Earlier this week, the Anti-Phishing Working Group (APWG) released its Phishing Activity Trends Report for Q4 of 2015, which “analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization’s website and by e-mail submissions.” The purpose of this report is to get an understanding of how phishing attacks are evolving, spreading and impacting private enterprises, government organizations and individuals.
This report shed some light on just how big a problem phishing is in the United States. According to the APWG findings, 14 million new malware samples were captured, 158,574 phishing attacks were observed, and the USA remained the top country hosting phishing-based Trojans and downloaders in Q4 of 2015 – just a three-month period.
This is a real concern for companies since phishing attacks can lead to the compromise of credentials that truly give hackers the “keys to the kingdom” on company networks. They can also lead to the theft of employee or customer data, and even intellectual property. This can result in many serious costs to the enterprise – in revenue, customer loyalty and brand perception.
One local company in the National Capital region is working hard to battle phishing attacks and help companies mitigate the threat and impact of phishing across their organizations. PhishMe, which is based in Leesburg, VA, is the leading provider of threat management for organizations concerned about human susceptibility to advanced targeted attacks.
The company’s COO, Jim Hansen, will be presenting at the Technology Showcase during the 2016 Mid-Atlantic Growth Conference, where he will discuss the company and its solutions.
To learn more about how PhishMe’s solutions empower employees to be an active line of defense against spear phishing, malware, and drive-by threats, we sat down for an interview with Jim. Here is what he had to say:
MAGC: Can you tell our readers about your background in information security and the federal government, and how that background prepared you for your role at PhishMe?
Mr. Hansen: For 11 years I was a federal agent. During that time I had an opportunity to work on a variety of highly publicized cases both in the United States and globally. During my time as Deputy Director of Computer Crime Investigations for the Air Force Office of Special Investigations, I was deeply involved in investigating attacks against Department of Defense systems around the globe.
These experiences provided me with a first-hand look into how the most advanced attackers operate and why they tend to rely on techniques such as phishing to penetrate networks and steal data. More importantly, I learned what it takes to defend against the world’s most sophisticated and successful threats.
MAGC: How large of a challenge is phishing to enterprises today? What role does phishing theft play in cyberattacks? Can you give our readers some examples of recent, high-profile cyberattacks that were caused by phishing?
Mr. Hansen: Phishing is the attack technique used most by cybercriminals and nation-backed players today. Estimates show that it accounts for more than 90 percent of all data breaches, ransoms and systems takeovers.
Phishing has led to massive breaches that have been highlighted in headline after headline. Recently, it has taken center stage as it was a key component in the attack that forced Hollywood Presbyterian Hospital to pay a $17,000 ransom in Bitcoin to retrieve its own data. In Ukraine, hackers used a phishing email to gain access to power facilities and were then able to cut off electricity to hundreds of thousands of people.
Financially, we estimate that phishing attacks account for hundreds of billions in losses annually. In fact, several U.S. publicly traded companies were forced to disclose in their 10-Q filings losses of over $40 million each from wire transfer phishing attacks.
MAGC: The cybersecurity market is extremely hot right now in light of huge breaches that have impacted government agencies and private companies in the past year. What differentiates PhishMe from other security solutions and services? How does PhishMe help eliminate phishing attacks and protect enterprises?
Mr. Hansen: Many cybersecurity providers that have entered the market over the past several years rode in on the huge funding wave that is now starting to ebb. A number of them have delivered some needed benefits to market, but almost all of them, without exception, have overlooked the most critical link in the cybersecurity chain — humans.
We are the only cybersecurity company providing a fully integrated human phishing defense solution. With PhishMe, more than 700 enterprises and government agencies are conditioning millions of employees to detect and report phishing threats, gathering human-vetted attack intelligence, and automating incident response. This powerful combination has allowed our customers to stop phishing attacks from turning into devastating data breaches, helped them to avoid becoming victims of fraud and extortion scams, and turned their employees into a line of defense that no machine can match.
Sooner or later, attackers are going to land phishing emails in the inboxes of employees. If organizations have prepared their people to identify, report, analyze and respond to these threats, they’ll greatly reduce their chances of ending up in headlines.
MAGC: Phishing and cybersecurity is obviously an issue that cuts across multiple sectors – including public sector and private enterprise. Where is PhishMe currently seeing the most market adoption? Are most PhishMe customers from the public sector, or are private enterprises also working with PhishMe?
Mr. Hansen: Phishing is widespread, and the public and private sectors are acutely aware of how damaging it is. As a result, we’ve seen huge adoption across both markets.
Our customer roster has swelled to more than 700, which includes 45 of the Fortune 100. We’ve experienced 892 percent growth over the past three years and are on a trajectory to surpass $25 million in annual recurring billings.
Demand for PhishMe has landed us on the Inc. 5000 and Deloitte Fast 500 lists of fastest growing private companies and we are continually recognized by industry awards.
MAGC: Are there particular industries in the private sector that PhishMe views as target markets or verticals? What trends and factors are driving enterprises in these industries to embrace solutions to combat phishing attacks?
Mr. Hansen: PhishMe is used extensively by the energy and utilities sector, within financial services, in the government and defense industrial base, among healthcare organizations, in the legal profession, by media companies, and in retail.
Phishing is the most widely used and successful attack method and there isn’t a public or private sector organization that hasn’t experienced a related attack. This is why we are in demand by virtually every industry that needs to protect its systems and data against phishing attacks.
MAGC: What does the future look like for PhishMe? As users get more educated on phishing and cyber hygiene, is there concern that phishing attacks will become less effective and the company’s solutions less essential? Or are malicious actors becoming too sophisticated and staying ahead of the learning curve?
Mr. Hansen: Giving as many employees as possible the power to identify and report attacks through experiential conditioning is part of what we do. Our ultimate goal is to give organizations the ability to turn all of their people into an effective line of defense against phishing threats. This isn’t something that can be accomplished through a one-time simulation or occasional research project. The only way any organization is going to stay on top of phishing is through constant conditioning, employee engagement, accurate intelligence, and smart response.
Football teams that win the Super Bowl consecutively do it because they continue to work hard, even when they reach the top of the hill. Those that decide to take it easy after winning the Lombardi Trophy typically don’t do so well the next season. Cybersecurity is much the same: you might beat an attacker one day, but if you don’t stay sharp, you are going to lose the next.
MAGC: You’ll be attending the upcoming Mid-Atlantic Growth Conference and presenting PhishMe during the conference’s Technology Showcase. Why was PhishMe interested in participating in this year’s event? What benefit does the company get from attending? What can attendees expect to learn about PhishMe and the state of the security industry?
Mr. Hansen: PhishMe is thrilled to have an opportunity to participate in this event. In addition to it providing us with an opportunity to raise our visibility in the region, it also gives us a chance to increase awareness about the critical role humans play in defending against phishing attacks, which are costing enterprises hundreds of billions of dollars in damages every year.