Employees of all levels can be harnessed to help protect their organisations from falling victim to the next big phishing attack, leading security experts have said.
Speaking to TechRadar Pro this week, Aaron Higbee, CTO of Cofense, says it’s not just the responsibility of IT teams or security experts to spot threats - particularly as many phishing attacks now target low-level employees.
“What (companies) are not paying attention to is that today’s phishing attacks are quite different,” he told us. “The things that our customers are facing today are remarkably different than what they were facing a year and a half ago.”
Cofense operates a range of services that lets anyone within an organisation flag potential phishing threats, and Higbee notes that in contrast to recent reports, the company has detected a rise in hackers going after low-level employees rather than the traditional c-level targets.
“It's that social engineering aspect where these guys are just getting smarter and smarter, which means we need to continuously adapt the way in which we're educating our workforce of what to look at.”
Finance-related emails remain a popular tactic, with businesses in all verticals capable of falling victim to a payroll or benefits-related scam email. But worryingly for many companies, that’s not all.
“There's innovation happening from the attackers perspective - the attack are quite different even to just a year ago,” Higbee says.
“What ends up happening is an attacker will have some degree of success with a tactic until they're sufficiently frustrated by some defense automated awareness - and at that point they have to change,” he adds - noting that this is often when organisations can be most at threat.
“An organisation is exposed because they have to wait for the defense technologies to notice that to implement effects to test the effects, roll it out - and during that dwell time, those phishing attacks are successful.”
Higbee notes that Cofense looks to help bring different areas of the workforce together in helping keeping everyone safe from phishing threats.
“The problem is, you're never done - threat actors are relentlessly innovating to develop new ways to bypass the gate, so you have to continuously evolve your approaches.”
“One of the mantras that I think we've done a good job at destroying was the human is the weakest link,” he says. “We want to help you identify who is good at spotting phishing away from just IT people...If you can figure out who your stars are, and operationalise their insight and their intuition, you can stay on top of that.”
“If you double click into what the phishing threat landscape is, it has changed remarkably, and it continues to evolve,” Higbee says, “For an infosec person, it's almost tedious, it's an annoyance that we still haven't solved this problem!”
- Best backup software of 2019