Following hacks involving the breach of more than a billion email accounts that is driving down the valuation of Yahoo once again and a much smaller number of high-profile compromises of Gmail accounts belonging to officials of the Democratic National Committee (DNC) it won’t be too long before many organization start revisiting their approaches to the consumerization of IT.
Many end users these days conflate consumer and corporate services to accomplish any number of tasks. Inevitably, sensitive data bleeds over between these services. Hackers have now long known they can with a fair amount of ease compromise the credentials of a consumer grade service to gain access to mountains of data. At the same time, phishing attacks that appear to be an important message from one of those consumer grade services has emerged as a favorite form of phishing attack that in the case of the DNC proved quite effective. DNC officials were fooled into downloading malware when they received a fake email informing them that some unknown party has stolen their email passwords. They were advised to click on a link to change that password, which was then used by the hackers to access all kinds of sensitive data that probably should never have been shared via Gmail in the first place.
Now consumer grade collaboration applications such as Slack are also finding their way into the workplace. Like any email service these applications are gaining popularity because they are simple to use. But given their very nature the people the rely on these services within the context of a work environment are sharing even more sensitive data via a public service. It’s only a matter of time before hacker start going after the credentials needed to access those accounts as well.
Of course, there’s no such thing as perfect security. But in the case of a corporate email system it’s a lot easier to pick up a phone to check the veracity of an email informing you that your email password may have been compromised. Consumer grade services are provided by companies that make minimizing any human interaction with their customers a core part of their business models. It’s virtually impossible for an end user to check the veracity of an email delivered via one of these services. The only advice provided is not to click on any attachments or URLs that appear to be suspicious. All it takes is one lapse in judgement to compromise an account so it’s little wonder that hackers keep flooding these systems with phishing attacks. They know that the odds are on their side.
Corporate email system may not be as easy to use as consumer-grade services. But the cost of relying on those services goes way beyond the productivity of any single individual. Not only can the credentials for accessing those systems be easily compromised they have become a conduit for spreading the means through which malware attacks are being launched at levels of unprecedented scale.
IT security leaders, of course, have been warning about these issues for years. The difference now is that a lot more end users have now seen enough of the damage caused by these attacks to now actually want to understand the real implications.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard est un spécialise de l'informatique depuis plus de 25 ans et à ce titre, a publié et contribué à de nombreuses publications techniques, dont InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet et Digital Review. Il rédige actuellement des articles de blog pour IT Business Edge, et contribue à la rédaction d'articles pour CIOinsight, The Channel Insider, Programmableweb et Slashdot. Mike Vizard rédige aussi des articles traitant des nouvelles technologies Cloud pour SmarterMSP.