OK fine, my near-weekly encouragement to see your employees as human beings first, and to look out for them as human beings, hasn’t convinced you that burnout is a problem for your business. How about the fact that tired, burned-out employees eventually just check out and create a security nightmare?
It makes sense, for the reasons Jim points out. Your ability to collect ransom payments is diminished if the organization has backups they can simply rebuild with. So, if you can find a way to lock not just the live data, but also the backups, you stand to make more money.
What I wonder is whether this will cause organizations to take another look at the old-school offline backup option: keep a copy of your data physically away from your network, locked in a drawer or closet, etc.
But is that even feasible any longer?
There is an obvious question here, right?
Why do you still have this database sitting around?
Seriously, why? Either you’re telling the truth and you have a vulnerable system sitting out there that you’ve never even used, or you have been using it and you’re lying to save face now that the data has been breached. Neither one makes you look particularly good, does it?
I mean, you really should use one for the obvious reason listed here: it lets you create a ton of different passwords and make them complicated enough that they are hard to crack, since you no longer have to remember them. But a password manager also makes it easy for you to help someone gain access to important information and accounts when you are unable to. Because believe me, it happens.
The breach of the WordPress credentials is bad, as is the breach of the sFTP credentials. Sure, if you are still using the same WordPress password that GoDaddy assigned to you when you started the account, you really need to step up your game.
WordPress is an inviting target, because getting admin access to a WordPress install, or really any other content management system, makes it super easy to lock out the original owner and inject anything you want into the site. Want a place to spread malware in drive-by injections? Nothing like an already existing, and maybe even trusted, WordPress site, eh?
And so, I wonder if those yearly, semi-annual, or quarterly video trainings would be a lot more effective if we also shared specific examples of people who got phished, and how they fell for it.
Like most things in life, it’s one thing to hypothetically know that something could happen, but it’s quite another to know that it did happen to someone we know, someone just like us. That makes it so much more real in our minds, and it appears to make a huge difference in how users approach phishing attempts.