“By definition,” wrote Corey Nachreiner, director of security at WatchGuard, in ReadWrite Hack, “APTs often employ new techniques for which counter-measures and defenses may not exist.” The implication is that once an organization has been singled out by an APT, its existing controls offer little protection against the intrusion. Furthermore, he added, “APTs have started to infiltrate small- and medium-sized businesses (SMBs) at an alarming rate. And they are proving to be just as devastating, regardless of the size of the organization or the motive for the attack.”
In a separate report published mid-November 2012, Trend Micro noted “that 91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.”
Taken together, these statements imply that a company of any size that cannot defend its own staff against targeted phishing is unlikely to prevent a network breach once an APT turns its attention to it. Defending the user against phishing therefore becomes a primary line of security defense. What is not always appreciated, however, is the sheer scale of the phishing problem.
Scott Greaux, vice president of product management and services at PhishMe said today, “Nearly 60% of employees receive phishing emails every day, so clearly technical controls are failing to stop these messages as they pass through the system.”
The bottom line is that it is the user who is both the weakest point and the strongest resource in the defense of corporate networks. The problem, continues Greaux, is that “for many companies it is purely down to luck if that employee responds. Our research shows that almost 60% of people will fall for a well-designed phishing email – opening your systems to the criminals and hackers.”