Today, phishing emails are behind 97 percent of cyberattacks, yet recent research reveals 97 percent of people cannot identify those phishing scams, putting the companies they work for at risk. In fact, out of 5,000 emails, one of them is likely to be a phishing email that causes damage. Victims may not know they've become one for up to a year.
Blake Darche, co-founder and CSO of Area 1 Security, sat down with inside Counsel to discuss how businesses can protect themselves with a new model for cybersecurity that uses a preemptive strategy to keep attacks from happening.
These days, phishing is the attack of choice because it’s effective - It relies on social engineering tactics that people don’t know about or recognize. By the time they realize they’ve responded to a malicious message, it’s too late—the damage is done.
“But phishing isn’t an email only problem. It’s an organizational problem,” explained Darche. “People are a curious, impulsive bunch; nine times out of ten, they’ll go ahead and click. That’s why awareness and training are so ineffective—and why you need to take action at the time that matters most: before the attack reaches and breaches you.”
The reality is that if your company has customers and does business electronically, you are at risk. The more data that’s created; and the more places that data lives, the more numerous the opportunities for successful hacks.
He said, “If a hacker wants credit card numbers, for example, why bother hacking a major, well-defended corporation like Visa or Amex when they can quickly find a retailer, restaurant, or hotel that is easily breached and has the same desired user credentials and credit card information?”
Unfortunately, by the time organizations discover they’ve become a victim, months have passed since the initial attack, according to Darche. Part of the problem is placing complete trust in the traditional “perimeter-mounted” defense so common in cybersecurity - phishing attacks sail past these defenses with mind-boggling ease, and once inside your perimeter, they hide for long periods by masquerading normal traffic patterns. Meanwhile, damage is ongoing.
So, how can businesses can protect themselves?
The first thing businesses can do is get more aggressive about best practices like patching software promptly and running the latest updates. In addition, they should work toward becoming more preemptive. For instance, Area 1 Security, has developed solutions that target phishing attacks when they’re still out “in the wild,” which means beyond the business’s perimeter. Preemptive technology takes the burden and pressure off employees and puts it where it belongs—on protective technology.
“Legacy solutions that rely on reactive defense and post-attack detection, containment and remediation aren’t effective,” explained Darche. “Take a glance at the headlines—and don’t forget, plenty of attacks go unpublicized because, frankly, what company would want to reveal its vulnerability and misfortune?”
This new model is preemptive and proactive. It identifies and monitors attacker activity, methods, and phishing infrastructure. It processes and analyzes historical phish data along with hacker behavior and uncovers emergent patterns of future attacks. This not only levels the playing field; it puts the element of surprise on your side rather than the hacker’s. You can take decisive action against and neutralize the phish before it’s even launched—right on its own doorstep.
“We see preemptive approaches increasingly being used by organizations to get ahead and stay ahead of the attackers,” he explained. “Proactively patching known software vulnerabilities before an attacker can exploit it, engaging in whitehat hacking or bug bounty exercises to identify application bugs and employing Runtime Application Self Protection (RASP) tools to proactively close out application exploits during development cycles—are all examples of preemption being applied to cybersecurity.”
So, what are the vulnerabilities of companies? People, per Darche. People are a company's biggest asset; yet people remain their biggest vulnerability. The attackers know that and are persistent in going after that vulnerability. We have a saying in our ranks - ‘People can’t be patched’. And it’s never been more true.
Another vulnerability is a lack of knowledge and recognizing that any organization can be a target. Many companies are infected right now and don’t know it. Everyone needs to understand that each of us are potential targets. Just because you operate a smaller business or are in a less prominent area doesn’t mean you’re safe from hackers’ notice and attacks.
“I can’t emphasize this enough: phishing has to be stopped at its source, before phishing attacks are launched, and not after they’ve breached your defenses,” Darche said. “The model of detecting a breach after it’s happened doesn’t work. And the damage can be catastrophic.”