Defense against APTs: technology plus education

Malware, hacking, and other techniques are commonly used by cyber criminals in order to steal data from targeted companies.

Phishing, or trying to obtain usernames, passwords, or other sensitive information by impersonating a trustworthy entity, is part of 95 percent of all state-affiliated espionage attacks, according to Verizon’s 2013 Data Breach Investigations Report. The organization reviewed 47,000 reported security incidents from the year 2012.

This social engineering component can often trump technical methods like malware and hacking because it targets individuals rather than the technology itself.

Verizon’s report points out a critical flaw in companies’ network security, proving that anti-spam technologies are not working 100% of the time. When the spam is delivered, and the targeted individual clicks the link, Verizon’s data is also proving that the web filtering programs are not guaranteeing top security.

The fact that the security tools can’t work every single time emphasizes the importance of a security awareness program. Gary Landau of Wilshire Associates, an investment solutions organization, delivered a presentation on the different methods of defense against APTs to the Los Angeles chapter of the Cloud Security Alliance Wednesday, Oct. 9. He said that despite all the technologies available to defend against these threats, educating employees on security is still paramount.

Phishing awareness allows companies to test their employees, identify which employees fail these tests, and overall raise security awareness. Incident response practices are also a result of security training, as targeted individuals learn to report the phishing emails.

However, even the most sophisticated security awareness programs will not get through to all employees all the time. The trick with spearphishing is that it is a numbers game—someone will eventually click.

Companies that choose technology or education, rather than approaching both, do not mitigate the risk as well as possible. A combination of security awareness plus advanced network security tools and technologies is the best way to defend against APTs.

Any company can be susceptible to APTs. Find the right information security professionals to protect your data through Tiro Security, a leading provider of information security jobs Los Angeles.