Phishing is a threat to any business, but brands can fight back with a combination of employee education and technological solutions. Sarah Morgan reports.
“Criminals cast a huge net. They’re not just looking for Fortune 500 companies, they’re also looking for mom-and-pop accountants,” said Steven Shapiro, Supervisory Special Agent of the Federal Bureau of Investigation’s Intellectual Property and Criminal/Cyber Integration Unit (USA) yesterday.
Speaking at Session CSA52, “Holy Mackerel! Identifying and Addressing Phishing of Your Employees and Customers,” Mr. Shapiro added that information garnered from smaller companies can be used to catch bigger fish.
Michael Lashlee, Deputy Chief Security Officer at MasterCard (USA), said, “If you’re a criminal and you can send out 10,000 emails at the click of a button and get even a half percent return, that’s still a good day for you. It’s very rudimentary but very effective.”
“Don’t think you can’t be a victim,” warned Mr. Lashlee, noting that even the spouses of MasterCard International Incorporated (USA) employees have fallen victim to scammers who told them their spouses were arrested and they should go to a bitcoin ATM to send money.
MasterCard’s first line of defense is technology, closely followed by employee education, such as mandatory training and phishing test emails.
“For the most part, culture change is what we’re trying to achieve. Culture eats strategy for breakfast. We can put all the policies out but if we don’t change the culture, we’re not going to be successful,” he said.
Employee education takes a carrot-and-stick approach: the company runs a phishing tournament in which the employee who has been most diligent in reporting phishing emails is rewarded with US $10,000.
“In the grand scheme of what the potential damage to our company could be, it’s a minuscule amount,” said Mr. Lashlee.
On the “stick” aspect, MasterCard employees who click on phishing emails are warned by the security team, with potential disciplinary actions taken down the line.
At first, there was a 30 percent failure rate for these phishing tests. Now, the rate has dropped to between four and seven percent.
But Shawn Henry, President and Chief Security Officer at CrowdStrike Services (USA), warned that while preventative measures are necessary, all it takes is “one adversary” to gain access to a computer within your company’s network.
He added: “It’s absolutely about culture, but there needs to be a culture of hunting for bad behavior.”
According to Mr. Henry, organizations need to become much more proactive in identifying malicious behaviors. “All of the organizations that are successful have changed their philosophy to become proactive.”
He added, “I’ve seen companies hit with destructive malware, shut down for weeks or months, losing hundreds of millions of dollars. They’ve chosen to not invest in the long-term security of the enterprise and that’s fraught with peril.”
From the trademark perspective, this all ties in with brand value.
“What kind of value can you show with your trademark if you have no security measures?” asked Mr. Raphael Gutierrez, Director, Intellectual Property, at Uber Technologies, Inc. (USA), and moderator of the panel.
Before the ride-hailing company’s initial public offering (IPO) was even announced, numerous phishing sites were asking people to sign up for updates on the IPO. “We had to act pretty quickly,” he added.
Relani Belous, Executive Board Member of the Association of Corporate Counsel (USA), added that the hit can also come indirectly.
She said, “You may be doing all the things right, but your law firm may not be doing what they should be. There have been law firms that have been hit too—it can get you directly or indirectly.”