Dangers of Phishing
Who is Agio and what services do you resell?
Agio is a managed IT and cybersecurity services firm, focused specifically on the alternative investment space. We are a user and reseller of Intermedia as well as Intel Security, among other partners. Our full suite of services includes Remote Monitoring & Management of client infrastructure, End User Support, Hosted Solutions such as Managed Backup, Private Cloud Offerings, and Managed Disaster Recovery. We also have a deep cybersecurity practice, providing clients with Managed Security, Consulting, Policy Writing & Development, and Assessment work, such as Risk Assessments, Penetration Testing, Vulnerability Assessments, etc.
Since you focus on cybersecurity, what do you do to help your clients?
We spend a significant amount of time educating our hedge fund, private equity and other asset management clients. People don’t know what they don’t know. We just conducted an email phishing campaign for a client, who wanted a “Capture-the-flag” exercise. Our security team deployed a phishing test, determined their vulnerabilities and then were able to penetrate their network. We accessed their servers, viewed their browser history and logged in as an internal user to view proprietary documents; all of which we then presented to the client as the results.
Our objective here is always to raise awareness within the organization of the dangers and impact of phishing, if executed successfully. Sometimes we have to go to these lengths to really open management’s eyes to the dangers and risks of an attack.
It’s highly effective.
What best practices do you recommend your business clients employ to help with user education?
There are a few different things: obvious spelling errors, emails that prey on your emotions or create urgency, modified URLs, and nonspecific to/from fields. Almost as important, we teach our clients to slow down and think about the email; ask yourself things like, do you normally receive an email from this organization? Is this something that’s out of the ordinary? If the email asks you to do something, rather than clicking the link in the email, we recommend logging into your account to execute what the email is requesting. That way you can verify the sender’s legitimacy before clicking on something potentially malicious.
Those are the biggies. We also use McAfee ClickProtect, and I love the extra layer of protection it provides behind the scenes. When you’re having a busy day and are quickly running through emails, it’s so much easier to fall prey to phishing. I really sleep easier knowing I have ClickProtect to add that second layer of protection; so much so that I wish I had it on my personal accounts as well.
Have you found that there are particular industries that are more or less susceptible to these types of attacks?
It’s really an opportunistic threat profile. If you think about it from the bad actors’ point of view, they’re casting as wide a net as possible, dropping phishing emails left and right to see who bites. I think as they become more sophisticated, they’ll start targeting firms with more access to funds. To that end, we certainly think the financial services community will be one of the first to experience more direct, targeted attacks. However, overall, we still feel it’s a pretty opportunistic game; there are a lot of phish in the sea, so to speak.
How do you and your team stay current on some of the latest security trends?
Great question. Among other boards and forums, we’re a member of the FS-ISAC organization, specific to the financial services community, which shares data among various organizations, from service providers to the actual end businesses that are impacted. We’re also constantly participating in roundtables and other security forums to understand the evolution of the threat landscape.
Staying educated on trends will always be a challenge for any firm, but staying on top of it is really the only way you can intelligently defend your environment.
How concerned do you think businesses should be about phishing?
Businesses should absolutely be concerned and aware of this issue. At our hedge fund and private equity clients, we see these kinds of phishing attacks every day. Every C-suite and every board member at a firm should be able to answer the question, “What are you doing around your cybersecurity policy? Specifically, what are you doing to protect against phishing, spear phishing, etc.?” They might not know the intricacies of the application and technology or when the training actually takes place, but they should understand the key tenets of it, like “We conduct training twice a year.” They should have that on the tip of their tongue, but I think we’re still a long way from that.