Paolo Frizzi, Founder and CEO of Libraesva: “There is no ideal ‘one-size-fits-all’ formula for good security”

As Paolo Frizzi, Founder and CEO of Libraesva, knows all too well, the constant battle between good and evil continues when it comes to email-based attacks. Only today, we wrote about the bust of phishing-as-a-service platform LabHost, just in case you need more evidence.

No doubt Paolo’s team at Libraesva welcomed the news of this raid, but it’s like the arcade game Whac-A-Mole. You hit one service, and another one pops up. And now they have AI to help them craft more persuasive phishing attacks.

“By entering simple prompts, hackers can generate templates that mimic emails from businesses and colleagues,” explains Paolo in the interview below. Couple this with attacks using QR codes and “a shortage of skilled IT experts” and it’s as tough as ever, if not tougher, to guard businesses against email attackers.

As the CEO of an award-winning email security firm, however, Paolo offers several ways to fight back in the interview below. And he has form. Paolo’s first business, Libra, provided email and connectivity solutions in Italy, and he wrote the code for its email security virtual appliance.

In 2013, Paolo founded Libraesva to tackle the growing threats to email security, and today it’s trusted by global brands to protect their businesses. You’ll get an idea of why by reading the full interview…

What are the biggest cybersecurity challenges those in leadership roles are facing?

As the primary method of business communication, it’s unsurprising that email has become the key threat vector for cyberattacks. This creates a major headache for leaders who not only hold ultimate responsibility for protecting their businesses and ensuring regulatory compliance but also efficiency. After all, keeping business operations running smoothly depends heavily on strong communication.

While email weaponization isn’t new, the prevalence and sophistication of attacks are growing rapidly with bad actors developing smarter email-based attack methods that can evade traditional defences. QR code-based attacks, for example, which link to fake websites and ask users to enter sensitive personal credentials, are widespread, while the threat of increasingly realistic phishing powered by artificial intelligence (AI) is growing amid the rise of ransomware-as-a-service. To add to these challenges, there is also a shortage of skilled IT experts that leaders need to maintain robust security.

What are some prevention strategies you believe every business should adopt?

Clichéd as it might sound, effective prevention is better than the cure. Companies that want to avoid the potential disruption and expense of enhancing their cyber defences tend to implement a security solution and then stop thinking about the issue. But this is exactly what allows scammers to find weaknesses and launch attacks that systems are unprepared to defend against. The cost of a data breach — estimated at around $9 million — far outweighs the upfront cost of prevention.

Multi-pronged prevention strategies are crucial. Although every company’s processes are unique, vigilance and agility will always be critical.

For instance, constant monitoring will give the visibility needed to quickly detect and investigate potential inbound threats, especially when it comes to email traffic and trends. Defences should also be continuously tested to spot vulnerable areas before cyber criminals do, and then re-tested after reinforcements are made to check gaps have been successfully plugged.




What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good (in cybersecurity)?

Cybercriminals are taking advantage of the easy availability of generative AI and its ability to perform tasks at speed and scale in order to make it harder to distinguish between genuine emails and malicious ones. The prime example is, of course, phishing. By entering simple prompts, hackers can generate templates that mimic emails from businesses and colleagues. 

On the positive side, however, AI is helping to establish safeguards because the huge analytical capacity of machine learning (ML) makes it well-suited to proactively identifying hazards. For example, ML-fueled security solutions can run semantic and behavioural analyses of past communications data and learn what counts as ‘normal’ for certain individuals. By comparing these patterns and traits to current email activity, they can then pinpoint anything that seems out of the ordinary, with threat flags becoming more precise over time as understanding of specific users improves.

Which cybersecurity best practices are being adopted with the most success by companies?

There is no ideal ‘one-size-fits-all’ formula for good security, but some best practices apply across the board. Organisations should deploy a combination of defences on any incoming communications to ensure no threats slip through the net.

Dedicated email security gateways combined with integration into cloud email services, with AI-based protection services layered on top, have proven effective in today’s challenging security environment.

Protocols such as DMARC (domain-based message authentication, reporting, and conformance) provide an effective way of detecting phishing and spoofing attempts. Through this multi-level email security, messages are subjected to sender authenticity and domain assessment, before they reach employee inboxes.




What’s something that has drastically changed about cybersecurity since you first got started in the field?

In one word: complexity. Companies need to be able to simultaneously adapt to emerging threats, cover the full mix of in-depth employee training, ensure granular risk monitoring and adhere to data usage rules.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

My decision to study engineering was driven by my interest in solving complex challenges. Twenty years later I am solving one of the biggest problems businesses face. Ask yourself one key question: do I enjoy solving problems? If the answer is ‘yes’, this is the place for you – because there are always big, and new, challenges to address.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.
