IT leaders cannot be sleeping well lately. It seems that barely a day goes by without news of another stalwart company brought to its knees by cyber-attackers. Many IT leaders are starting to realise that today's threat is significantly different from the waves of attack that came before.

A new environment

For one, cyber-attackers' motives have changed. In the past, hackers tended to be teenagers and malcontents, bent on mischief and focused on destruction. Their main objective was to plant viruses or mount massive denial-of-service (DoS) attacks to cripple any corporation or organisation within their reach. Today's attackers, and phishers in particular, are far more sophisticated. They are typically activists, criminals, competitors or even national governments who use stealth tactics to steal valuable information, either for personal gain or to expose company secrets to the world.

The mode of attack has also evolved. Where hackers once relied on technical exploits to mount a frontal assault on firewalls and servers, today's cyber-attackers use information to con employees into opening the door for them. As a result, they slip past the firewall and sit, unnoticed by anti-virus software, on the network collecting valuable data.

Phishing season is open

To better understand the risks faced by companies, we recently examined the publicly available information for companies on the Forbes 2000 list. Using only the metadata found on their websites, our security analysts were able to acquire potentially useful information from more than three quarters of the websites they examined. Besides hundreds of thousands of usernames and email addresses, our cursory review was even able to identify cases where companies were using out-of-date software with potential vulnerabilities.
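The kind of cursory review described above can be turned against your own site as an information-leak audit. The script below is an added example written for this page, not code from the original article or from the study it reports. The response headers, HTML, hostname, names and version strings are constructed for illustration, and the username-convention heuristic at the end is an assumption rather than any standard. It scans one HTTP response for software-version disclosures (Server and X-Powered-By style headers, the generator meta tag, "Powered by" footers), for e-mail addresses in visible text, HTML comments and mailto: links, and for staff names in the author meta tag, then reports the address convention that would let a phisher guess further addresses from public staff names.

```python
"""Information-leak audit of one web response (added example, constructed input)."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample response: hostname, versions and names are made up.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 4.1.1">
<meta name="author" content="Jane Doe">
</head><body>
<p>Media enquiries: <a href="mailto:jane.doe@example.com?subject=Press">Jane Doe</a></p>
<p>Investor relations: ir.team@example.com</p>
<!-- TODO remove before launch: staging login is admin@example.com -->
<footer>Powered by Drupal 7</footer>
</body></html>"""

# Response headers that routinely carry product/version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator",
                      "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"([A-Za-z][\w-]*)[ /]v?(\d+(?:\.\d+)*)")  # Apache/2.2.15, Drupal 7
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class _LeakCollector(HTMLParser):
    """Collects <meta> tags, mailto: targets, visible text and HTML comments."""

    def __init__(self):
        super().__init__()
        self.meta = {}    # lower-cased meta name -> content
        self.chunks = []  # strings that may contain addresses or versions

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"].lower()] = a["content"]
        href = a.get("href") or ""
        if tag == "a" and href.lower().startswith("mailto:"):
            self.chunks.append(href[len("mailto:"):].split("?")[0])

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_comment(self, data):  # developer comments are a classic leak site
        self.chunks.append(data)


def version_disclosures(headers, collector):
    """Sorted (source, product, version) triples: headers, meta generator, 'Powered by'."""
    found = set()
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS:
            pairs = VERSION_RE.findall(value)
            if not pairs and re.fullmatch(r"\d+(?:\.\d+)*", value.strip()):
                pairs = [(name, value.strip())]  # bare version, e.g. X-AspNet-Version
            found.update((name, p, v) for p, v in pairs)
    if "generator" in collector.meta:
        found.update(("meta generator", p, v)
                     for p, v in VERSION_RE.findall(collector.meta["generator"]))
    for chunk in collector.chunks:
        if "powered by" in chunk.lower():
            found.update(("body text", p, v) for p, v in VERSION_RE.findall(chunk))
    return sorted(found)


def harvest_emails(collector):
    """Sorted, de-duplicated addresses from text, comments and mailto: links."""
    return sorted({m.lower() for c in collector.chunks for m in EMAIL_RE.findall(c)})


def address_convention(emails):
    """Heuristic (an assumption, not a standard): the dominant local-part pattern.
    Once the convention is known, public staff names become guessable addresses."""
    patterns = Counter()
    for addr in emails:
        local = addr.split("@", 1)[0]
        if re.fullmatch(r"[a-z]+\.[a-z]+", local):
            patterns["first.last"] += 1
        elif re.fullmatch(r"[a-z]+", local):
            patterns["single word"] += 1
        else:
            patterns["other"] += 1
    return patterns.most_common(1)[0][0] if patterns else None


def leak_report(headers, html):
    """Audit one response; a recurring audit would diff this dict run over run."""
    collector = _LeakCollector()
    collector.feed(html)
    emails = harvest_emails(collector)
    return {
        "versions": version_disclosures(headers, collector),
        "emails": emails,
        "usernames": sorted({e.split("@", 1)[0] for e in emails}),
        "convention": address_convention(emails),
        "authors": [collector.meta["author"]] if "author" in collector.meta else [],
    }


if __name__ == "__main__":
    for key, value in leak_report(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

On the constructed sample the report lists four version disclosures, three addresses (one of them only in an HTML comment), the author name and a first.last address convention. The remediation for the version findings is configuration rather than patching: Apache's ServerTokens Prod and ServerSignature Off, nginx's server_tokens off, PHP's expose_php = Off, and removing the generator meta tag and "Powered by" footer from templates. Re-running the report against every public host on a schedule and diffing the output is the simplest way to catch leaks that creep back in.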
The full study findings will be released in September.

So if firewalls and anti-virus software alone can no longer be relied on in today's security environment, how can IT leaders work within their organisations to neutralise the threat?

For one, IT functions need to move more nimbly in order to identify and respond to potential vulnerabilities. Today, phishers have a significant advantage over corporate IT functions: they are not beholden to approval cycles, budget requests or bureaucracy, and can develop, deploy and disband an attack in a matter of hours. To respond effectively, corporate IT functions must be able not only to react to these threats but to anticipate and neutralise them before they occur.

Our experience shows that there are a number of steps IT leaders can take to help reduce the risk of phishing attacks:

1 Quantify your current exposure: Before you can plug any leaks, you must have a clear understanding of where the greatest risks lie within your organisation. IT leaders will want to run simulated phishing attacks against their own organisation to identify vulnerabilities and ascertain opportunities for improvement; measure not only who clicks but how quickly suspicious messages are reported. In many cases, professional, ethical hackers may be employed to conduct penetration testing across your infrastructure to provide a real-world assessment unhampered by internal politics.

2 Remove information leaks: This is not merely a case of plugging holes or deploying a new security update. Most information leaks are small, relatively innocuous disclosures, such as employee email addresses, usernames or software versions, that are widely dispersed across both corporate and external websites. A great deal of information can also be gleaned from employees' social media profiles.

3 Perform regular security audits: These types of information leaks are not one-time events. Left unmonitored, the risk will quickly return. Over the medium to long term, security audits also help to raise awareness of the threat within the enterprise, which reduces the chances of new leaks arising.

4 Classify data and information: Clearly, some corporate data is more sensitive than other data and should command more stringent security controls. But most organisations do not think about the relative value of data and tend to treat all of it in exactly the same way. For inspiration, IT leaders may want to emulate government classification schemes, where data is labelled according to its risk and value and the label dictates the level of control required.

5 User awareness and training: In the face of a phishing attack, your organisation's security relies heavily on the awareness and diligence of your employees. Everyone in the organisation, from the boardroom to the mailroom, must understand the value and sensitivity of the information they possess and, more importantly, how to protect it, including how to recognise and report a suspected phishing message.

And while there is much that IT leaders can do, it will ultimately take a fundamental culture shift throughout the organisation to properly neutralise the threat of phishers. Based on our research, it may be some time before IT leaders are able to get a good night's rest again.