By Chris Terrell, Information Technology Department Manager
Really, how bad can one errant click be?
OK, maybe you get a virus on your computer and somebody from IT has to fix it while you use a loaner. Maybe some files have to be restored. It is not the end of the world, right? These things happen… All. The. Time.
Fair enough, computer viruses happen all the time. Sometimes it can feel like white noise after a while, something we have all learned to live with.
Then again, maybe an errant click can become a nine figure mistake. Not four figures, not six figures, NINE figures. As in hundreds of millions lost. Sound far-fetched? Not if you are an employee at Yahoo. As you may have read in recent months, Yahoo suffered from a massive data breach. More than one billion Yahoo accounts were compromised. Keiter addressed the data breach incident in a previous article.
What no one knew in 2016 was how the data was obtained. You may be thinking it was a sophisticated breach of systems, a complicated internal attack that bypassed the best physical and logical security an enormous company like Yahoo could muster. Real cloak-and-dagger stuff.
The answer revealed recently is not as glamorous.
Attackers breached Yahoo using regular old social engineering—the most effective weapon a cyber-criminal has in their tool kit.
That social engineering took the form of a spear-phishing email, the sort of email we have all been receiving for years now. The difference? A decade ago we all received the 'Nigerian Prince' email or something similar, the sort that was so laughably bad almost no one fell for it (which was the point, attackers were targeting the most naïve segment of the population).
Not so today. Today spear-phishing emails look very real, and almost everyone can be fooled by them if they are careless. Once a user at Yahoo clicked on that bogus email, they essentially opened a door hackers simply walked through to gain access to Yahoo data.
The moral of the story?
For many companies there is no asset more valuable than their data. In Yahoo’s case that mistake has a price tag of approximately 250 million dollars, the amount of money Verizon is reported to have taken from the amount offered to purchase Yahoo.
It does not matter how good a firm’s network security is if users are not properly trained to spot a well-crafted and completely bogus email. Companies cannot solely depend on the IT department to safeguard data, it has become the responsibility of everyone in the firm.
The first line of defense and the first vector of attack is the end user, so an effective cybersecurity awareness training program combined with robust network defenses are an essential part of the landscape in today’s office environment.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.