Old Mutual Wealth CISO discusses scourge of phishing attacks and cloud concerns

Ben de la Salle says firm seeing more phishing attacks aimed at mid-ranking staff

Phishing attacks are becoming more subtle and are increasingly aimed at all areas of a business, not just top-level executives, according to the CISO of investment firm Old Mutual Wealth.

Speaking at the Investment Week Cyber Security Strategy Briefing event, held in partnership with Computing, Ben de la Salle explained that while top-level staff are still targeted, so too are more mid-ranking employees.

"We have had experience where a PA has responded to what they think is an email from the CEO asking for the CFO and then they reveal that person is away, at the hospital or something, and that provides additional information to that person [the hacker]," he said.

"But we've also found them working much further down the chain. They impersonate people that would be in the position to ask for something to be processed and they sometimes even follow up an email with a phone call saying ‘as per my email’ and so on."

De la Salle said his firm aims to make all staff aware of the threat, and even goes so far as to send out fake phishing emails to employees to see who responds.

"We are educating them and tell them what to look out for and not to reply but it's hard to stop sometimes because it's so simple."
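The impersonation pattern de la Salle describes, an email that borrows a senior person's name so that a request to "process something" gets actioned, is exactly what a mail gateway or SOC rule can look for before the message ever reaches a PA. The following is an added example written for this page, not code from Old Mutual Wealth or from the briefing: it checks a message's headers for a display name that matches a known executive but comes from the wrong address, a Reply-To that leaves the corporate domain, and a sender domain that is a lookalike of the firm's own. The executive roster, the domain `example.com` and the sample messages are all constructed for the example.

```python
"""Flag inbound mail whose headers suggest executive impersonation.

Added illustration; the roster, domain and sample messages are constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the firm's real mail domain

# Assumption: the people whose names an attacker would borrow, with the
# address each of them actually sends from.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}


def _normalise(name):
    """Lower-case a display name and collapse 'Doe, Jane' style spacing."""
    return " ".join(name.lower().replace(",", " ").split())


def _edit_distance(a, b):
    """Plain Levenshtein distance; the strings here are short domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(candidate, target):
    """True if candidate is a homoglyph or one-typo variant of target."""
    def fold(s):
        for bad, good in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
            s = s.replace(bad, good)
        return s
    a, b = fold(candidate), fold(target)
    return a == b or _edit_distance(a, b) <= 1


def check_message(raw):
    """Return the list of impersonation indicators found in a raw message.

    An empty list means nothing suspicious was seen in the headers.
    """
    msg = message_from_string(raw)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # 1. A known executive's name on an address that is not theirs.
    name = _normalise(from_name)
    if name in EXECUTIVES and from_addr != EXECUTIVES[name]:
        reasons.append(f"display name '{from_name}' belongs to "
                       f"{EXECUTIVES[name]} but address is {from_addr}")

    # 2. From claims the corporate domain but replies are steered elsewhere.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = reply_addr.lower().rsplit("@", 1)[-1]
        if domain == CORPORATE_DOMAIN and reply_domain != CORPORATE_DOMAIN:
            reasons.append(f"Reply-To {reply_addr} leaves {CORPORATE_DOMAIN}")

    # 3. Sender domain that is a near copy of the firm's own.
    if domain and domain != CORPORATE_DOMAIN and _lookalike(domain, CORPORATE_DOMAIN):
        reasons.append(f"sender domain {domain} resembles {CORPORATE_DOMAIN}")

    return reasons


# Constructed sample messages (headers only; bodies are irrelevant here).
SAMPLE_IMPERSONATION = """From: Jane Doe <jane.doe@examp1e.com>
To: pa@example.com
Subject: Urgent payment, please process today

"""

SAMPLE_REPLY_TO = """From: John Smith <john.smith@example.com>
Reply-To: <accounts@mailer.test>
To: pa@example.com
Subject: As per my email

"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: pa@example.com
Subject: Diary for next week

"""

if __name__ == "__main__":
    for label, raw in (("impersonation", SAMPLE_IMPERSONATION),
                       ("reply-to", SAMPLE_REPLY_TO),
                       ("legitimate", SAMPLE_LEGIT)):
        print(label, check_message(raw) or "clean")
```

The check is deliberately header-only and heuristic: in production it would sit alongside SPF, DKIM and DMARC results and a directory lookup rather than a hard-coded roster, and a display-name match on its own should raise a warning banner for the recipient rather than block the mail, since executives do occasionally write from personal addresses.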

De la Salle went on to discuss security in the cloud, revealing that he still has concerns about losing control of company data.

"There are lots of cloud security providers offering protection from zero days and so on and they do that by saying they will inspect files and ID them if they appear malicious. That's great, but then you say to them ‘what happens to that file when you've processed it?’ and they say, ‘oh we keep it’ and so then you're having to ask, well how do you store that, where is it kept, and so on and you've lost control over that data."

At the same event the CISO of market research firm IHS Markit said firms should make top-level staff understand the risk from phishing attacks by showing them how attackers comb social profiles for the information that lets them pass as those executives in a social engineering attack.