Published: October 13, 2023
By Annie
No, You Aren’t Getting a Bonus. Your Company Is Just Testing You.
Wall Street Journal ($): Companies are using sophisticated, personally tailored phishing tests to improve their employees’ cybersecurity competence, often leveraging enticing or emotional content such as concert ticket offers or unexpected bonuses. Firms like KnowBe4 design phishing simulations around social trends and current events, and even create controversial, emotion-driven templates that mimic real-world attacks preying on urgency and fear. These tests have sparked debate, as some employees feel they diminish morale or are emotionally manipulative, particularly during uncertain economic climates. Critics argue that traditional training sessions might be a more empathetic approach, avoiding the risk that employees feel exploited or grow distrustful of internal communications. Nonetheless, proponents highlight the efficacy of such simulations, citing significant reductions in susceptibility to actual phishing attacks after systematic training.
23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews
Wired: 23andMe, a popular genetic testing company, has suffered a data breach, albeit without a direct compromise of its systems. Attackers, using guessed login credentials and abusing the “DNA Relatives” feature, harvested and leaked user data, including sex, birth year, and genetic ancestry results. Notably, the leaked data includes records claimed to pertain to Ashkenazi Jews and hundreds of thousands of users of Chinese descent, possibly including celebrities like Mark Zuckerberg and Elon Musk—although verification of the data’s legitimacy is pending. The incident spotlights the risks and ethical dilemmas surrounding DNA databases, especially given the sensitivity of genetic information and its potential for misuse, and has sparked discussion about data privacy on platforms designed to facilitate sharing.
Too Rich to Ransomware? MGM Brushes Off $100M in Losses
Dark Reading: In the wake of a sizable ransomware attack, MGM Resorts opted not to negotiate with the attackers, absorbing approximately $100 million in losses while maintaining a robust financial outlook, according to its recent SEC disclosure. This decision contrasts with that of Caesars Entertainment, which chose to pay a $15 million ransom after being targeted by the same cybercriminals. Cybersecurity experts highlight the potential benefits and risks of each response to ransomware, noting that while large enterprises like MGM can absorb financial hits and resist payment demands, smaller businesses may find such an approach unsustainable. The contrasting responses from MGM and Caesars demonstrate differing strategies for addressing cybersecurity threats and underscore the perpetual balancing act between investing in preventative cybersecurity measures and managing post-attack remediation and recovery.
69% of employees had bypassed their organization’s security policies in the past 12 months, and 74% said they would be willing to do so if it helped them or their team accomplish a business objective. (source)
A recent survey suggests that 70% of organizations view SaaS cybersecurity as a top three security initiative within the next 1 to 3 years. (source)
Our digital landscape is vast and vulnerable. In recognition of #CybersecurityAwarenessMonth—and every month—let’s prioritize safeguarding our interconnected world.