Despite heading a company that provides a technological solution for stopping targeted email attacks, Evan Reiser, CEO of Abnormal Security, knows that technology is not the complete answer to the malicious email problem.
At the same time, security awareness and anti-phishing training is also not a foolproof solution, he maintains.
“Some businesses are giving up on technology and defaulting to an awareness-based security program for detecting email attacks, but that sets them up for failure. Our brains are wired to look for patterns and repeat processes, so for something that we do daily like email, it’s only a matter of time before an employee accidentally clicks a link from a ‘trusted’ company,” he told Help Net Security.
Forcing employees to dedicate a good chunk of each working day to evaluating emails for signs that it might have been sent by a bad actor is not good for business and not good for the employees, he opined: companies must marry training and technology together to build a comprehensive approach to protecting against email-based attacks.
Building a robust awareness training strategy
“There have been massive strides in the industry regarding training and awareness. There are a lot of great organizations that will provide security training as a service. These offerings teach employees to look for tell-tale clues such as emails from unknown senders, spelling errors, bad links, and inconsistent email addresses,” Reiser noted.
“However, I don’t think organizations fully realize how sophisticated attackers are. They are using information from social media, company websites, and other email communications to mimic people you trust, like bosses, colleagues or vendors. We’re not falling for emails from a Nigerian prince asking for money anymore.”
Even the most security-savvy employees can fall for some of these sophisticated tricks, and some may be too embarrassed to tell anyone about it or flag their failure quickly enough to prevent a (relative) catastrophe.
For many employees and in many organizations, falling for an email attack still carries a stigma, but companies should work on minimizing it, as well on sharing the lessons learned.
“It’s not about pointing fingers, but about creating a level of honesty and information sharing. Companies and executives need to move beyond exercises and share insights with employees about what they see in the industry, inside their own company, and how employees have been targeted and fooled,” he advised.
Collaboration and learning leads to better security for all
Reiser was interested in technology since forever, but only recently focused on cybersecurity – more specifically, on creating a more accurate solution for spotting malicious emails, especially if they are sent from legitimate but compromised accounts.
After getting a BS in computer systems engineering and a job in web development, he quickly found himself transitioning away from the corporate setting and into the world of startups.
His first company, an online-to-offline advertising platform that used behavioral profiling to direct offline purchasing through online ads, was sold to JP Morgan in 2010.
“With that experience, I built a new business that applied machine learning to advertising technology. That company was acquired by TellApart – and later by Twitter – where we worked on large-scale behavioral modeling, distributed machine learning and data privacy, security, and strategy,” he says.
He then realized that the same behavioral modeling technology that they used at TellApart and Twitter could have exciting cybersecurity applications – and this is how Abnormal Security came to be.
In this day and age, companies can’t do business without using email, but phishing and scam emails and business email compromise (BEC) incidents are a daily occurrence. Even the biggest and the most tech-savvy corporations aren’t immune to being victimized, and this means there’s a healthy demand for more effective solutions.
“The way I view it is that we’re partners and teammates with our customers,” Reiser explains. The ultimate goal is to get customers as secure as possible, he noted, but they are not under the illusion that the defenses they build last forever. “Bad actors will always come up with new ways to attack, and that’s why we need to learn together to build the best possible security posture.”