Dispel the Myths about Phishing
A conversation about phishing defense with eSecure’s CEO.
By Cofense Inc.
How does it benefit MSSPs to offer phishing defense? To understand the value to service providers and customers, the Cofense™ team recently chatted with Clinton Smith of eSecure, an MSSP located in Australia and the UK.
Interestingly, his responses correspond to what Cofense calls the 5 Uncomfortable Truths about Phishing Defense, examined in a recent blog series. For example: “No matter how good your perimeter defenses, phishing emails still reach the inbox.” Clinton expounds on this idea and other key topics below, dissecting what they mean for MSSPs and their customers.
Q: Phishing attacks are in the news practically every day. Does this increase awareness or desensitize customers to the problem?
A: Most organizations are aware of the problem, in particular their security teams. But individual users often seem to expect that their organizations are going to protect their mailboxes. It’s a somewhat reasonable expectation, at least from the user’s perspective, but technology has limitations, so users need to do their part.
Q: Makes sense. Does this put more pressure on managed service providers to deliver anti-phishing solutions that turn users into network defenders?
A: We’re continually under pressure to raise the bar. For example, while medium-to-large companies realize the need to educate users on phishing, smaller partners in the supply chain may not. These smaller organizations tend to be less mature in developing anti-phishing programs. Some still have a strange reluctance to invest in cybersecurity.
Q: What about those organizations that have invested in security defense—are there too many that think, mistakenly, that what they have is enough?
A: Again, the security teams would gladly invest more, but not everyone in the organization agrees. In Australia, mandatory breach notification laws are raising awareness that security is a process, something that needs to evolve as threats themselves evolve.
Q: Did this need to evolve phishing defense drive your decision to partner with Cofense?
A: Absolutely. When an organization can’t recruit enough experienced cybersecurity staff, because the industry has a talent shortage, they need to create a strong culture of security. The solutions Cofense delivers can help them do exactly that, from phishing simulations to threat reporting and incident response.
Q: What types of phishing attacks have Cofense solutions helped defend against? Are there any that stick out?
A: Recently, we’ve seen phishing attacks target cloud services. As organizations move more of their business operations to the cloud, those cloud-based applications become a natural target. Cofense helps our customers identify and respond to these attacks, and to other types of attacks, much faster. That’s a great benefit, since some of the attacks you see in the news have been quite devastating.
Q: What other challenges are you able to help customers solve by offering phishing defense solutions?
A: So many of the challenges come down to visibility. The biggest problem for our customers is maintaining, or even expanding, visibility in a security environment that changes by the day. Ultimately, all of us are trying to ensure data protection. Working with Cofense, we help customers achieve that by stopping phishing attacks, which are the initial cause, the spear point, of most data breaches.
Q: And what are those discussions like? Are they normally prompted by an incident that stems from a phishing attack?
A: Having had long heart-to-heart discussions with CEOs about security incidents, I think it’s usually not a case of a single event exposing their vulnerability. It’s normally a series of events that show a lack of understanding about the threat and what a realistic investment in phishing defense would be.
Q: How are customers responding to your phishing defense offering?
A: Customers are loving it. The Cofense approach is a very practical and real way of educating a broad audience about cybersecurity threats. Let’s put it this way: customers know it’s better to have a good guy doing a security test, if you will, than a bad guy.
Q: Do customers have any issues with outsourcing their cybersecurity, or aspects of it?
A: Often, the starting point is a period of denial, similar to the way people respond to any life-changing event. They go from ‘It’s never going to happen to us’ to ‘Okay, it might happen to us’ and finally to ‘It is happening to us.’ Then they understand how large the problem is and how they can’t afford to build a total solution, involving research and constant testing and much more.
Q: What role do limited budgets play in the decision to outsource?
A: At the end of the day, budget pressures point to an outsourced solution. The economies of scale simply make sense. Plus, as organizations mature they realize it’s smart to distribute their cybersecurity, instead of relying on one person to manage everything. When that person goes on annual leave, the gap becomes too risky.
Q: Do customers like having access to additional security expertise?
A: They do because, again, customers are challenged to acquire, develop, and retain qualified security staff. Our customers are comfortable with a hybrid approach, where they manage certain security functions themselves and outsource other functions, for example, phishing defense. By offering the Cofense suite of phishing defense solutions, we can demonstrate that we’re a partner who is invested in understanding and strengthening their security.