Phishing Emails Undetected by 97 Percent of People
Today, phishing emails are behind 97 percent of cyberattacks, yet recent research reveals 97 percent of people cannot identify those phishing…
August 29, 2017 at 02:37 PM
4 minute read
The original version of this story was published on Law.com
Today, phishing emails are behind 97 percent of cyberattacks, yet recent research reveals 97 percent of people cannot identify those phishing scams, putting the companies they work for at risk. In fact, out of 5,000 emails, one of them is likely to be a phishing email that causes damage. Victims may not know they've become one for up to a year.
Blake Darche, co-founder and CSO of Area 1 Security, sat down with inside Counsel to discuss how businesses can protect themselves with a new model for cybersecurity that uses a preemptive strategy to keep attacks from happening.
These days, phishing is the attack of choice because it's effective – It relies on social engineering tactics that people don't know about or recognize. By the time they realize they've responded to a malicious message, it's too late—the damage is done.
“But phishing isn't an email only problem. It's an organizational problem,” explained Darche. “People are a curious, impulsive bunch; nine times out of ten, they'll go ahead and click. That's why awareness and training are so ineffective—and why you need to take action at the time that matters most: before the attack reaches and breaches you.”
The reality is that if your company has customers and does business electronically, you are at risk. The more data that's created; and the more places that data lives, the more numerous the opportunities for successful hacks.
He said, “If a hacker wants credit card numbers, for example, why bother hacking a major, well-defended corporation like Visa or Amex when they can quickly find a retailer, restaurant, or hotel that is easily breached and has the same desired user credentials and credit card information?”
Unfortunately, by the time organizations discover they've become a victim, months have passed since the initial attack, according to Darche. Part of the problem is placing complete trust in the traditional “perimeter-mounted” defense so common in cybersecurity – phishing attacks sail past these defenses with mind-boggling ease, and once inside your perimeter, they hide for long periods by masquerading normal traffic patterns. Meanwhile, damage is ongoing.
So, how can businesses can protect themselves?
The first thing businesses can do is get more aggressive about best practices like patching software promptly and running the latest updates. In addition, they should work toward becoming more preemptive. For instance, Area 1 Security, has developed solutions that target phishing attacks when they're still out “in the wild,” which means beyond the business's perimeter. Preemptive technology takes the burden and pressure off employees and puts it where it belongs—on protective technology.
“Legacy solutions that rely on reactive defense and post-attack detection, containment and remediation aren't effective,” explained Darche. “Take a glance at the headlines—and don't forget, plenty of attacks go unpublicized because, frankly, what company would want to reveal its vulnerability and misfortune?”
This new model is preemptive and proactive. It identifies and monitors attacker activity, methods, and phishing infrastructure. It processes and analyzes historical phish data along with hacker behavior and uncovers emergent patterns of future attacks. This not only levels the playing field; it puts the element of surprise on your side rather than the hacker's. You can take decisive action against and neutralize the phish before it's even launched—right on its own doorstep.
“We see preemptive approaches increasingly being used by organizations to get ahead and stay ahead of the attackers,” he explained. “Proactively patching known software vulnerabilities before an attacker can exploit it, engaging in whitehat hacking or bug bounty exercises to identify application bugs and employing Runtime Application Self Protection (RASP) tools to proactively close out application exploits during development cycles—are all examples of preemption being applied to cybersecurity.”
So, what are the vulnerabilities of companies? People, per Darche. People are a company's biggest asset; yet people remain their biggest vulnerability. The attackers know that and are persistent in going after that vulnerability. We have a saying in our ranks – 'People can't be patched'. And it's never been more true.
Another vulnerability is a lack of knowledge and recognizing that any organization can be a target. Many companies are infected right now and don't know it. Everyone needs to understand that each of us are potential targets. Just because you operate a smaller business or are in a less prominent area doesn't mean you're safe from hackers' notice and attacks.
“I can't emphasize this enough: phishing has to be stopped at its source, before phishing attacks are launched, and not after they've breached your defenses,” Darche said. “The model of detecting a breach after it's happened doesn't work. And the damage can be catastrophic.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Trump Likely to Keep Up Antitrust Enforcement, but Dial Back the Antagonism
5 minute read
A Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute read
Trending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Trump's Return to the White House: The Legal Industry Reacts
- 3Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 4Climate Disputes, International Arbitration, and State Court Limitations for Global Issues
- 5Judicial Face-Off: Navigating the Ethical and Efficient Use of AI in Legal Practice [CLE Pending]
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
