Last year, security researcher James Pavur impersonated his fiancee and tricked tech companies into turning over vast amounts of data about her, including credit card information, account logins and passwords and, in one case, a criminal background check. Only a few of the companies asked for verification. Two years ago, Akita founder Jean Yang described someone hacking into her Spotify account and requesting her account data as an “unfortunate consequence” of GDPR, which mandated companies operating on the continent allow users access to their data.
Consider the implications of workers clicking on an ad promising a COVID-19 wonder drug, or opening an email attachment—from what appears to be a legitimate health agency offering pandemic updates—that embeds software designed to compromise security. Or what if a worker is manipulated by social engineering techniques to follow instructions from a cyber criminal claiming to be from the employer’s help desk? Does your company have adequate provisions in place to prevent workers from downloading malware that could be used to collect passwords providing access to payment systems, personnel records, personal customer data, intellectual property, and other important assets?