Focus on Phishing to Deter Cyberattacks, Experts Say
Companies that collect customer data should strengthen their defenses against phishing, since it remains among the top cyberattack tactics, said panelists during a Practising Law Institute cybersecurity conference Monday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Bob Lord, senior vice president for digital security strategy at the Institute for Security and Technology, said phishing is a “classic form” of attack, though phishing-resistant multi-factor authentication (MFA) can help protect against it.
“The system is designed so that when you eventually fall for the attack -- and make no mistake, we will all fall for the attack at some point -- … and you do exactly what the attackers tell you to do, you have still not given them enough to take over your account,” he said. “That's not to say that the bad guys aren't going to find a way in, but they're not going to be able to get in the old-fashioned way, and we're going to raise the cost of attack, and ultimately, that's all we can do.”
Lord said he's mystified why "major organizations" that collect customer data that's important to their business lack phishing-resistant MFA gating, which "forces the attacker to retool."
David Wong, director at Mandiant, now part of Google Cloud, noted that such MFA can be difficult or expensive to implement, so companies often settle for other types of MFA that are more easily circumvented. “As companies react and build higher walls for defenses, the attackers find ways to climb these higher walls,” he said.
Lord agreed and said this is why “raising the cost of attack is key.”
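The difference the panelists are describing is visible in a small simulation of an adversary-in-the-middle phishing relay: the victim does everything the attacker asks, and the outcome depends only on the MFA type. The following is an added example written for this page, not code from the article or from any of the panelists' organizations. It models a one-time code versus a WebAuthn-style passkey assertion in deliberately simplified form: the relying party, the origins bank.example and bank-login.evil.example, and the user are constructed sample data, and the authenticator uses HMAC with a per-credential secret as a stand-in for the public-key signature a real FIDO2 device produces (an assumption made so the example runs on the standard library alone).

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample identities for the simulation (not from the article).
RP_ID = "bank.example"                            # relying party the passkey is bound to
RP_ORIGIN = "https://bank.example"                # the only origin the RP will accept
PHISH_ORIGIN = "https://bank-login.evil.example"  # attacker's look-alike site


def origin_within_rp(origin: str, rp_id: str) -> bool:
    """Simplified WebAuthn scoping rule: the page's host must be the RP ID or a
    subdomain of it, otherwise the browser never offers the credential."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def otp_code(secret: bytes) -> str:
    """Stand-in for a TOTP generator: phone and server derive the same code for
    the current window (one fixed window here to keep the example short)."""
    return hmac.new(secret, b"window-1", "sha256").hexdigest()[:6]


class Authenticator:
    """Security key / platform passkey. HMAC with a per-credential secret stands
    in for the real public-key signature (assumption: stdlib-only example)."""

    def __init__(self):
        self.keys = {}

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]  # a real device would hand back a public key

    def get_assertion(self, rp_id, challenge, origin, browser_enforces_rp_id=True):
        if browser_enforces_rp_id and not origin_within_rp(origin, rp_id):
            return None  # browser refuses: wrong site for this credential
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(self.keys[rp_id], signed, "sha256").digest()}


class RelyingParty:
    def __init__(self):
        self.pending = set()
        self.passkeys = {}
        self.otp_secrets = {}

    def issue_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify_otp(self, user: str, code: str) -> bool:
        # Only the code value is checked: nothing ties it to the site it was typed into.
        return hmac.compare_digest(otp_code(self.otp_secrets[user]), code)

    def verify_passkey(self, user: str, assertion) -> bool:
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False
        if cd.get("origin") != RP_ORIGIN:  # the origin-binding check
            return False
        if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.passkeys[user], signed, "sha256").digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self.pending.discard(cd["challenge"])  # challenges are single use
        return True


def scenario_otp_relay() -> bool:
    """Victim types a valid OTP into the phishing page; the attacker relays it."""
    rp = RelyingParty()
    rp.otp_secrets["alice"] = secrets.token_bytes(20)
    typed_into_phish = otp_code(rp.otp_secrets["alice"])  # the code her phone shows
    return rp.verify_otp("alice", typed_into_phish)        # True: attacker is logged in


def scenario_passkey_relay(browser_enforces_rp_id=True, patch_origin=False) -> bool:
    """Same relay against a passkey: the attacker starts a real login, forwards
    the real challenge to the victim on PHISH_ORIGIN, and the victim touches the key."""
    rp, auth = RelyingParty(), Authenticator()
    rp.passkeys["alice"] = auth.register(RP_ID)
    assertion = auth.get_assertion(RP_ID, rp.issue_challenge(), PHISH_ORIGIN,
                                   browser_enforces_rp_id)
    if assertion is not None and patch_origin:
        # Attacker rewrites the origin field before relaying; the signature
        # covers client_data, so the edit invalidates it.
        cd = json.loads(assertion["client_data"])
        cd["origin"] = RP_ORIGIN
        assertion["client_data"] = json.dumps(cd, sort_keys=True).encode()
    return rp.verify_passkey("alice", assertion)  # False on every path


def scenario_passkey_legit() -> bool:
    """Control case: the same passkey used on the genuine origin succeeds."""
    rp, auth = RelyingParty(), Authenticator()
    rp.passkeys["alice"] = auth.register(RP_ID)
    return rp.verify_passkey("alice", auth.get_assertion(RP_ID, rp.issue_challenge(), RP_ORIGIN))


if __name__ == "__main__":
    print("OTP relayed by phisher accepted:   ", scenario_otp_relay())
    print("passkey relayed, browser enforces: ", scenario_passkey_relay())
    print("passkey relayed, buggy client:     ", scenario_passkey_relay(False))
    print("passkey relayed, origin patched:   ", scenario_passkey_relay(False, True))
    print("passkey used on the real site:     ", scenario_passkey_legit())
```

The relayed OTP is accepted because the server has no way to know which page the code was typed into. The passkey fails three times over: the browser will not offer a credential scoped to bank.example on the phishing host, a client that did would still produce an assertion whose signed client data names the wrong origin, and an attacker who rewrites that origin breaks the signature. That is the "retool" cost Lord refers to; the caveat is that this protects the login ceremony only, so session tokens issued afterwards still need their own protection.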
Any MFA is better than no MFA, said Kyriakos Vassilakos, assistant section chief in the cybercriminal operations section of the FBI’s Cyber Division. When it comes to the associated cost, “It's understanding what are your crown jewels and what are you going to protect.”
“Making sure that folks are mindful when they're looking at a message, [by] just giving it that one second of scrutiny” is important, he added. “Don't click on that [Microsoft] Teams invite before 7 a.m. First, have a sip of coffee, go for a workout [and] be mindful of kind of who's engaging you.”
Lord said that although “sometimes we hear the phrase that the attacks are getting increasingly sophisticated … a lot of the evidence shows that the bad guys are just really using the golden oldies.” He noted that “almost all the unforgivable vulnerabilities from 2007” still top the list in 2024, so “while the attackers may be increasingly well-funded, it's not always the case that they use very ... nuanced tools.”
The attack-response plan “may be very different for different organizations, but having a robust conversation, trying a bunch of different ideas on for size and selecting the one that really fits the best for that organization is really key,” he said.
While some attackers are “doing their research to understand ‘what is that sensitive data?’” and “trying to extort that,” others “will smash and grab,” and not “understand the value of the data,” said Vassilakos.
“The tech solution is one piece,” he said. But it's also crucial to educate people within the organization about what phishing attempts look like and to make “sure that folks understand that everybody is a target.”