Where I work we like to operate on the assumption that people can be socially engineered so if they are, what happens next, and if that fails, what happens next and if that fails, what happens next. The Swiss cheese approach to security.
people will always find a way to make mistakes. the weak link in your system is your user. You can train them and create some written work procedures but that will never be enough. 1/2
if you work with very sensitive information you need to create a controlled environment: restricted work devices, traffic restrictions, vpn, firewall whitelisting, 2FA, etc 2/2
And the right technology doesn't end up having holes on those vectors. Neither my password manager nor my Yubikey are subject to phishing nor credential stuffing, and if I mandate and enforce the mandate for both in an enterprise, voila.
Google is big. It stores a shockingly large number of emails. It's been going for a long time. It has a large number of employees. There has never been a large-scale leak of customer emails from Gmail from someone hacking in.
We should fight the framing of customer data breaches as inevitable.
Also Google's entire security org is basically built and structured around Aurora happening and then the directors saying "this will never, ever happen again, whatever it takes"
Do people target Google? Sure do. All the time. Do individual accounts sometimes get hacked? Alas. Even at Google. But we don't have to accept at-scale customer leaks as natural or inevitable.
I realize "Google accidentally exposed customer details if you look in the right place" isn't exactly what you were looking for, but I'd still consider it a data breach.
I did not say data breach is normal, I said people getting phished is. Highly unlikely the data the bad guys want is on their laptop. So, as I said, what happens next is where a variety of layered security will be best suited to protect against that initial access turning into a data breach.
And what we are saying is that with the right posture (security keys + password manager) you effectively eliminate the threat from phishing and credential stuffing altogether.
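Added example (not from any poster in this thread) of the mechanism behind that claim: an origin-bound credential is verified against the site the browser was actually on, so a login relayed through a lookalike page fails, while a captured password has no such binding. HMAC stands in for a real authenticator signature, and the domain names and function names are assumptions for this toy model.

```python
import hashlib
import hmac
import json
import os

# Constructed toy model of why an origin-bound (WebAuthn-style) credential defeats a
# relayed phishing login while a password does not. HMAC stands in for the authenticator's
# signature; names and domains are assumptions for this example only, not real WebAuthn.
RP_ORIGIN = "https://corp.example"                       # legitimate site (assumed)
PHISH_ORIGIN = "https://corp-example.login-help.test"    # constructed lookalike

def register_credential() -> dict:
    """The authenticator mints a per-site key the RP later verifies assertions with."""
    return {"secret": os.urandom(32)}

def browser_get_assertion(cred: dict, page_origin: str, challenge: bytes) -> tuple:
    """The *browser* records the origin of the page that asked, so a lookalike page
    cannot claim to be the real site; the authenticator signs over that client data."""
    client_data = json.dumps({"type": "webauthn.get", "origin": page_origin,
                              "challenge": challenge.hex()}, sort_keys=True).encode()
    sig = hmac.new(cred["secret"], hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig

def rp_verify(cred: dict, issued_challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying party checks origin and challenge before trusting the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN:
        return False                  # origin mismatch: this is the anti-phishing check
    if data.get("challenge") != issued_challenge.hex():
        return False                  # stale or replayed challenge
    expected = hmac.new(cred["secret"], hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def legitimate_login(cred: dict) -> bool:
    challenge = os.urandom(32)        # RP issues a fresh challenge
    client_data, sig = browser_get_assertion(cred, RP_ORIGIN, challenge)
    return rp_verify(cred, challenge, client_data, sig)

def relayed_phishing_login(cred: dict) -> bool:
    """Lookalike site fetches a real challenge, shows the user its own login page, and
    forwards whatever the victim's browser returns. The RP rejects it: wrong origin."""
    challenge = os.urandom(32)        # obtained from the RP by the lookalike site
    client_data, sig = browser_get_assertion(cred, PHISH_ORIGIN, challenge)
    return rp_verify(cred, challenge, client_data, sig)

def toy_password_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # toy only, not a storage scheme

def reused_password_login(stored_hash: str, submitted: str) -> bool:
    """Contrast: a phished or stuffed password carries no origin, so it works anywhere."""
    return hmac.compare_digest(stored_hash, toy_password_hash(submitted))
```

The password contrast is what a password manager closes off in practice: it autofills only on the origin it saved the credential for, and it stops the reuse that credential stuffing depends on.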
Sure, but not everyone has the budget that Google does for security. Security has to exist within the reality for that particular business. I agree security needs to be top priority but not everyone can afford Yubikeys and detecting someone reusing a personal password in your corporate environment.