Cybersecurity has come a long way from writing our easy-to-guess passwords on post-it notes and placing them on our oversized monitors. Nevertheless, the recent proliferation of cyber attacks has companies like United Airlines fearing for what might be catastrophic damage due to the negligence of just one employee.
Greatest Threat To United Airlines? Cyber Attacks
United Airlines has instructed employees to report suspicious email by forwarding it to an internal email address or clicking on a “Report Phish” button in Outlook.
Last month, United’s Cybersecurity team launched a phishing campaign based on an “actual threat” received by United. These sorts of simulations are conducted each quarter to “arm employees with the latest information on spotting potential suspicious emails and reporting them.”
As part of the experiment, more than 78,000 United employees and contractors received an email which contained a voicemail attachment from an individual outside the company (all email that is not internal is marked external with the warning, “This message was sent from outside of United Airlines. Please do not click links or open attachments unless you recognize the sender and know that the content is safe.”)
There results were not comforting:
- Only 4.2% of the total recipients reported the email using the Report Phish button in Outlook or forwarded it to the appropriate email address
- 11% of United employees and contractors failed to recognize the email as suspicious and opened the attachment.
I doubt these sort of numbers are unique to United. Even at my own small company we’ve had employees open up phishing attachments. It happens, even with training.
But as we recently saw with the Colonial Pipeline cyber attack, ransomware attacks can quickly spiral out of control in ways that cause immense financial and economic damage.
That’s why United told employees in a memo reviewed by Live and Let’s Fly that cyber attacks pose the “biggest” threat to the airline:
Cyber attacks are currently the biggest threat to our airline, so we need everyone to be extra vigilant and report suspicious emails!
United offers the following instructions when reviewing email, which are actually generally applicable and a good reminder for all of us:
When you open an email, spend an extra moment looking it over. Before clicking on a link or opening an attachment, ask yourself, “Was I expecting a message from this person?” If the answer is no, this is a characteristic of phishing, and you should report the email.
CONCLUSION
Cyber attacks are a serious and growing threat to economic stability and commerce. Often, it can be the the weakest link—just one person—who inadvertently unleashes a torrent of damage.
United Airlines cyber attacks are deemed airline’s biggest threat. What do you do to prevent yourself or employees from clicking on phishing email?
image: M.J. Flaherty in United’s Network Operations Center [NOC] in Chicago
I trust this company will up its game in terms of cyber. It is both in their best interest and the general public. Good Luck UA!
There was a good article on zdnet this morning with the CISO for Microsoft saying just assume your network is already compromised and do everything you can to eliminate the threats like MFA and enhancing your supplier sourcing to eliminate backend breaches like SolarWinds.
https://www.zdnet.com/article/microsofts-ciso-why-were-trying-to-banish-passwords-forever/
TL/DR: You aren’t going to have 100% security ever so make the bad guys work for it so much there is no profit for them.
Companies refuse to pay what they need to, if they want top technical talent.
Companies also send mix messages and confuse non-technical people. For example I work at a major defense firm that has a number of technical people but also non-technical people. They tell you not to click on links in emails and yet they constantly send legitimate emails saying click here to either fill out a survey, view a video, etc. All that does is confuse the non-technical person.
Also when technical people, especially security, tells upper management you need to do this and that, they resist because it either costs too much money, or it is too much of a hassle. I once complained to a stock brokerage because they wouldn’t let me create a password more than 8 characters. They claimed their clients didn’t want anything longer. Hmmm.
Not sure if anything has changed but most airline systems are old and prone to outages. I think it was Southwest that just had a couple of major mishaps this week. Most of which should have been avoidable but it costs $$$.
Reminds me of a Bruce Willis movie. Maybe Diehard. The theme was criminals/terrorists hacking into ATC systems/radar etc, in order to blackmail.