The chief information security officer (CISO) at investment firm Old Mutual Wealth has revealed that phishing attacks against staff are becoming more subtle and are increasingly aimed at all areas of a business, not just top-level executives, underlining the threat posed to firms.
Ben de la Salle explained at the Investment Week Cyber Security Strategy Briefing event, held in partnership with V3 sister title Computing, that top-level staff are still targeted, but so too are more mid-ranking employees.
“We have had experience where a PA has responded to what they think is an email from the CEO asking for the CFO and then they reveal that person is away, at the hospital or something, and that provides additional information to [the hacker],” he said.
“But we’ve also found them working much further down the chain. They impersonate people in a position to ask for something to be processed and they sometimes even follow up an email with a phone call saying ‘as per my email’ and so on.”
De la Salle said his firm aims to make all staff aware of the threat, including by sending fake phishing emails to employees to see who responds.
“We are educating them and telling them what to look out for and not to reply, but it’s hard to stop sometimes because it’s so simple,” he explained.
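The pattern de la Salle describes, a message that appears to come from the CEO or another senior person but is actually sent from outside the company, is one that mail-filtering rules can flag before it reaches a PA or a payments clerk. The following is an added example written for this page, not code from the article or from Old Mutual Wealth: it checks the From and Reply-To headers of inbound mail for display names that match a known executive combined with an external or look-alike sender domain. The executive roster, the corporate domain `example.com` and the sample headers are all constructed for the demonstration.

```python
"""Triage inbound mail for executive display-name impersonation.

Added example, not from the original article. Signals checked per message:
  1. From display name matches a known executive, but the sending domain is
     not the company's own (the "fake CEO email" pattern).
  2. Reply-To points at a different domain than From, so replies leave the
     conversation the recipient thinks they are in.
  3. The sending domain is a close look-alike of the corporate domain.
All names, domains and headers below are constructed for the demo.
"""
import difflib
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                       # assumed company domain
EXECUTIVES = {"Jane Doe": "CEO", "John Smith": "CFO"}   # constructed roster
LOOKALIKE_THRESHOLD = 0.8                               # similarity ratio that counts as a look-alike


def normalise_name(display: str) -> str:
    """Lower-case, strip punctuation and sort tokens so 'Doe, Jane' == 'jane doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", display.lower())))


# Index the roster by normalised name once, so lookups tolerate ordering/punctuation.
EXECUTIVE_INDEX = {normalise_name(name): role for name, role in EXECUTIVES.items()}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_internal(domain: str) -> bool:
    """True for the corporate domain itself or any of its subdomains."""
    return domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)


def looks_like_corporate(domain: str) -> bool:
    """Cheap look-alike test: character-level similarity to the real domain."""
    ratio = difflib.SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio()
    return ratio >= LOOKALIKE_THRESHOLD


def triage_message(headers: dict) -> list:
    """Return the impersonation indicators found in one message's headers."""
    findings = []
    display, from_addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(from_addr)
    role = EXECUTIVE_INDEX.get(normalise_name(display))

    if role and not is_internal(from_domain):
        findings.append(
            f"display name matches {role} but sender domain is external ({from_domain})")

    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain ({domain_of(reply_addr)}) differs from From domain ({from_domain})")

    if from_domain and not is_internal(from_domain) and looks_like_corporate(from_domain):
        findings.append(f"sender domain {from_domain} is a look-alike of {CORPORATE_DOMAIN}")

    return findings


# Constructed sample headers: one genuine message, two impersonation attempts,
# and an ordinary external message that should not be flagged.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <jane.doe@mail.attacker.test>",
     "Reply-To": "ceo.urgent@freemail.test"},
    {"From": '"Doe, Jane" <jd@examp1e.com>'},
    {"From": "Vendor Billing <billing@supplier.example>"},
]


def triage_all(messages: list) -> list:
    """Run triage over a batch and return one findings list per message."""
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(msg["From"], "->", findings or "clean")
```

The rules are deliberately simple so they can be read and tuned by the people who handle the alerts; in production the roster would come from the directory and the look-alike test would run against the registrable domain rather than the raw header value. The value of such a rule is that it catches the case the talk warns about, an executive's name on an outside address, without depending on whether the recipient is senior enough to have had awareness training.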
De la Salle went on to discuss security in the cloud, revealing that he still has concerns about losing control of company data.
“There are lots of cloud security providers offering protection from zero-days and so on and they do that by saying they will inspect files and ID them if they appear malicious,” he said.
“That’s great, but then you say to them: ‘What happens to that file when you’ve processed it?’ and they say: ‘Oh we keep it’. So then you have to ask: ‘How do you store that? Where is it kept?’ and so on and you’ve lost control over that data.”
The CISO of market research firm IHS Markit said at the same event that companies should make top-level staff understand the risk from phishing attacks by showing them how attackers comb social profiles to find information for social engineering attacks.