Inside Track - getting to know the vendors

Editorial Type: Interview. Date: 2016-07-01. Tags: Networking
Ray Smyth explored a new approach to an old problem during a recent discussion with Tim Lonsdale, CEO of SpearSec

In the fast-moving and relatively young IT security sector it's reasonable to expect threat vectors to arrive, be remediated and be superseded. When you add to this the evolution of technologies that prevent, thwart and remediate the attendant threats, you can see that things can change fast and often. This doesn't amount to a flawed conclusion, but it does explain why one attack vector - Phishing - is all the more remarkable for its persistence.

Phishing used to be nothing more than a convenient term for the theft of information. But as a security threat vector, Phishing has evolved, expanding its scope, reach and, to those actors with malevolent intent, its usefulness and value.

Tim Lonsdale is the CEO and main developer of a new-to-market company, SpearSec. From the outset of our conversation Tim presented some interesting statistics, explaining that while technology can be considered highly effective at preventing Phishing attacks, 10 per cent of attacks still succeed. While a 90 per cent prevention rate would be considered a success in many contexts, a Phishing campaign only needs one successful attack for it to triumph.

Tim explained that Phishing is now considered a gateway attack vector, and therefore not an end in itself. With the initial breach complete, it's not long before the attacker is moving laterally and assembling the means to facilitate deeper network penetration: this all too often leads to the launch of a Ransomware attack. Such an attack can totally disable business operations in an instant, and without some specialised recovery capability in place the only option is to pay the ransom. And remember, this happens because just one human being clicked on, for example, a phishing email link.

Focused on those attacks that technology does not prevent, SpearSec has created a service that aims to challenge and train employees in a realistic but totally safe way. Tim explains, "We decided to build a service that could engage safely with users while at the same time exposing them to a range of realistic Phishing attacks, in real time and, critically, on a continuous basis." This approach is in sharp contrast to more formal training. Tim adds, "It is live training delivered as needed. Clicking a safe link means that our service can present some quick, relevant, and highly effective training so that users can understand what they did wrong and the alternatives." Clearly, this is about changing behaviour.

It is commonly accepted that in a successful cyberattack, regardless of vector, the success will have been assisted by, if not caused by, the action of a human being. Tim says, "Technology alone cannot address everything - we need to change the culture and help users to learn and change their behaviour in a safe, non-threatening environment."

As well as delivering relevant, in-the-moment training, the SpearSec service builds a profile so that a company can measure its vulnerability to Phishing, its progress in reducing that risk, and activity trends. Where an individual or group is showing an unacceptably high level of risk, a more focused and constructive training response can be crafted.

As you can see, this response is targeted at people, not technology, and it is clear to see its potential to drive significant cultural reform, because HR, departmental managers, suppliers and staff will all understand the power of working together in this way. The SpearSec approach enables people to experience a range of highly specific Phishing attacks without the risk, augmented by timely, specific training to change human behaviour and create the correct human reflex. The bold claim is that in this way 100 per cent of Phishing attacks can be blocked. NC