Phishing clearly works and is on the rise. It's often the first step in targeted attacks – so-called Advanced Persistent Threats (APTs). Why has it become so popular with attackers? "I think that you're attacking the soft underbelly of the organisation, which is the human," explains Joe Ferrara, CEO of Wombat Security Technologies, in this interview. While everyone is focusing on securing the infrastructure, says Ferrara, the attackers are finding it easier to go after people.
Phishing is a curse that affects both personal and business use of the net, but this also offers an educational opportunity. Firms can show how awareness about phishing can help keep employees safe in their personal lives – and this has benefits for business too. Nonetheless, training in most organisations remains poor. One problem is how you measure the impact of the training – what metrics are available to enable you to create an 'improvement loop'? Ferrara believes awareness is achieved using simulated attacks to create a 'teachable moment'. And so that people don't feel victimised, it's important to associate training directly with the attacks. If you just take a pen-test approach, there's no value in it – the value for the employee lies in the training, which makes it a form of personal development.