shows a hospital network becoming infected with ransomware because a phishing attack duped an employee. The employee learns how to prevent an attack by hovering the cursor over a link in an email to see a preview of the URL.
At Tri-Counties, IT tracks how many anti-phishing training videos users watch and assigns them a quota to reach in a certain timeframe. If users don’t meet the goal, Namnath restricts their access to certain websites.
“Basically, they won’t be able to get to any fun stuff,” Namnath said. “Those who aren’t being educated are our biggest risks.”
Thirty percent of attempted phishing emails get opened by users, according to the Verizon 2016 Data Breach Investigations Report.
Zack Schuler, a former network engineer and founder of Ninjio, started the company in 2015 because other anti-phishing training videos were 45 minutes long and not very engaging, he said.
“If we could just educate people so they knew what they were doing and knew what to look out for, then we’d have this massive dent in security vulnerabilities,” he said.