"Antivirus can't stop spear phishing if I'm going to leverage spy tradecraft, if I'm going to learn about you and learn everything I can from your social media accounts. And when I send a spear phishing email to you, it's going to look like it's from one of your pals. Once [cybercriminals] get in [to your devices], they get a foothold and antivirus isn't going to touch that," he says.
So how can you stay safe from these threats? For a start, don't uninstall that antivirus yet because it still has a role to play.
"Many attacks can be ruled out by antivirus clients," says Dr. Siraj Ahmed Shaikh, reader in cybersecurity at Coventry University.
At the most fundamental level, some sort of protection software is still required for any computer connected to the internet, especially when you consider the sheer number of systems shipped and the amount of patching required to keep them up to date.
"The role of a traditional antivirus is still useful because when you buy a computer, it's already out of date because there have been so many patches since the software was released. Antivirus at least does a good job of raising the threshold, raising the minimum bar of our security systems," says Dr. Shaikh.
But if protective software can't be relied on to detect sophisticated attempts at coercion, how do we begin to take on the threat posed by cybercriminals attempting to trick people with espionage? The answer lies in education -- training people to recognise what might be suspicious and to report it.
"It's about raising awareness that these emails are coming in and how sophisticated they can be. It's about using examples, showing these emails, and breaking them down to show where the red flags are," says cybersecurity consultant Dr Jessica Barker.
It's also important to teach people that in the vast majority of cases, only those with malicious intent will ask for credentials and passwords to be sent over email. Even within an organisation, it's unlikely that another department is going to ask for your login credentials over email.
"It's about encouraging people that no company will ask you for your login details -- but if they do, you should find another way of contacting them," she says, detailing a simple way people can avoid falling victim to a phishing attempt. Within an organisation, that's as simple as talking to the department where the email is said to be from.
It's also important to make sure employees are aware they can come forward if they think they've fallen victim to phishing, because no matter what training is provided, it just takes one person clicking on a malicious link or accidentally providing corporate credentials to a criminal to breach a whole corporation's network.
"What you need to do is build a culture when someone can immediately report that they've clicked a link they're worried they shouldn't have, and people feel safe to question and not be punished," says Dr Barker. An organisation taking this approach can then move to minimise damage sooner rather than later.
"If you have an incident like that, where you get a phishing email and someone clicks the link, you can respond quickly and minimise the damage, whereas if someone doesn't speak up, it's harder to mitigate any damage."
For O'Neill, however, there's only one way that the enterprise and cybersecurity providers can ensure that they remain secure -- and that's by using a similar level of intelligence to defend organisations.
"We need to think about spies, leverage human intelligence, not just machines. We need to start with human intelligence and use software to augment that," he says.