This Week in Cybersecurity: Phishing & Ransomware Take Center Stage
We are only a few days into May, but so far this month cybersecurity has emerged as a hot topic with the development of two headline-making threats: Gmail’s widespread phishing scam and the hack of Netflix binge favorite “Orange is the New Black.”
Today, we’re taking a look at each of these cyber threats and sharing some best practice tips for your investment firm’s security.
Gmail Phishing Attack: What Happened
The ‘worm’ that arrived in Gmail users’ inboxes earlier this week looked like a real and trustworthy email. It appeared to come from one of the user’s own contacts and included a link to an alleged shared Google Doc. Unfortunately, if someone took the phishing bait, the worm then had access to that user’s Google account login information, email account and Gmail contacts. Google appears to have reacted quickly once they learned of the scam; however, there are still potentially hundreds of thousands of users who clicked these malicious links.
What can hedge funds and private equity firms learn from the Google Phishing Attack?
Employees can either be your firm’s biggest strength or biggest threat when it comes to phishing. It is critical that your employees receive regular information security awareness training to better understand the types of security threats with the potential to hit their inbox.
Beyond annual training, managed and simulated phishing exercises (like Eze Managed Phishing & Training) are reliable, cost-effective tools to train users to identify red flags in emails and avoid succumbing to malicious attacks.
Orange is the New Hack? How Netflix Got Burned by Third Party Due Diligence
While “Orange is the New Black” fans were patiently waiting for the scheduled June release of the show’s fifth season, a hacker known as TheDarkOverlord released the upcoming season when Netflix ignored a request to pay a ransom. The hacker was able to hijack the files by gaining access through a third-party provider used by Netflix. Ransomware and cyber espionage attacks are in the news more and more, and they are threats that firms need to take seriously.
What Netflix Reminded Us about Vendor Risk Management
The Netflix security breach highlights the critical importance of managing third-party vendors for firms and businesses who rely on outsourced providers to support their operations. A few key reminders on vendor due diligence and risk management:
Understand who your outsourced providers are, what functions they provide and what data/systems they have access to
Consider sending regular requests for proposals (RFPs) and DDQ documentation requests to any third parties you are evaluating or those you are already engaged with
Continuously evaluate and monitor to ensure all parties are achieving their end goals and meeting expectations
Conduct regular vulnerability assessments and/or penetration tests to have a clear understanding of your IT security weaknesses
Remember: It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that provider in an effort to protect your own firm.