"That's the work we are doing right now," Harkins said, citing an increase in security spending. "It will take a couple of years."
A number of companies are now offering analytics and security products designed to combat social-engineered attacks.
In February, Milpitas, California-based FireEye announced a system designed to stop spear-phishing. Its software can open an e-mail attachment or a link outside of the corporate network, run it to see if it's malicious, and report back on the scope of the planned attack, Ashar Aziz, FireEye's Chief Executive Officer, said in an interview.
"This is the deadliest sector of attack that exists today," he said. The company already provides the product to several governmental agencies, he said.
Another vendor, CertiVox, started selling a product last week that lets users safeguard their Web e-mails and online posts on Facebook or blogs. Through encryption, the messages are readable only to recipients picked by the sender. The company, with offices in San Francisco and London, is testing the software with large law firms in London, CEO Brian Spector said in an interview.
Trying to Keep Up
"The security industry is still stuck in infrastructure 1.0," Spector said. "As the Web 2.0 world started taking off, it wasn't keeping up."
Training may be the biggest key to stopping the attacks. Hudson Valley Credit Union in Poughkeepsie, New York, experienced a spear-phishing attack five years ago. Now, each of the company's more than 800 employees takes an annual online security training course, said John Brozycki, the credit union's information security officer.
Each year, the course expands to include new schemes and provides a refresher on long-time problems like phishing.
"We hope that our defenses are able to handle it," Brozycki said.