Rethinking spear phishing, security training, and social engineering
Last week, I was interviewed by Roberto Popolizio for a feature on Safety Detectives. Below is the content of our interview, where we discuss spear phishing, security training, and social engineering.
Vansec CEO Channy Hong: Rethinking Spear Phishing, Security Training and Social Engineering
By Roberto Popolizio
Whatever you know about protecting your online privacy, cybercriminals probably know that too and are already finding new ways to breach your defenses and steal your sensitive data.
It’s hard for everyday people like you and me to always be on top of threats, vulnerabilities, emerging trends, and overly complex cybersecurity concepts without going nuts. Not to mention the hidden truths no one talks about…
In this new interview series by Safety Detectives, I am talking to cybersecurity experts and business leaders who share untold truths and actionable insights from their experience that will help you be more aware and more effective in protecting your sensitive data while keeping your sanity.
Channy Hong is the Co-Founder and CEO of Vansec, an AI-powered spear phishing simulation and security training platform that accurately reflects the current sophistication of spear phishing attacks by engaging employees with personalized multi-message email conversations and chat-based training modules that deliver personalized post-simulation debriefs as well as lessons on various cybersecurity topics.
What inspired you to pursue a career in cybersecurity? Can you share the story with us?
To tell you the truth, I never had a cool “aha-moment” story like some of the other founders out there. But I would say my general philosophy has been that no matter how digital our livelihoods have become, the digital world at the end of the day exists to serve a certain utility for human end users and it will always be subject to both the greats and bads of being human.
And of course, when it comes to the bads, the possibility of human exploitation by malicious actors scales exponentially to technological advances. So it was a no-brainer to me that there’s massive potential in being the vanguard of human vulnerability management, as our mission is at Vansec.
For context, Vansec is an automated social engineering simulation platform for training employees against sophisticated spear phishing threats. This is just the beginning, however, and our goal as a company is to become the go-to platform for fortifying human defense against the latest threats enabled by the newest technological advances.
Below is an example of a campaign configuration you can set for Vansec’s Simulation AI to simulate a CEO fraud social engineering attack:
What are the most overlooked cyber threats that you see affecting end users in your industry? What makes threats particularly concerning?
I’m probably quite biased on this given what we do at Vansec, but I think low-quantity, highly-targeted social engineering threats (aka spear phishing).
Spear phishing is one of the most talked about threats on the news, but at the same time it comes dead last in terms of the totem pole of cybersecurity spending. This is actually quite understandable from the boardroom perspective, because it can be quite difficult for CISOs to justify spending on security training against a needle-in-a-haystack type threat.
But it only takes one badly compromised individual to existentially threaten the entire organization (e.g. ransomware) and human failure can often trump even the most sophisticated security controls set up within the organization. The commonly cited metric is that 65% of all known hacker groups use spear phishing as their initial attack vector, so it’s a very real threat that isn’t being properly addressed at the organization level.
Data also suggests that spear phishing emails lead to 66% of successful breaches, although they represent less than 0.1% of all emails sent. According to an IBM report, an average breach caused by phishing costs above $4M and spear phishing attack costs can climb as high as $100M.
What are the best ways to prevent and react to these threats?
A carefully thought out security training program is the best way to fortify the human layer of defense at any organization. Of course, this comes with architecting the right training content, the right incentive structure for effective engagement from the employees, and the right cadence for continual awareness and alertness.
However, remember that training is not a solve-all solution, just like everything else in cybersecurity. While crucial, it can still only be one piece of the puzzle. Things like a good email spam filter, robust financial security controls (e.g. approval process for outbound wires), a well-implemented SIEM etc. are all must-haves for any organization with a mature cybersecurity posture.
What are some things that people should STOP doing today because it’s damaging the safety of their data, and they don’t realize it?
Be mindful of data sprawl on the internet, especially in places like social media: simple and perhaps too obvious, but it cannot be emphasized enough. Technology has become extremely effective at both searching and ingesting vast swaths of information available on the internet, which means threat actors are that much more effective at utilizing it against you. We share our personal details on social media too often without considering the long-term implications. Some of us also tend to forget to configure our privacy settings properly. And the more information about you is available online, the easier it is for cybercriminals to target you with phishing and social engineering attacks.
Take these steps to keep your sharing of information under control:
- Limit the type and amount of personal information you share online.
- Regularly review and update the privacy settings on your social media accounts to control who can see your information.
- Before you share anything online, consider the potential long-term impact it may have.
- Regularly search for your name and personal information online to see what’s publicly available. Take steps to remove or secure it.
- Ensure all your accounts are protected with strong, unique passwords to prevent unauthorized access. A password manager can make this much easier.
- Be skeptical of any requests for your personal information, especially from unknown sources. Always verify their authenticity before responding.
What common cybersecurity beliefs and practices do you passionately disagree with? Why?
I know that this is going to be quite a controversial opinion amongst security practitioners but I actually don’t believe in the idea of making security training something that is fun for employees to do, such as through gamification, excess humor, high-budget training videos, etc.
Security training will always be annoying to employees no matter the content or format, and I think YouTube ads are a really good comparison here: if you want to watch your favorite cat video and you’re blocked by a 15-second ad, it doesn’t matter if the ad is low or high quality, it’s going to be super annoying either way.
The focus should be on making the training as effective as possible with as little disruption to the employee’s actual workflow as possible, coupled with a healthy incentive structure for productive engagement.
What other gaps do you see in the current state of cybersecurity awareness available? What can be done to improve that?
No one is offering realistic simulations of sophisticated social engineering attacks, which are especially dangerous mostly due to their hyper-personalization and multi-message engagement.
The effective (and thus dangerous) spear phishing attacks used by threat actors typically involve target research for customization, as well as multi-message engagement for building trust and using psychological schemes (e.g. urgency, authority, etc.).
Industry incumbents like KnowBe4 or Proofpoint offer template-based phishing simulations with light personalization, and I see some startups mixing in AI-based personalization at the individual level (which is great), but to my knowledge, Vansec is the only platform that offers both hyper-personalization and multi-message capabilities for phishing simulations. Below is an example of a multi-message social engineering attack that Vansec can simulate:
Being able to simulate realistic social engineering attacks is crucial for not only training employees but also for stress-testing whether security controls in place can effectively mitigate against potential human failure.
What emerging technologies, trends and new threats do you believe will have a great impact in the next 5-10 years? How can we adapt to these upcoming changes?
Perhaps this is something that is on everyone’s mind these days with breakthroughs in large language models, but in the next 5-10 years, it will become easier and easier to impersonate a human and to do so at a large scale, which means that threat actors will become that much more effective with their human exploitation efforts.
Of course, imagination is the limit as to the exact types of attacks that will emerge in coming years, but my unchanging philosophy is that effective security training coupled with robust security controls will always be front and center of human vulnerability management.
Our goal at Vansec is to stay at the frontier of this changing threat landscape and continually come up with solutions for organizations to effectively mitigate against emerging threats.
To learn more about how Vansec can transform your security readiness, reach out to us at info@vansec.com.