Tag Archives: yubico

Cyber Hacks – Prevention Versus Cure

Getting sick is a really nasty experience. Being forced to stay in bed because you cannot move an arm and a leg, your nose dripping constantly and a headache bouncing in your skull all day is the opposite of a pleasant experience. When you then take into account that you could’ve prevented this by just getting a flu shot at the beginning of autumn, you still wonder why you didn’t. No time? Did not want to fork out $30,00 as the cost of living is hard enough?
Not being able to work and missing opportunities for your business is far more costly, and regaining customer confidence when it comes to business continuity can be a real challenge.

Extrapolate this to a cyber hack where your customer data is at risk of being exposed to the outside world and criminals are able to reach into the deepest pockets of your customers through extortion, identity theft, etc.


Latitude Financial Services has been “hacked”

Huh??? Why the quotes?

A hack is not really a hack when a spear phishing attempt is able to obtain employee credentials, which are then used to basically bypass all security measures that are in place. Is it really a “burglary” when you leave the front door open, or more an invitation for criminals to go “shopping”?

The Latitude security page shows a somewhat troublesome image that seems to be in line with the policies and procedures that are followed in the company. Too much “easy going” will eventually catch up with you.

Irrespective of terminology, the fallout of the breach is significant, with detailed information of a large customer base being stolen. Latitude Financial Services observed a breach that had all the hallmarks of a relatively simple spear phishing campaign, and it most likely took only one employee with enough authorisation in one or more systems to do this significant damage.

This comes just days after I wrote about the poor state of security in the financial services industry and the lack of preventative measures that should’ve been in place to prevent this from happening. Latitude is not the only one and it is just a matter of time before other institutions see the same fate.

Actions to take now

I know I’m sitting on the sideline here making a high-level analysis, but when relatively simple things like credential theft through phishing happen, you can imagine that awareness training and Verifier Impersonation Resistant MFA technologies have not been used at Latitude.

I’ve said it before, customer and employee phishing awareness as well as foolproof MFA solutions will prevent this to the extent that attempts to breach into environments are only possible under physical duress of the owner of the token.

As an authorised partner of KnowBe4 and Yubico, we can help in bringing you solutions that tackle both of the main problems that were a root cause of the breach at Latitude. Ask us for a demo of KnowBe4 and how this can help your organisation in elevating awareness of the various phishing methodologies and how to thwart them, or click here to register directly.

Contact us for Yubico solutions to help you and your customers obtain maximum, phishing-resistant MFA protection.

Kind regards,

Erwin