Taking place on October 18 and 19 at ExCeL London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.
Jonathan Craven is Privacy and Compliance Lead, UK/Europe at iRhythm Technologies, a US-based healthcare tech company where he heads up privacy strategy and compliance process implementation, as well as championing the “Digital First” approach.
Jonathan appears at #RISK London on a panel debate to talk through phishing attacks, their speedy evolution, and how organisations can offset risk. Below, Jonathan takes us through his professional journey so far and introduces some of the key points of his forthcoming #RISK London session.
Social Engineering: How Phishing Attacks Are Getting Better, and What to Do About It
Wednesday 18th October 2023, 14:00 – 15:00 BST
Could you briefly outline your career so far?
It’s been somewhat unconventional, to say the least. My academic background is in psychology, and I’ve spent most of my career to date with public sector employers – the police, local government and the NHS – working in a variety of information governance, data protection and cyber security roles. More recently I’ve moved into the commercial sector, with a healthcare tech company as their privacy and compliance lead for the UK and Europe.
While it’s not necessarily a ‘traditional’ route into cybersecurity and privacy, it’s become increasingly apparent to me that much of what we want to achieve in those areas is actually a form of applied psychology – understanding what motivates people to do (and not do) certain things; applying an understanding of normal human thinking to designing business processes and software tools to maximise appropriate behaviours; creating training that employs fundamental learning approaches and supporting tools to optimise the efficacy of that training. In that regard, I often think of myself as a “Cyber Psychologist”.
I feel that the industry is currently experiencing a boom, with far more jobs available than there are appropriately skilled people to fill them, and that’s in stark contrast to when I first started in this industry, as roles were much less commonplace then.
I also think that the profile of these types of roles has risen significantly in recent years, partly driven by circumstances, such as the pandemic and the drastic rise of cybercrime, but also by an increasing awareness that effective privacy management and cybersecurity are business-critical.
Could you describe the current phishing attack landscape – what are the latest methods being employed by threat actors to subvert organisational security?
It’s notable that nearly half of these attacks were targeted at traditional public-sector verticals – healthcare, government and education – demonstrating that threat actors are well aware that these sectors traditionally struggle with investment into cyber security when compared with other commercial sectors, and could therefore be more vulnerable to this kind of attack.
It’s also apparent that threat actors are increasingly imitating well-known brands in an attempt to confuse email recipients into parting with security information, with Microsoft, OneDrive and Binance all being commonly-observed in phishing attacks.
There is also evidence of a growing use of phishing “kits” and AI tools to create increasingly effective phishing campaigns, which are much harder for a recipient to identify and consequently avoid. Also, phishing attacks themselves are continually evolving, with vishing and smishing threats now being more common, along with increasingly complex ‘Adversary in the Middle’ (AiTM) attacks potentially capable of bypassing MFA security.
In all, the cyber threat landscape has never been more varied, or more difficult to combat, which places a significant responsibility back onto organisations to ensure that they are able to robustly deal with such threats, which may see them having to move beyond traditional technical solutions and onto more holistic responses.
What are key strategies businesses should be employing in order to mitigate phishing attack risk?
There are never going to be enough cyber security professionals to deal with the ever-expanding and mutating cyber-threat landscape, so I’m always a strong advocate of businesses empowering their whole staff group to combat threats.
This is obviously a little easier said than done, but a firm foundation can be built by progressively raising awareness of and responsiveness to potential threats as a starting point.
At the very least, this should usually entail businesses moving away from relying on the traditional annual cyber security ‘knowledge check’, and towards a more “drip feed” approach – providing regular bite-sized pieces of information and awareness about how to spot phishing threats and how to deal with them safely, alongside establishing and reinforcing a robust reporting and remediation culture, to encourage staff to report things they are unsure or concerned about.
Cyber teams shouldn’t be the police to the rest of the staff group in this regard – obviously if something has gone wrong, it needs to be fixed, but in the long term it’s more beneficial to promote a supportive and collaborative working environment, where cyber professionals can assist staff in mitigating errors and helping them to learn from any mistakes that are made, rather than waste time looking for somebody to blame.
This isn’t to discourage accountability for deliberately malicious or negligent behaviour – rather the intent is to foster a reassuring environment where cyber SMEs can advise and support other staff members. That way, you are positively reinforcing good reporting and awareness behaviours, and making staff your allies, rather than them being concerned about reporting something for fear of reprisal.
In the end, the sooner you can get the whole staff group well-educated and aware about phishing threats, the sooner you will have many more allies in your battle against them.
Don’t miss Jonathan Craven discussing these issues in depth in the #RISK London panel debate: “How Phishing Attacks Are Getting Better, and What to Do About It”.
With more and more data available about potential targets, and increasingly advanced methods to impersonate trusted individuals, it can sometimes feel like security teams are fighting a losing battle against social engineering.
But as threat actors develop better tools for tricking employees and consumers, security experts develop more sophisticated methods for stopping them.
This session examines the various technical and organisational measures that your organisation can implement to defend against phishing – one of the most pervasive and effective security threats.
Also on the panel:
- (Host) Federico Iaschi, Head of Cyber Resilience and Observability, Virgin Media O2
- Dr. Vasileios Karagiannopoulos, Co-Director of the Centre for Cybercrime and Economic Crime, University of Portsmouth
- Tina Forrester, Data Protection Officer, Liverpool John Moores University
The event unites thought leaders and subject matter experts for a deep-dive into organisational approaches to handling risk. Content is delivered through keynotes, presentations and panel discussions.
Session: How Phishing Attacks Are Getting Better, and What to Do About It
Location: Security Theatre
Time: 14:00 – 15:00 GMT
Date: Wednesday 18 October 2023