Phishing clearly works and is on the rise. It’s often the first step in targeted attacks – so-called Advanced Persistent Threats (APTs). Why has it become so popular with attackers? “I think that you’re attacking the soft underbelly of the organisation, which is the human,” explains Joe Ferrara, CEO of Wombat Security Technologies, in this interview. While everyone is focusing on securing the infrastructure, says Ferrara, the attackers are finding it easier to go after people. Phishing is a curse that affects both personal and business use of the net, but this also offers an educational opportunity. Firms can show how awareness about phishing can help keep employees safe in their personal lives – and this has benefits for business too. Nonetheless, training in most organisations remains poor. One problem is how you measure the impact of the training – what metrics are available to enable firms to create an ‘improvement loop’? Ferrara believes awareness is achieved using simulated attacks to create a ‘teachable moment’. And so that people don’t feel victimised, it’s important to associate training directly with the attacks. If you just take a pen-test approach, there’s no value in it – the value for the employee lies in the training, which makes it a form of personal development.
We also spoke to Colin Tankard of Digital Pathways about another sort of awareness – and why the general public doesn’t seem to care much about security. It’s not just them – many organisations don’t seem to be getting the message either. We’ve just seen some of the LulzSec hackers jailed, but are some organisations guilty of contributory negligence? Many companies that get hacked have security systems, but maybe they’re not paying attention to what these systems are telling them. Tankard believes management needs to take more of an interest in security and get more involved. And achieving this is going to require education – and maybe some kind of shock. “The only thing that’s going to start worrying companies is their reputation,” says Tankard. And we, as the public, are not putting sufficient pressure on organisations to get their act together. This needs to be backed up by stronger regulation – or more stringent application of the regulations we already have, especially in Europe. As a starting point, perhaps we need mandatory disclosure of breaches, more teeth to the ICO, and better enforcement of PCI DSS. But it’s pressure from an enlightened public that is most likely to be effective.