October 30, 2020
Phishing has arguably been the single most devastating cybersecurity threat to the world since its inception in 1990. Let’s take a look at this area and all the various cybersecurity products that play in the space.
Terms You Might Also Hear
- Business Email Compromise (BEC) (phishing meant to compromise business functions like wire transfers)
- Spear Phishing (highly targeted phishing attacks against a company or person)
- Smishing (phishing attacks over SMS/text)
- Vishing (Phishing attacks over the phone)
- Phishing targets organizations of all sizes and people of all walks of life. The attacks can be both opportunistic and targeted depending on the motives of the attackers.
- Phishing attacks are largely based on financial motives, and no one is immune to receiving this kind of security threat in business and personal life.
- Many experts cite phishing as the first phase of most attacks leading to ransomware, business email compromise, extortion, and fraud.
- Some studies purport that phishing attacks account for 90% of all data breaches.
- Identifying, preventing, and responding to phishing attacks is a priority for most organizations, but little can stop the constantly shifting flow of malicious email.
- Phishing and email attacks are not only increasing, but they’re also evolving. They are a part of life on the Internet.
Enter the Anti-Phishing product market space.
- Phishing, and people’s susceptibility to it, means the product market space views this issue as a “human problem.”
- Solutions either have to teach humans how to not be tricked so easily or they have to accept that humans will be tricked and try to address the problem with technology behind the scenes.
- Solutions in the anti-phishing space can take on different forms, and many organizations use most or all of these:
  - Content Disarmament - by far the most common approach. These tools sit in the flow of mail (between sender and recipient) to intercept, inspect, unpack, and potentially detonate malicious payloads such as links or attachments, so that bad emails never reach the recipient. They are often cloud-based and inspect each link individually.
  - Simulated Attacks - platforms that allow a company to send “safe” phishing emails, SMS messages, and phone calls to employees as a means of training and awareness. These simulations are used to measure how susceptible people are to phishing attacks.
  - Phishing Awareness Training - learning and development platforms that educate employees through online courses and simulated exercises on spotting the signs of phishing. These courses are tailored to an individual organization so employees learn how to spot phishing attacks and handle them at their company.
  - Job Supplementation - digital and physical assets like posters, signs, stickers, and desk cards that give employees constant reminders to be aware of phishing. Anti-phishing requires constant vigilance, so the goal here is to ingrain awareness and a safe way to respond.
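To make the content-disarmament approach concrete, here is an added example (not the page's own code, nor any vendor's product) of the kind of inspection pass such a gateway performs on a message in transit: parse the message, walk its MIME parts, pull out links and attachments, and apply a few policy rules before deciding whether to deliver, sandbox, or quarantine it. The sample message, the extension lists, and the rules are all constructed assumptions for illustration; a real gateway would also detonate attachments and use the public suffix list rather than the crude domain helper used here.

```python
"""Mail-flow inspection of the kind a content-disarmament gateway performs.
Illustrative example; rules and sample data are constructed, not a product."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy lists: types a gateway would quarantine outright or detonate first.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
_DOMAIN_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude 'last two labels' helper; real gateways use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _check_link(href, text):
    """Policy rules for one link: bare-IP host, embedded userinfo, text/target mismatch."""
    out, parsed = [], urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return out
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        out.append(("medium", "link to bare IP address", href))
    if parsed.username is not None:  # http://bank.example@attacker-host/ style obfuscation
        out.append(("medium", "userinfo in link", href))
    shown = _DOMAIN_RE.search(text)  # anchor text that itself looks like a domain or URL
    if shown and _registered_domain(shown.group(1)) != _registered_domain(host):
        out.append(("high", "link text domain differs from target", href))
    return out


def inspect_message(raw):
    """Return (severity, reason, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"] or ""))
    shown = _DOMAIN_RE.search(display)  # display name claiming a domain the address lacks
    if shown and addr and _registered_domain(shown.group(1)) != _registered_domain(addr.split("@")[-1]):
        findings.append(("high", "display-name domain mismatch", str(msg["From"])))
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:  # attachment: classify by extension (double extensions resolve to the last one)
            ext = os.path.splitext(filename)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(("high", "executable attachment", filename))
            elif ext in MACRO_EXTENSIONS:
                findings.append(("medium", "macro-enabled attachment: detonate", filename))
            continue
        ctype, body = part.get_content_type(), part.get_content()
        if ctype == "text/html":
            ex = _LinkExtractor(); ex.feed(body); links = ex.links
        elif ctype == "text/plain":
            links = [(u, u) for u in re.findall(r"https?://\S+", body)]
        else:
            continue
        for href, text in links:
            findings.extend(_check_link(href, text))
    return findings


def verdict(findings):
    """Gateway decision: quarantine on any high finding, sandbox on medium, else deliver."""
    sev = {s for s, _, _ in findings}
    return "quarantine" if "high" in sev else "sandbox" if "medium" in sev else "deliver"


def build_sample():
    """Constructed sample: look-alike display name, IP-hosted link, executable attachment."""
    msg = EmailMessage()
    msg["From"] = '"Payroll at example-bank.com" <notify@mailer-example.test>'
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Action required: verify your direct deposit"
    msg.set_content("Please review the attached form.")
    msg.add_alternative('<p>Please <a href="http://198.51.100.7/login">sign in at '
                        'secure.example-bank.com</a> to confirm.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="DirectDeposit_Form.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    found = inspect_message(build_sample())
    for f in found:
        print(f)
    print("verdict:", verdict(found))
```

Running the script prints four findings for the constructed message (a display-name mismatch, a bare-IP link, a link whose visible text names a different domain than its target, and an executable attachment) and a verdict of `quarantine`; a plain internal message with a link to its own domain produces no findings and is delivered.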
Players in the Space
- Area 1 Security
- Blackfin (part of Symantec)
- Cofense (formerly PhishMe)
Product Space Predictions
- With COVID-19 and remote working becoming more of a norm, many companies will have to extend the reach of their security capabilities into employee home networks. A home network, with its unmanaged and untrusted routers, printers, gaming consoles, and IoT devices, is arguably more hostile than a traditional corporate network. A successful phishing attack that compromises one device on the home network can pivot to others on the same network, including the corporate-managed laptop.
- Since phishing doesn’t have a work-life balance, remote employee protection, especially for high-profile executives, will be on the rise. Look for a rise in vendors and products that can serve both corporate laptops and personal devices with the same level of visibility and protection. There are obvious privacy concerns here.
“The best offense is a good defense”
Unknown, on Anti-Phishing (probably)
Product Space Opportunities
- Go multi-threaded. As a buyer in this space, you’ll need to deploy social, psychological, and technological means to keep your organization safe from phishing. One solution will not be enough, so think Defense in Depth.
- Look for bundles where it makes sense. As mentioned in a previous issue, corporate buyers can rarely buy the best of the best. Bundling anti-phishing with Endpoint Detection and Response (EDR) platforms can increase your security observability where most attacks happen by volume - on an employee’s computer.
- Make simulation content dynamic. Most phishing simulation platforms are just versions of MailChimp. Instead of sending a single email campaign to a list of users, build a platform that allows randomization and customization. Send multiple emails with varied domains and bodies so that, like real phishing emails, they are harder to spot.
- Make it interactive. Train employees the same way you train developers to not write insecure code. Solutions that can offer immediate feedback and training at the time of click or in the email clients will teach users at the point that it matters the most. This will be far more effective than the once a year training that employees speed click through to the end.
- A good anti-phishing program is still only a small piece of the overall cybersecurity puzzle. This is one of the most important pieces, but you can’t overlook or neglect strong identification and protection defenses elsewhere.
- Anti-phishing solution implementations require nuance. Disrupting the user experience for the sake of security carries a real cost, but it just might be worth it if it reduces successful phishing attacks.
- Rolling out a successful anti-phishing program is more about constant change management than about the technology itself (as with most technology rollouts). You want behaviors to change, which is the hardest thing to do. Take a page from the experts on change management.
- Don’t “name and shame” with phishing simulation metrics to drive better end user compliance and awareness. Showing month-over-month click rates by department or line of business isn’t useful to anyone.
- The History of Phishing - for those who like to understand origin stories.
- Business Email Compromise - definitions and examples.
- Phishing and Email Fraud Statistics 2019 - the numbers only ever go up.
- Verizon 2020 Data Breach Investigations Report - the gold standard for data breaches and cybersecurity trends across all industries.
- Tackling Phishing and BEC Attacks - more on how to prevent attacks like this.
- Defense in Depth - the principle that enterprise cybersecurity programs are built on.
- What is Machine Learning? - a beginner’s guide.
- More Than 8 in 10 Fell Victim to Phishing Attacks in 2018 - this is a hard game.
Looking for more insights and analysis? Check out the Pro version of this newsletter, where you’ll find:
- 4 Predictions for the product space (100% more)
- 8 Opportunities for the market to capitalize on (100% more)
- 6 Key Insights for players and buyers to win (50% more)
When you subscribe to the Pro version, you’ll get access to the pro version of this issue and all past and future issues.