Google announced a remarkable achievement this week — not one of its 85,000 employees has been the victim of a phishing attack since the beginning of 2017.
Phishing refers to when a hacker sends an email that looks authentic for the purpose of gaining personally identifiable information such as a password or credit card number. Even the savviest of employees can fall victim to such an attack inside a large organization like Google, especially as the perpetrators become increasingly sophisticated in hiding their identities and making it look like they come from inside the company.
One way to try and battle this kind of attack is using two-factor identification, such as sending a code to your cell phone, but hackers have become so advanced that they have found ways to intercept the code or otherwise disrupt the authentication process.
Google announced a remarkable achievement this week — not one of its 85,000 employees has been the victim of a #phishing attack since the beginning of 2017. @ron_miller
Given all this, how did Google manage to protect tens of thousands of employees from these kinds of attacks? They gave their employees hardware security keys like the ones from Yubikey. Security keys are inexpensive devices you insert into your USB port. You simply touch the key when prompted to provide a second factor of identification.
Learning from the big boys
When a company the size of Google can completely eliminate a security threat in this manner, it is nothing short of extraordinary, but Google has also been working to protect Gmail from similar attacks. In May 2017, the company published a blog post outlining how it had protected users from a coordinated phishing attack precisely designed to get at people’s Google credentials.
This week, we defended against an email phishing campaign that tricked some of our users into inadvertently granting access to their contact information, with the intent to spread more phishing emails. We took quick action to revoke all access granted to the attacker as well as steps to reduce and prevent harm from future variants of this type of attack, the company wrote in the blog post about the attack.
The fact is though, that you can’t always count on vendors to protect you. The cloud providers often discuss what’s called a ‘shared security model.’ While they will protect the hardware and physical data centers from attack, they count on customers to take care of the applications side of things.
Unfortunately, the vendor can’t protect you from a bad configuration. That’s your responsibility, but you can learn a lot by watching what the large cloud vendors do and Google has provided companies with a cheap and easy way to protect users from a common type of attack by using USB security keys.
Computing is inherently insecure, but if you can take lessons from major vendors like Google and apply them at your company, you could benefit from what they have learned.
Photo byJon Russell on Flickr. Used under CC by 2.0 license.