The chief information security officer (CISO) at investment firm Old Mutual Wealth has revealed that phishing attacks against staff are becoming more subtle and are increasingly aimed at all areas of a business, not just top-level executives, underlining the threat posed to firms.
Ben de la Salle explained at the Investment Week Cyber Security Strategy Briefing event, held in partnership with V3 sister title Computing, that top-level staff are still targeted, but so are mid-ranking employees.
“We have had experience where a PA has responded to what they think is an email from the CEO asking for the CFO and then they reveal that person is away, at the hospital or something, and that provides additional information to [the hacker],” he said.
“But we’ve also found them working much further down the chain. They impersonate people in a position to ask for something to be processed and they sometimes even follow up an email with a phone call saying ‘as per my email’ and so on.”
De la Salle said his firm aims to make all staff aware of the threat, including by sending fake phishing emails to employees to see who responds.
“We are educating them and telling them what to look out for and not to reply, but it’s hard to stop sometimes because it’s so simple,” he explained.
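The impersonation pattern described above (a message carrying an executive's display name but sent from an outside mailbox, or asking for replies to go elsewhere) is something a mail gateway or SOC can check for mechanically rather than leaving it to the PA. The following is an added example, not code from the article or from Old Mutual Wealth; the company domain, the executive directory and the three sample messages are constructed for illustration. It flags a From display name that matches a known executive but does not resolve to that executive's address, a Reply-To domain that differs from the From domain, and an internal-looking sender that did not pass DMARC at the receiving gateway.

```python
"""Display-name impersonation and reply-redirect checks for BEC-style phishing.

Added example; the domain, executive list and messages below are constructed.
"""
import email
from email.utils import parseaddr

# Assumed firm mail domain and directory of executives whose names attackers
# borrow (hypothetical values for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}


def normalise(name: str) -> str:
    """Lower-case, drop commas and collapse whitespace so 'Doe, Jane' still matches."""
    return " ".join(name.lower().replace(",", " ").split())


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return a list of findings for a raw RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Executive display name on a mailbox that is not the executive's own.
    expected = EXECUTIVES.get(normalise(from_name))
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display name '{from_name}' impersonates {expected} "
            f"but message is from {from_addr}"
        )

    # 2. Replies steered to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        rt_domain = domain_of(rt_addr)
        if rt_domain and rt_domain != from_domain:
            findings.append(
                f"Reply-To domain {rt_domain} differs from From domain {from_domain}"
            )

    # 3. Claims to be internal but the gateway's DMARC evaluation did not pass.
    if from_domain == COMPANY_DOMAIN:
        auth = msg.get("Authentication-Results", "").lower()
        if "dmarc=pass" not in auth:
            findings.append("internal From domain without a DMARC pass")

    return findings


# Constructed sample messages.
SPOOFED = """From: Jane Doe <jane.doe.ceo@webmail.example.net>
To: pa@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; dmarc=none

Are you at your desk? I need a payment processed today, as per my call.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: pa@example.com
Subject: Board pack
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Attached.
"""

REDIRECTED = """From: John Smith <john.smith@example.com>
Reply-To: John Smith <js.payments@mailbox.example.org>
To: accounts@example.com
Subject: Supplier invoice
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com

Please process the attached invoice and confirm by reply.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("redirected", REDIRECTED)):
        print(label, check_message(sample) or "clean")
```

The display-name check is deliberately strict about the address rather than the domain: an attacker who has registered a lookalike domain or compromised a colleague's internal mailbox would pass a domain-only comparison. The DMARC check reads the gateway's own Authentication-Results header, so it only means something if the gateway strips that header from inbound mail before adding its own.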
De la Salle went on to discuss security in the cloud, revealing that he still has concerns about losing control of company data.
“There are lots of cloud security providers offering protection from zero-days and so on, and they do that by saying they will inspect files and ID them if they appear malicious,” he said.
“That’s great, but then you say to them: ‘What happens to that file when you’ve processed it?’ and they say: ‘Oh, we keep it’. So then you have to ask: ‘How do you store that? Where is it kept?’ and so on, and you’ve lost control over that data.”
The CISO of market research firm IHS Markit said at the same event that companies should make top-level staff understand the risk from phishing attacks by showing them how attackers comb social profiles to find information for social engineering attacks.