CMI #3 - Anti-Phishing

Mike P

Terms You Might Also Hear

  • Business Email Compromise (BEC) (phishing meant to compromise business functions like wire transfers)
  • Spear Phishing (highly targeted phishing attacks against a company or person)
  • Smishing (Phishing attacks over SMS/Text)
  • Vishing (Phishing attacks over the phone)

Problem Statement

  • Phishing targets organizations of all sizes and people of all walks of life. The attacks can be both opportunistic and targeted depending on the motives of the attackers.
  • Phishing attacks are largely based on financial motives, and no one is immune to receiving this kind of security threat in business and personal life.
  • Many experts cite phishing as the first phase of most attacks leading to ransomware, business email compromise, extortion, and fraud.
  • Some studies purport that phishing attacks account for 90% of all data breaches.
  • Identifying, preventing, and responding to phishing attacks is a priority for most organizations, but little can stop the constantly shifting flow of malicious email.
  • Phishing and email attacks are not only increasing, but they’re also evolving. They are a part of life on the Internet.

Market Solutions

Enter the Anti-Phishing product market space.

  • Phishing, and people’s susceptibility to it, means the product market space views this issue as a “human problem.”
  • Solutions either have to teach humans how to not be tricked so easily, or they have to accept that humans will be tricked and try to address the problem with technology behind the scenes.
  • Solutions in the anti-phishing space can take on different forms, and many organizations use most or all of these:
      • Content Disarmament - by far the most common approach, these tools sit in the flow of mail (between the sender and the recipient) to intercept, inspect, unpack, and potentially detonate malicious payloads such as links or attachments. They stop bad emails before they reach the recipient. These tools are often cloud-based and evaluate each link individually.
      • Simulated Attacks - platforms that allow a company to send “safe” phishing emails, SMS messages, and phone calls to employees as a means for training and awareness. These simulations are used to show how susceptible people are to phishing attacks.
      • Phishing Awareness Training - learning and development platforms that educate employees using an online course format and simulated exercises to spot the signs of phishing. These courses are tailored to an individual organization to train employees on spotting phishing attacks and handling them at their company.
      • Job Supplementation - digital and physical assets like posters, signs, stickers, and desk cards that give employees constant reminders to be aware of phishing. Anti-phishing requires constant vigilance, so the goal here is to ingrain awareness and how to respond safely.
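To make the “content disarmament” category concrete, here is an added illustration (not code from the newsletter or from any vendor) of the static half of what such a gateway does: parse a message in the mail flow, pull every link out of the text and HTML parts, list the attachments, and return a deliver/quarantine verdict with reasons. The blocked extension list, the allowed link domains, and the two sample messages are constructed assumptions for the demo; a real product would additionally detonate suspicious links and attachments in a sandbox, which this example does not attempt.

```python
"""Minimal mail-flow content inspection, illustrating the static checks a
"content disarmament" gateway performs. Added example, not vendor code.
The policy lists and the sample messages below are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed policy: attachment types a gateway would commonly hold or block
# outright (constructed list, not any product's default).
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}

# Assumed policy: link hosts the organization has explicitly trusted.
# Anything else is treated as unknown and sent for review.
ALLOWED_LINK_DOMAINS = {"example.com", "intranet.example.com"}

# Bare URLs in text, plus href targets that may hide behind display text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(msg: EmailMessage) -> List[str]:
    """Collect URLs from every text/plain and text/html part of the message."""
    links: List[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # multipart containers and binary attachments are skipped
        body = part.get_content()  # transfer encoding and charset are decoded here
        links.extend(URL_RE.findall(body))
        if ctype == "text/html":
            links.extend(HREF_RE.findall(body))
    return list(dict.fromkeys(links))  # de-duplicate, keep first-seen order


def extract_attachments(msg: EmailMessage) -> List[str]:
    """Return the filenames of all non-body parts (attachments)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def inspect_message(raw: bytes) -> Dict[str, object]:
    """Inspect a raw RFC 5322 message and decide deliver vs. quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []

    links = extract_links(msg)
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_LINK_DOMAINS:
            reasons.append(f"unknown link host: {host}")

    for name in extract_attachments(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")

    return {
        "verdict": "quarantine" if reasons else "deliver",
        "reasons": reasons,
        "links": links,
    }


def build_sample(html: str, attachment_name: Optional[str]) -> bytes:
    """Assemble a constructed multipart message for the demonstration."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Constructed sample message"
    m.set_content("Plain text fallback")
    m.add_alternative(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample(
        '<a href="https://login-example.co/reset">Reset your password</a>',
        "invoice.pdf.exe")
    benign = build_sample(
        '<p>See <a href="https://intranet.example.com/policy">the policy</a></p>',
        None)
    for raw in (suspicious, benign):
        print(inspect_message(raw))
```

The checks are deliberately simple so the flow is visible: a text/html part is scanned both for bare URLs and for `href` targets, because the display text of a link is exactly what a phishing message controls. Running the script shows the first constructed message quarantined for an unknown link host and a blocked attachment type, and the second delivered.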

This is a free issue. Check out Product Trend Reports to get additional Predictions, Opportunities, and Insights in each issue as well as extra coverage on who these products are right for, what defines a good platform, and so much more!

Players in the Space

Product Space Predictions

  • With COVID-19 and remote working becoming more of a norm, many companies will have to extend the reach of their security capabilities into employee home networks, which, with their unmanaged and untrusted routers, printers, gaming consoles, and home IoT devices, are arguably more hostile than a traditional corporate network. A successful phishing attack that compromises one device on the home network can pivot to other devices on that network, including the corporate managed laptop.
  • Since phishing doesn’t have a work-life balance, remote employee protection, especially for high-profile executives, will be on the rise. Look for a rise in vendors and products that can serve both corporate laptops and personal devices with the same level of visibility and protection. There are obvious privacy concerns here.

“The best offense is a good defense”

Unknown, on Anti-Phishing (probably)

Product Space Opportunities

  • Go multi-threaded. As a buyer in this space, you’ll need to deploy social, psychological, and technological means to keep your organization safe from phishing. One solution will not be enough, so think Defense in Depth.
  • Look for bundles where it makes sense. As mentioned in a previous issue, corporate buyers can rarely buy the best of the best. Bundling anti-phishing with Endpoint Detection and Response (EDR) platforms can increase your security observability where most attacks happen by volume - on an employee’s computer.
  • Make simulation content dynamic. Most phishing simulation platforms are just versions of MailChimp. Instead of sending a singular email campaign to a list of users, make a platform that allows for randomization and customization. Send multiple emails with variations of domains and email bodies to make them harder to detect like real phishing emails.
  • Make it interactive. Train employees the same way you train developers not to write insecure code. Solutions that offer immediate feedback and training at the time of the click, or inside the email client, teach users at the point where it matters most. This will be far more effective than the once-a-year training that employees speed-click through to the end.

Key Insights

  • A good anti-phishing program is still only a small piece of the overall cybersecurity puzzle. This is one of the most important pieces, but you can’t overlook or neglect strong identification and protection defenses elsewhere.
  • Anti-phishing solution implementations require nuance. Disrupting the user experience for the sake of security carries a real risk-versus-reward trade-off, but it just might be worth it to reduce phishing attacks.
  • Rolling out a successful anti-phishing program is more about constant change management than about the technology itself (as with most technology rollouts). You want behaviors to change, which is the hardest thing to do. Take a page from the experts on change management.
  • Don’t “name and shame” with phishing simulation metrics to drive better end user compliance and awareness. Showing month-over-month click rates by department or line of business isn’t useful to anyone.


Want More?

Looking for more insights and analysis? Check out Product Trend Reports, where you’ll find:

  • 4 Predictions for the product space (100% more)
  • 8 Opportunities for the market to capitalize on (100% more)
  • 6 Key Insights for players and buyers to win (50% more)
  • Plus the extra Pro Positions section with even more!