Company News

One California law firm was the target of a serious phishing attack one week after employees received training, she said. Because of the training, the staff was sensitized, an alert went out and the firm averted a breach.

John Simek, Sensei vice president, noted that spam filters and other software can help firms fight phishing scams, with some programs converting attachments to PDF files and changing all incoming links. He cited Microsoft’s Office 365 Advanced Threat Protection and similar offerings from other software vendors, including Proofpoint. Even then, he said, training is important, and software can have flaws.

“Just because you have the technology in place, don’t think you’re bulletproof,” Simek said.

Penetration testing, or hiring an ethical hacker to break into the network, is an effective way to find vulnerabilities, according to Sensei’s founders, who said it is critical to find people with proper certifications. These can include training from the SANS Institute, a certified information-systems security professional designation from ICS², or a certified ethical hacker certification.

“This is the most dangerous kind of security testing that is done,” because things can go wrong unintentionally, Nelson said.

While penetration testing may be too costly for very small businesses, Nelson recommended that companies of any size hire an independent third-party vendor to

conduct a security audit to identify vulnerabilities and make recommendations to address critical problems. Company leaders should know that IT professionals are not necessarily trained in best practices for analyzing and improving a company’s security posture, Simek said.