Be Careful Out There—a Reminder to Think Before You Click
A widespread phishing campaign involving Google Docs surprised a lot of users. Although Google quickly disabled the attack, it serves as a potent reminder of the dangers and bad actors that lurk in digital landscapes.
At BrightMove, we engineer our staffing, HR, and other SaaS products with a focus on service and security. Secure HR software is key to keeping personnel information safe, and prying eyes out.
As we have discussed before, humans are the weakest link in cyber security. In the recent Google phishing hack, unsuspecting users clicked on a phony Google Docs prompt, exposing their personal contact information to hackers.
As Google works to prevent this type of hack in the future, many cyber security measures are still vaguely reminiscent of the game of Whack-a-Mole. A new report from Verizon offers a state-of-the-hack update on what businesses, organizations, and consumers are facing today.
Organized crime using hacked passwords in search of money
In the last two years, hacking for financial gain has gone mainstream. While some hackers still aim solely to disrupt, the criminal element has realized the value of virtual crime.
The Verizon Data Breach Investigations Report (DBIR) has been produced annually for a decade. Based on approximately 40,000 threat events, the report looks at the trends and types of hacks, bad actors, and victims. For businesses and HR managers looking to protect their interests and help employees practice cyber hygiene, the report offers good insight.
Here are some points from the 2017 DBIR:
- Industry specific: The report works through incident patterns, who is doing it, and how they are doing it for major industries.
Healthcare is most likely to be compromised by bad guys on the inside, looking at confidential files for data or identity theft, or just out of curiosity. The world of finance is almost always attacked from without through denial-of-service (DoS) attacks, card skimming, and attacks on financial web apps. Education is targeted mostly from without, suffering data breaches and espionage. Food services and accommodation are deluged with financial point-of-sale (POS) theft, almost always from outside. Retail concerns, especially e-retailers, suffer financial loss mostly through outside DoS, attacks on web apps, and credit card skimming for financial gain.
- Click and lose: Humans across sectors are targeted for an attack on web apps, cyber-espionage, and other tactics like social engineering. While 66% of attacks on users are for financial gain, the rest are for espionage—to gather your contact and personal information. The DBIR notes almost all phishing efforts try to plant some type of malware.
- What’s new in town: Ransomware moved from 22nd place to fifth place this year as the most common form of malware. The report notes a trend by purveyors of ransomware toward attacks on organizations.
Ransomware infiltrates and locks up data, leaving an individual or business to pay a ransom for return of their data, which is not guaranteed. In 2016, ransomware was increasingly spread through email phishing, as opposed to drive-by attacks from dubious web downloads.
In May, an aggressive cyber attack involving ransomware targeted the National Health Service in Britain, eliminating access to patient files and causing emergency room havoc.
- The bad guys: About 75% of breaches (resulting in financial or other loss) are initiated by outside bad actors. In descending order, the rest of the breaches involve organized crime, internal personnel, nation-state actors, and partners (either business or personal) of victims.
- Overall tools: Stolen or weak passwords are the biggest key to cyber theft, followed by hacking, malware, social engineering, internal errors, and physical actions.
- Who gets hurt most? Although both consumers and businesses suffer cyber-crime, finance, healthcare, public sector agencies, and retail are the biggest victims of digital skullduggery.
Cyber-awareness is still “too little, too late.” HR is perfectly poised to have an impact on organizational security by working with C-suite execs to ensure policies and personnel are in place to protect your company from an attack.
HR is also the leading edge of workforce training to ensure employees can maintain informed awareness as they navigate the increasingly rough, but invisible, neighborhoods on the web each day.
With the risk of serious data and financial loss at the flick of a finger, the Google Docs incident is a great reminder to think before you click.