Commenting on Oxford University’s decision to ban Google Docs following a phishing attack against the service, Varonis Systems warns it will take more than a single ban to ensure the organisation is protected from increasing attacks that make use of trusted services like Google.
David Gibson, VP of Strategy with the data governance specialist, says people are much more likely to fall victim to email-based phishing scams when the attacks are staged on a platform that people inherently trust. In the case of Oxford University, users saw a familiar and friendly-looking Google Docs form and falsely assumed it was legitimate and secure. Google Docs in particular has become a prime target for advanced cybercriminals as it is not only highly trusted, but also very easy to set up without much verification of your actual identity.
“Google docs and other public cloud file sharing services have proven to be very convenient for end users—it’s unfortunate that they are now proving to be convenient for cybercriminals and phishing attacks. As so many are dependent on digital collaboration it’s not surprising that the block on Google docs turned out to be temporary, despite the “severe consequences” for the university mentioned by Robin Stevens, ” said Gibson.
The good news, he said, is that IT professionals – and their managers – can help reduce their exposure to phishing with a few simple steps:
1 Educate users about the risks of phishing attacks. With some awareness, employees will become more alert when they receive links in their email, or are asked to submit login credentials or Personal Identifiable Information (PII) via an external site (like a Google form) rather than a site hosted on the organisation’s own domain. (The University’s temporary ban on Google docs probably served to raise awareness more than they anticipated).
2 Use company-wide SSL for all web services. Purchase an Extended Validation Certificate, which gives users an added visual cue in their browser, telling them they’re visiting a site that is run by your organisation.
3 Publish a policy that describes the circumstances under which employees might be asked for personal information, along with the types of information that will and will not be collected (e.g., “We will never, ever ask r your social security number”). This will give users something to reference when they’re unsure.