The rise in remote working has left employees vulnerable: Recent workforce changes spurred by the pandemic has led to an exponential increase in phishing attacks. Today’s phishing threats no longer rely on simple phishing emails as cybercriminals launch many different attacks, sometimes using more than one threat vector to trap their victims.
Phishing isn’t just in email anymore: Phishing used to be comprised of easy-to-spot phishing emails attempting to trick users with fake log-in pages or scams, but the phishing landscape has changed dramatically.
As a part of our series about “5 Things You Need to Know to Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Patrick Harr, CEO of SlashNext. With more than 30 years of security and cloud industry experience, he directs a workforce of security professionals focused on protecting people and organizations from phishing anywhere. Prior to SlashNext, Harr was CEO of cloud file services provider Panzura, which he transformed into a software subscription company, grew ACV 400%, and led the organization to successful acquisition in 2020. He has held senior executive and GM positions at Hewlett-Packard Enterprise (HPE), VMware, BlueCoat (formerly CacheFlow), and was CEO of multiple security and storage start-ups, including Nirvanix (acquired by Oracle), Preventsys (acquired by McAfee), and Sanera (acquired by McDATA).
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about your background?
I am the CEO of SlashNext, the phishing authority and provider of real-time, anywhere phishing protection services. I have worked in the technology industry for more than three decades, specializing in security and cloud, with a passion to help security professionals focus on protecting people and organizations from phishing anywhere.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I started my career during the early days of the cybersecurity in the mid-1990s. It was an interesting time to dive into the industry by beginning my career at Novell. I was fascinated by what companies could do during that pivotal time to prevent security threats and attacks, as people were starting to spend more time online. Today, the cyberthreat landscape is even more sophisticated and constantly evolving.
Can you share the most interesting story that happened to you since you began this fascinating career?
When I started my career at Novell, we had just launched BorderManager, which was designed as a proxy server, firewall, and VPN access point. Due to this experience, I was fortunate to be interviewed by the Wall Street Journal discussing how the proxy and cache area was exploding into the marketplace. This was a significant moment for me in my early career, since it marked a pivotal time for cybersecurity businesses to determine how to protect sensitive, personal information online with the abundance of sites at the beginning of the dotcom bubble.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
The number one person I would love to thank is my mother. I was born with a retinal disease, which I was diagnosed with when I was 5 years old. My mom always told me, “You can do whatever you put your mind to.” We didn’t have a lot growing up, so she was adamant that I work hard and focus on my education. She believed that you don’t make any excuse for anything you want to achieve in life.
I am also grateful for my grandfather, who I consider one of the best men in the world. He gave guidance, stewardship, and served as a mentor for me. My grandfather was one of 9 children, so he had to work hard in his early life and developed a strong work ethic. He would tell me to, “Work hard and build with teams.” I’ve always been one to work as a team, not as an individual, and to lead by example. It is a combination of my mother and grandfather’s relentless pursuit that pushed me to where I am today.
Are you working on any exciting new projects now? How do you think that will help people?
There is an innovative new transition occurring in the cybersecurity industry from “Phishing 1.0” to a new “Phishing 2.0” approach. Phishing used to be comprised of easy-to-spot phishing emails attempting to trick users with fake log-in pages or scams, but the phishing landscape has changed dramatically. That is why it’s time to move beyond a human defense for cybersecurity, and fight machines with machines. The only way you to effectively stop this dramatic rise in sophisticated phishing attacks is to move from 1.0 reputation-based phishing defense to 2.0 powered by artificial intelligence (AI) phishing defense for business.
Second, the next area of focus is mobile-specific phishing attacks customized specifically for mobile delivery and designed to target iOS or Android. Most phishing vendors have not kept pace with the innovations made by cybercriminals in the mobile space and are still focused on email-based phishing. With the lack of built-in phishing protection within iOS and Android, mobile users are left with no choice but to rely on their security awareness training, which typically does not focus on mobile best practices. The solution lies in using a purpose-built mobile phishing solution to stop these phishing attacks before the damage is done.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
In this age of COVID-19 and remote working, many of us are working harder than ever before at our jobs. Working from home can mean that work can easily blend into your personal time. It’s more important today to have outlets than ever before. For example, one outlet I have outside of my job is coaching basketball for kids — it’s not only a great stress reliever, but it also plays into my competitive spirit. If you ever want to take the best Management 101 class, I’d recommend teaching a group of 4th graders how to play basketball.
The second thing that I do for myself is hike. I make an effort to hike 4–5 miles each day in the mountains either before or after work. It’s a great way to think, process, and set priorities. That was has been one of the benefits of the pandemic for so many people. Asking ourselves: How can we get out of our homes, connect with nature and destress during these very stressful times?
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the cybersecurity industry? Can you explain?
First and foremost, I find the pursuit of keeping people safe from cyberattacks as my passion and top priority. With phishing being the #1 threat vector, it’s essential to stay maniacally focused on protecting users from phishing attacks in today’s threat landscape.
Secondly, I am excited by the ever-changing, ever-evolving environment of the cybersecurity industry. If you ever hear a vendor say that you are 100 percent protected, that is a false statement in our industry. Threat actors are typically highly intelligent people with sophisticated machines that are always thinking of new ways to outsmart and attack. This is why the best way to outsmart machines is with machines, which is why an AI-based phishing defense is key.
And finally, the immense amount of innovation that the cybersecurity industry requires to stay ahead of the curve while challenging is exciting. We are at the confluence of major trends occurring in our industry with innovation in areas such as IoT, big data, artificial intelligence, machine learning, cloud, edge computing, and 5G. All of these areas need cybersecurity to stay safe from actors looking to exploit new technology, so innovation is a necessity.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Complacency is the biggest critical threat in the cybersecurity industry. Many organizations believe that as long as they have a phishing defense that protects against email attacks, then they are safe. However, we have seen first-hand in SlashNext Threat Labs that isn’t enough to secure your organization. Most phishing vendors have not kept pace with the innovations made by cybercriminals and are still focused on email-based phishing. We have seen mobile attacks rise from 2 to 15 percent. We are seeing attacks on social networks, gaming, browser extensions, and more.
The second critical threat is the widening of the attack surface, due to the shift to remote working. Many people are keeping their business and personal life on the same device. It’s not uncommon during the day to go from corporate email to Zoom to Facebook Messenger to personal Gmail and then back to Slack. This unfortunately becomes a backdoor to corporate data and exposure. It’s time to recognize that phishing is not just email — you have to look at the applications you are using each day to thoroughly protect yourself.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Earlier in my career, one of our customers had an employee that had stolen sensitive company data. With the help of a forensics team, we used our toolsets to track the employee’s logs and activity. We were then able to quickly identify who that person was, and legal measures had to be involved since the data taken was highly sensitive. Unfortunately, things can do and happen, so it’s essential to employ a multi-layer security defense to detect and respond to any cybersecurity incidents.
What are the main cybersecurity tools that you use on a frequent basis?
We use a variety of cybersecurity tools at SlashNext. For instance, we have a multi-layer security strategy both inside and outside the perimeter including our AI-based phishing software, next-generation virus defense, malware defense, frontline network defense, firewall defenses, and more. Additionally, we use single sign-on (SSO), encryption, and data at rest services, on top of end-to-end encryption on our data. These are a sampling of the many solutions we employ to ensure our customers and our data is as secure as possible.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It depends on the size of your organization, whether you operate in a regulated industry, and the complexity of the data you are storing. If you have more sensitive data in your organization, then I would recommend looking for a CISO or at the very least a position in-house that is dedicated to security. A higher complexity of data breeds more security holes both inside and outside of the perimeter. If you are a smaller company that has less complex data, then you may not need a CISO right away, and you may be able to outsource your work to a cybersecurity agency.
For organizations of any size, I would also recommend wherever possible using cloud service and SaaS providers that have inherent security defenses built in. For example, AWS is more secure than having your data stored on-premises, due to their stringent data safety protocols, and it’s more cost-effective.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be “amiss”?
The bad news is that the time it takes from system compromise to the time when the target is breached is just minutes. Then data breaches go undetected for 14 to 78 days after compromising a system, giving cybercriminals an enormous amount of time to cause serious damage. In fact, a report by the Aberdeen Group revealed that the likelihood of the first user clicks on malicious emails occurring within 60 seconds was about 30 percent. This unfortunately means that while organizations are slow to detect phishing attacks, users are quick to fall prey.
A Ponemon Institute report that security automation is the most likely way to combat this detection deficit. Automation also enables notification the moment an employee visits an unblocked and previously unknown compromised phishing or social engineering page. Alerting security teams immediately to an event occurs enables them to instantaneously notify the employee, lessening the chance that they or their machine is compromised. All these capabilities help reduce the time to discovery significantly and empower security teams to remediate threats before the compromise has fully taken effect.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
How you respond to the security breach is critical. It’s imperative to be transparent with your customers about what happened and how they were affected. Then, speed is the second most important factor, so that they are made aware as quickly as possible. You will need to address how you plan to prevent another breach from occurring in the future.
Security breaches and crises in general expose the weak spots of businesses. Today’s businesses can no longer rely on a human-only approach to security. Automation and AI built into security processes are key for a multi-layer security defense, and ensuring a business is future-proofed.
At SlashNext, we are fervent believers in privacy — it is our mission to protect users from phishing attacks without comprise. While privacy protection is imperative, I’m not convinced that you have to solve this through complex regulations. I would argue that vendors must provide the privacy aspect of what consumers are looking for. The recent privacy measures, such as GDPR and CCPA, have made business more cumbersome and costly. It’s challenging for companies both large and small, since they have to employ teams to meet the accounting and business compliance that the regulations require. In the future, vendors must solve the core problem of how you ensure the privacy of customers’ data.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Most small and medium-sized businesses believe they are safe from phishing. Yet phishing attacks are the most common cyberattacks taking place each day. Complacency is the biggest mistake in thinking you are secure, and accepting the status quo of security in your organization.
In addition, not taking a multi-layer approach to security is the next common mistake. Thinking that that one size fits all and your business is secure is detrimental. It’s important to classify your data and ask the following questions: What is top secret, private, or public data? How do you tag that data from a policy and sign-on perspective? How do you make that data available for the right decisions? And then how do you protect and backup that data? All of these questions must be answered to have a well-rounded security approach.
Since the COVID19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We’ve seen a 3000% increase in phishing attacks based on our research in SlashNext Threat Labs. This is likely due to the effects of the COVID-19 pandemic, with a rise in remote working causing more individuals having their work and personal devices crossover. We’ve seen the exposure to attacks rise and a much larger surface area for bad actors to attack. There has been a rise in attacks outside of corporate email and onto mobile devices. For example, our research has found that SMS phishing attacks have increased from 2 percent to 15 percent.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?
- Complacency is the biggest critical threat in the cybersecurity industry: Many organizations believe that as long as they have a phishing defense that protects against email attacks, then they are safe. However, this is unfortunately false and opens organizations up to a wide array of cyberattacks.
- The rise in remote working has left employees vulnerable: Recent workforce changes spurred by the pandemic has led to an exponential increase in phishing attacks. Today’s phishing threats no longer rely on simple phishing emails as cybercriminals launch many different attacks, sometimes using more than one threat vector to trap their victims.
- Phishing isn’t just in email anymore: Phishing used to be comprised of easy-to-spot phishing emails attempting to trick users with fake log-in pages or scams, but the phishing landscape has changed dramatically.
- Mobile phishing is the next battleground: SlashNext Threat Labs sees a multitude of mobile-specific phishing attacks daily, customized specifically for mobile delivery, and designed to only work for Mobile iOS or Android. What makes them particularly dangerous is the attack vector is not email but ads and SMS, where most phishing protection is not as effective.
- It’s time to embrace a “Phishing 2.0” approach: It’s time to move beyond a human defense for cybersecurity, and fight machines with machines. The only way you to effectively stop this dramatic rise in sophisticated phishing attacks is to move from 1.0 reputation-based phishing defense to 2.0 powered by artificial intelligence (AI) phishing defense for business.
If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective, and something everyone can do!)
Do a kind gesture every day! It’s rewarding and makes people around you happier. That one act each day can make the world a better place.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!