A conversation with Trend Micro’s John Ross Hunt

This interview is part of our Cybersecurity Insights Series, where we tap our partners and industry experts for the latest trends, thoughts, and predictions for cybersecurity and beyond.
In an age of artificial intelligence, deep fakes, and cyberattacks capable of shutting down thousands of miles of pipeline and infiltrating the U.S. government, it’s remarkable that human beings still play a pivotal role in cybersecurity. John Ross Hunt is a product manager at Trend Micro, and he’s intimately familiar with the integral human element in cybersecurity. From his experience working on Phish Insight at Trend Micro (a security awareness training solution that helps employees identify and repel phishing attacks) to his many years of product development in the industry, John is an authority on emerging cyberthreats and what companies can do to prevent them. 
He generously took the time to talk with us about how cyberattacks are evolving, risk evaluation, employee engagement, and many other subjects. 
ML: How has COVID-19 affected cybersecurity, and what should we expect as we enter the post-COVID era? 
JRH: Our threat researchers are always looking ahead to identify what’s coming next. Martin Roesler, who heads up our Forward Looking Threat Research, recently published an article about the post-pandemic security landscape, and it’s worth a read. One of the focus areas is the emerging importance of vaccine passports as a key part of our digital identity and how this will be exploited by cybercriminals. Our shopping experiences are also changing, with far more emphasis on cashless retail and digital wallets. This will result in bad actors probing to find ways to take advantage of new behaviors. Organizations are also increasingly adopting a Zero Trust mentality to secure their ever-expanding digital operations.
ML: Which emerging attack vectors are you most concerned about? How can companies address them? 
JRH: There’s been huge growth in threats targeted at IoT devices, while supply chain attacks are also an emerging theme with attackers infiltrating connected suppliers to get access to large companies. Investing in the right solutions to protect organizations as their digital footprints expand should be a priority. But there’s no single solution that can guarantee 100 percent protection, which is why investing time and resources into security awareness solutions at the employee level should be vital for businesses. We still see a lot of companies that consider their security awareness testing and training as a once-a-year activity rather than something embedded in the culture of the organization and continuously reinforced throughout the year. 
ML: Could you talk about how phishing has evolved over the years? 
JRH: The goal of phishing hasn’t really changed since its inception. But the consequences – especially in terms of financial damage to individuals and business – continue to grow at an alarming rate. Our researchers have seen some changes in social engineering in recent years. Bad actors can leverage artificial intelligence to make their scams far more believable compared to what they had before. The use of deepfakes in video, audio, and text to help with extortion is happening now and will only become more of a concern in the coming years. These attacks are also very scalable, which means more personalized and targeted attacks against more people.
ML: What are some of the most important innovations in cybersecurity, particularly when it comes to awareness training? 
JRH: How we evaluate employee risk is evolving quickly. Risk was traditionally calculated by tracking clicks in phishing simulations or how many times employees attended training. A more holistic approach is emerging where many new sensors can analyze data to provide a more well-rounded view of risk. These data points include: how often employees report phishing emails to their infosec team, how many times they’ve engaged with real attacks as detected by email security products, what’s their role and tenure, and so on. All this data can provide valuable insight when organizations are evaluating their cybersecurity posture. This is something we’re putting more focus on with our Phish Insight product.
ML: Which pain points do your customers cite most often with cybersecurity awareness solutions? 
JRH: We have a great library of training materials available on Phish Insight, and our NINJIO content is a critical part of what we offer. I say this because one challenge customers have is finding a training experience that employees will engage with enthusiastically rather than seeing it as a chore or a distraction from all the other things they have to do. When the experience is engaging and interesting, it can make a big difference in getting employees to buy into a security awareness program. 
ML: What gaps in the cybersecurity space does Trend Micro fill? What can we expect from the company in the coming months and years? 
JRH: At Trend Micro, our core competencies were always focused on the technology and services that protected endpoints, email, the network, and the cloud. Phish Insight was launched to offer a solution to help the human that sits behind all of this technology. Our goal with this product is to make sure that all employees have the knowledge to protect themselves and their organizations from the latest cyberthreats. 
Providing great content, both from a training and simulation perspective, will continue to be a focus for us. We’re also improving the insights we offer customers so they can easily identify their risk areas and address them in a dynamic and automated way. 
ML: Have you noticed any change in the level of demand for cybersecurity training content? 
JRH: Demand for training is growing as more and more customers understand its importance in their overall cybersecurity strategy. As one would expect, we saw a spike in interest in content that trained people on the threats related to working from home. We also saw growth in requests for simulated attacks related to collaboration tools like Microsoft Teams and Zoom. 
ML: What are the implications of the transition to remote work for cybersecurity (especially with regard to employee behavior)? 
JRH: As many countries reopen with varying levels of restrictions, there’s plenty of evidence that organizations are moving to a blended model of remote and office work. Employees have to realize that their home offices can be targeted by attackers trying to gain access to their company’s critical assets. Employees should always be kept up to date on the latest social engineering tactics, as increasing awareness can close entry points for bad actors. 
ML: How has employee behavior changed over the past few years when it comes to cybersecurity? 
JRH: We’ve recently seen attacks that can really impact people’s day-to-day lives. In Ireland, we had the biggest and most high-profile attack on the government when the Health Service was hacked. This caused the postponement of critical treatments and massive delays in many hospitals. In the U.S., the Colonial Pipeline attack sparked surging demand for fuel and left many without it. This has brought the importance of cybersecurity to the forefront of everyone’s minds – it’s no longer just something that IT people are worried about. I still feel there’s a big gap in understanding when it comes to how these attacks begin. Just one click on a malicious link or download of an infected attachment can trigger a series of events that can bring devastating consequences for individuals and organizations. On a more positive note, there has been a general increase in the awareness of cyberthreats, but organizations need to make sure employees know they’re a critical part of the solution.