Would you apply to a company that was recently phished?

thomas_ CompTIA N+/S+/L+ CCNA R&S CCNP R&S/Enterprise/Collab Member Posts: 998
I saw a position I wanted to apply for, but then I did some research and I am hesitant to apply for it because of what I found.

It turns out one of their HR people was phished. They received a phishing email from the "CEO" asking for an Excel document with all of the employees' information. The HR person, without thinking twice, sent the Excel document in a reply to the phishing email.

Comments

  • tmtex Member Posts: 326
    Well, I see you have your Sec+; maybe you could go in and educate them a little bit.
  • iBrokeIT GRID, GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,312
    I'm less concerned about if a company got breached, phished or whatever as I am about how they plan to respond to the incident.

    If they continue like it's business as usual then that is a non-starter, but if they plan to hire a new CISO, do user awareness training, up the InfoSec budget, put controls in place, etc. etc., then I'd be happy to come on board.

    A lot of organizations don't take information security as seriously as they should until they have an incident with large financial consequences.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops
  • tmtex Member Posts: 326
    I worked for a MAJOR commercial real estate co. (global); they got all our info. Long story short, I had CCs opening up everywhere in the northeast, plus I lived in Milwaukee. To this day I can get that address off my credit report.
  • alias454 Member Posts: 648
    I would apply and then make sure to ask about it during your interview if you get one.
    “I do not seek answers, but rather to understand the question.”
  • ITSpectre Member Posts: 1,040
    I would take the job, then during the interview I would ask as one of my questions: "What are the biggest challenges facing the company/department right now?"
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • Danielm7 Member Posts: 2,309
    iBrokeIT wrote: »
    I'm less concerned about if a company got breached, phished or whatever as I am about how they plan to respond to the incident.

    Agree with the above. It's sort of like: the bigger the company, the more chances that someone will respond to a phishing email. Some of them are really good; I don't know that any company is going to get 100% employee compliance no matter what they do at this point. I work at a fairly big company, we do security education, phishing testing, etc., people even report a lot that is questionable, and even then people click on and open things they shouldn't.
  • Infosec85 Member Posts: 192
    tmtex wrote: »
    Well, I see you have your Sec+; maybe you could go in and educate them a little bit.

    Haha golden...
  • ITSpectre Member Posts: 1,040
    Danielm7 wrote: »
    Agree with the above. It's sort of like: the bigger the company, the more chances that someone will respond to a phishing email. Some of them are really good; I don't know that any company is going to get 100% employee compliance no matter what they do at this point. I work at a fairly big company, we do security education, phishing testing, etc., people even report a lot that is questionable, and even then people click on and open things they shouldn't.

    In a class I was in, the instructor said it very plainly: "When it comes down to it, the biggest threat to security is user errors and inward threats. If you tell a person not to do something they will do it anyway, so there is no foolproof method to prevent phishing and attacks."

    Since it was phishing, that means someone clicked on an email and then that's how it happened. You can do all the education you want... but if someone wants to click on the link... they will do it.

    I'm not surprised it was HR. They will click on anything, then call tech support because they have a bunch of random icons all over the screen and they are all white... or what they clicked on took them to a website and now their computer is not working right...
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • aftereffector Member Posts: 525
    Chances are, any company you apply for will have suffered a security breach - most just don't know about it (yet).
    CCIE Security - this one might take a while...
  • 636-555-3226 Member Posts: 976
    Every company gets phished and falls for it. We've been doing phishing and security awareness at my work for years, but we still fall into a 1-3% failure rate depending on the person and circumstances. Sometimes the phish aligns 100% with something going on in their lives (rare, but happens), some people are just stupid and keep falling for it (rare, but happens), etc. Also, I can 100% guarantee you any mid- to large-size company you apply to has at least one compromised computer on their network. The bigger the company, the more compromised computers. You've gotta be pretty picky to not choose a company to work at because there's a chance there's a security hole.

    The only exception to that is if the company recently got pwned and the CISO got fired and you're the person they want to hire for the next CISO, but you've got the feeling they're just looking for another scapegoat to take the fall since they don't want to apply the lessons learned from the last breach...
  • thomas_ CompTIA N+/S+/L+ CCNA R&S CCNP R&S/Enterprise/Collab Member Posts: 998
    tmtex wrote: »
    I worked for a MAJOR commercial real estate co. (global); they got all our info. Long story short, I had CCs opening up everywhere in the northeast, plus I lived in Milwaukee. To this day I can get that address off my credit report.

    Yeah, this is close to the level of what happened. Apparently the Excel file contained information on 1000 employees, including their names, SSNs, home addresses, salaries, and other information. After it happened, fraudulent tax returns started being submitted in the names of employees that were in the Excel document.

    It just feels weird submitting an application to a company where I know that has happened. I skipped applying to another company because they wanted me to submit an application with quite a bit of PII over an HTTP connection. If they were doing that with application information, I could only imagine how they were handling their patients' HIPAA information (it was a medical clinic).

    On one hand, I think it might be a good time to apply since they already had it happen and they tightened down their policies, trained users, etc. On the other hand, it wouldn't surprise me if a similar incident happened and was caused by the same person.
  • TechGuru80 Member Posts: 1,539
    I am confused... do we think companies getting phishing emails and responding is an anomaly? It probably happens a lot more than we will ever know.
  • cyberguypr Senior Member Mod Posts: 6,926
    I came here to say what most have said above. I don't see how this is relevant to a job search unless you have some personal/moral objection to working for breached/phished companies. Given the current state of affairs with all things security related, I always expect someone to either have messed something up or mess it up real soon.

    And to tmtex's point, you are wrong about him being able to educate them with his Sec+. This situation obviously requires a CEH. At least EC-Council knows how not to be breached. Oh wait... :)
  • thomas_ CompTIA N+/S+/L+ CCNA R&S CCNP R&S/Enterprise/Collab Member Posts: 998
    cyberguypr wrote: »
    And to tmtex's point, you are wrong about him being able to educate them with his Sec+. This situation obviously requires a CEH. At least EC-Council knows how not to be breached. Oh wait... :)

    lol, good point.
  • Kinet1c Member Posts: 604
    aftereffector wrote: »
    Chances are, any company you apply for will have suffered a security breach - most just don't know about it (yet).

    This * 1000.

    If it's a security position it could be a great experience as they'll likely be implementing a lot of policies and structure around their security practices.
    2018 Goals - Learn all the Hashicorp products

    Luck is what happens when preparation meets opportunity
  • kohr-ah Member Posts: 1,277
    I would go for it.

    My last company was phished, and I swear we got CryptoLocker every other week.
    The weakest point in security is the users. I would go for it anyway and see if it feels like a good fit.