A recent data breach at Disney demonstrates how important it is for all organizations to put effort into securing their networks. Security is no longer a concern only for financial institutions and healthcare-related organizations; hackers are reaching out to any company they believe may offer a good payout. This time, they are holding one of the upcoming Disney films hostage and threatening to release it in increments if the entertainment giant doesn’t pay up.
Although the name of the film that is being held ransom hasn’t been officially disclosed, it is believed to be the fifth of the movies in the Pirates of the Caribbean franchise, Pirates of the Caribbean: Dead Men Tell No Tales. Disney CEO Bob Iger did not confirm this detail, but he did inform employees that a ransomware attack occurred. Those inside the company have also said that Disney will not pay the hackers and is working with the FBI to find the perpetrator(s).
Most often, malware attacks start with someone in an organization opening an attachment or clicking on a link inside an email message. These are preventable instances when companies put resources into training. Once a year just isn’t enough anymore. Phishing attacks constantly change, and it’s becoming more and more difficult to tell real messages from imposters.
For example, a recent phishing scam showed the hackers using actual PayPal accounts to send fake invoices to unsuspecting PayPal users. Because they used real accounts, it was nearly impossible to detect it as phony using the traditional clues, such as incorrect logos and typos.
A thorough education program and ongoing awareness training are how users will learn to identify phishing, stay on top of the current phishing campaigns, and help prevent your organization from going the way of Disney. In fact, the recent worldwide ransomware attack that affected hospitals in the UK, FedEx, and others was successful because malware in email messages set a worm loose on the networks.
Events like this show that hackers no longer target particular industries. Anywhere there may be a significant payout is fair game, and in the mind of a hacker, a company like Disney likely has the motivation and funding to pay up, even with their presumably big cybersecurity budgets. In this case, there is speculation the attack didn’t go through Disney, but through a smaller third party with which they worked. If the FBI can trace it back, imagine the fallout for that small company and the responsibility it may have to accept.
In any case, the size of the organization no longer matters. If cyberthieves think they will get paid, they will give it a try. There is little risk for them, but comparatively a lot of risk for their targets.
Find more security tips from Stickley on Security.