Would you apply to a company that was recently phished?

I saw a position I wanted to apply for, but then I did some research and I am hesitant to apply for it because of what I found.

It turns out one of their HR people was phished. They received a phishing email from the "CEO" asking for an excel document with all of the employees' information. The HR person without thinking twice sent the excel document in a reply to the phishing email.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

tmtex

Well I see you have your sec +, maybe you could go in and educate them a little bit.

iBrokeIT

I'm less concerned about if a company got breached, phished or whatever as I am about how they plan to respond to the incident.

If they continue like it's business as usual then that is a non starter but they they plan to hire a new CISO, do user awareness training, up the InfoSec budget, pit controls in place ect ect then I'd be happy to come on board.

A lot of organizations don't take information security as seriously as they should until they have an incident with large financial consequences.

tmtex

I worked for a MAJOR commercial real estate co(Global) they got all our info. Long story short I had CC's opening up everywhere in the north east, plus I lived in Milwaukee. To this day I can get that address off my credit report

alias454

I would apply and then make sure to ask about it during your interview if you get one.

ITSpectre

I would take the job then during the interview I would ask as one of my questions... " What are the biggest challenges facing the company/department right now?"

Danielm7

iBrokeIT wrote: »

I'm less concerned about if a company got breached, phished or whatever as I am about how they plan to respond to the incident.

Agree with the above. It's sort of like the bigger the company the more chances that someone will respond to a phishing email. Some of them are really good, I don't know that any company is going to get 100% employee compliance no matter what they do at this point. I work at a fairly big company, we do security education, phishing testing, etc, people even report a lot that is questionable and even then people click on and open things they shouldn't.

Infosec85

tmtex wrote: »

Well I see you have your sec +, maybe you could go in and educate them a little bit.

Haha golden...

ITSpectre

Danielm7 wrote: »

Agree with the above. It's sort of like the bigger the company the more chances that someone will respond to a phishing email. Some of them are really good, I don't know that any company is going to get 100% employee compliance no matter what they do at this point. I work at a fairly big company, we do security education, phishing testing, etc, people even report a lot that is questionable and even then people click on and open things they shouldn't.

In a class I was in the instructor said it very plainly..... "When it comes down to it... the biggest threat to security is user errors and inward threats. If you tell a person not to do something they will do it anyway so there is no full proof method to prevent phishing and attacks"

Since it was Phishing that mean someone clicked on a email and then that's how it happened. You can do all the education you want... but if someone wants to click on the link.... they will do it.

Im not surprised it was HR. They will click on anything, Then call tech support because they have a bunch of random icons all over the screen and they are all white.. or what they clicked on took them to a website and now their computer is not working right....

gespenstern

Would apply. Irrelevant.

aftereffector

Chances are, any company you apply for will have suffered a security breach - most just don't know about it (yet).

636-555-3226

Every company gets phished and falls for it. We've been doing phishing and security awareness at my work for years but we still fall into a 1-3% failure rate depending on the person and circumstances. sometimes the phish aligns 100% with something going on in their lives (rare, but happens), some people are just stupid and keep falling for it (rare, but happens), etc. also i can 100% guarantee you any mid- to large-size company you apply to has at least one compromised computer on their network. the bigger the company, the more compromised computers. you've gotta be pretty picky to not choose a company to work at because there's a chance there's a security hole.

only exception to that is if the company recently got pwned and the CISO got fired and you're the person they want to hire for the next CISO, but you've got the feeling they're just looking for another scapegoat to take the fall since they don't want to apply the lessons learned from the last breach.....

thomas_

tmtex wrote: »

I worked for a MAJOR commercial real estate co(Global) they got all our info. Long story short I had CC's opening up everywhere in the north east, plus I lived in Milwaukee. To this day I can get that address off my credit report

Yeah, this is close to the level that happened. Apparently the excel file contained information on 1000 employees including their names, SSNs, home addresses, salaries, and other information. After it happened fraudulent tax returns started being submitted in the name of employees that were in the excel document

It just feels weird submitting an application to a company where I know that has happened. I skipped applying to another company because they wanted me to submit an application with quite a bit of PII over a http connection. If they were doing that with application information I could only imagine how they were handling their patients' HIPAA information(it was a medical clinic.)

On one hand I think it might be a good time to apply since they already have it happened and they tightened down their policies, trained users, etc. On the other hand it wouldn't surprise me if a similar incident happened and was caused by the same person.

TechGuru80

I am confused...do we think companies getting phishing emails and responding is an anomaly? Probably happens a lot more than we will ever know.

cyberguypr

I came here to say what most have said above. I don't see how this is relevant to a job search unless you have some personal/moral objection to working for breached/phished companies. Given the current state of affairs with all things security related, I always expect someone to either have messed something up or mess it up real soon.

And to tmtex's point, you are wrong about him being able to educated them with his Sec+. This situation obviously requires a CEH. At least EC-Council knows how not to be breached. Oh wait...

thomas_

cyberguypr wrote: »

And to tmtex's point, you are wrong about him being able to educated them with his Sec+. This situation obviously requires a CEH. At least EC-Council knows how not to be breached. Oh wait...

lol, good point

Kinet1c

aftereffector wrote: »

Chances are, any company you apply for will have suffered a security breach - most just don't know about it (yet).

This * 1000.

If it's a security position it could be a great experience as they'll likely be implementing a lot of policies and structure around their security practices.

kohr-ah

I would go for it.

My last company was phished and I swear got cryptolocker every other week.
The weakest point in security is the users. I would go for it anyway and see if it feels like a good fit.