Cybersecurity is a constant priority at St. Jude Children’s Research Hospital. Hundreds of phishing emails arrive in the email boxes of hospital employees every day.

Some are easy to spot by misspellings, poor grammar or odd phrases. Others are cleverly cloaked in the form of prize winnings, well wishes or greeting cards.

Last year, hundreds of employees received an email with a subject line that appeared to be a spring greeting card from a friend. One click on the card revealed otherwise. Employees were greeted with a phishing warning.

The email was a test—one of many that St. Jude Information Security sends to employees throughout the year. The email directed employees to learn more about phishing, its potential risks and ways to avoid it.

Cybersecurity is an organizational priority

Employees must take phishing seriously, said Brian Elrod, St. Jude chief information security officer. All it takes is one person opening an email to unleash an attack.

“When you think about it from an attacker’s perspective, I can spend hundreds of hours trying to break through a firewall or defeat some type of a defense that most companies have, or I can trick just one person into clicking into an email,” Elrod said. “That’s why most cyberattacks start with a single phishing email. It’s so critical for our employees to tell us when they receive those types of emails so we can take action.”

Partnership of employees and cybersecurity

Karrie Thrall of St. Jude Financial Services is the top reporter of phishing emails among employees. Her department has prioritized phishing training in staff meetings. She reports emails several times per week.

“The email address and the subject line are the first things I notice. I try to do all I can to help prevent any cyberattacks,” Thrall said.

Information Security Director Lynette Larkins echoes those words, emphasizing the importance of the partnership between employees and cybersecurity. Prior to the pandemic, the department hosted regular discussions to stress the risks and threats St. Jude faces. Each October during National Cybersecurity Month, the team hosts fun and educational activities to raise awareness about phishing and cybersecurity.

“We’re all reading many emails every day, and it can become mundane,” Larkin said. “But it comes down to exercising good judgment, being careful and realizing that you’re an extension of our team. We have to have a strong partnership to keep the hospital’s information confidential.”

Constant phishing and incident response

Because St. Jude receives so many phishing emails around the clock, the hospital contracts with a third-party group that classifies emails sent to nearly 5,000 employees each day. If an email is classified as malicious, the St. Jude cybersecurity team receives an escalation email. In the past, the team spent large amounts of time processing those emails to determine whether links were clicked or if information was compromised. Each email took about 10 minutes to remedy.

Andrew Dedmon is one of four cybersecurity analysts at St. Jude. He focuses on incident response and vulnerability management. When he first arrived at St. Jude in 2018, he spent a large part of his day working on these emails.

Dedmon proposed a solution—a method to automate the repetitive work. The original version was a manual tool that streamlined phishing remediation. Soon, it also became repetitive.

Encouraged by his colleagues, Dedmon wrote new code—an automation engine that performs the actions of an analyst when an email is classified as malicious.

“It performs all of that grunt work,” Dedmon said. “The tool has set procedures to document how many people received the email, determine if any links were clicked and then remove the email from employees’ inboxes.”

Educating employees about cyberattacks

From July 2019 to July 2020, the team tallied more than 1,300 phishing incidents. The automated tool saved the team more than 218 hours, the equivalent of 5.5 work weeks. With the additional time, Dedmon and his colleagues now interact with employees more often to learn why employees click certain phishing emails. This feedback has been valuable as Information Security staves off attacks from around the globe.

“We are collaborating with our users more to talk about these things,” Dedmon said. “By being more proactive, we are helping to reduce the risk to the organization.”

The tool also reduces the risk of a cybersecurity term known as dwell time, which refers to how long a threat remains in an environment.

“St. Jude has employees working all over the globe. People report phishing emails at 2 a.m. our time, but there isn’t an analyst there to remediate them after they are classified as malicious,” Elrod said. “This automation cuts down on dwell time while also allowing us to pursue other work and better serve our employees.”

Dedmon presented the project at a virtual cybersecurity conference in September. St. Jude, a longtime innovator in medicine and research, joined other well-known organizations in the field. It was a showcase of the hospital’s pioneering culture.

“St. Jude is a unique place where we are encouraged to be innovative,” Dedmon said. “My colleagues and I on the cybersecurity team work hard. It’s an environment where creativity flourishes.”