One of the faintly depressing things about writing and speaking on the topic of cyber-security is that I know that I am never going to be short of recent examples to illustrate whatever point I am hoping to make.
Thus today the ICANN hack provides a timely reminder that anyone in an organisation who is in possession of an e-mail account and a connection to the organisation's network is a possible point of vulnerability that hackers may try to exploit. The ICANN hack appears to have been achieved through spear-phishing (an attack which involves sending individuals targeted e-mails, sometimes specifically prepared to appeal to an individual's interests, or "spoofing" an official e-mail from their employer or a third party, to persuade them to download a file or give up security information).
It is all too easy to fall victim to this type of attack, and organisations should certainly plan on the basis that a percentage of such attacks will succeed, so that there are defences in place against what would then effectively be an internal attack. But there is no reason not to train personnel to be vigilant for the unusual or unexpected in their inbox, and to remind them that they are the front line of their organisation's defences. The costs of such training, on a business-wide basis, are negligible compared to the costs of a successful breach.
Attackers sent staff spoofed e-mails appearing to come from icann.org. The organisation notes it was a "spear phishing" attack, suggesting employees clicked on a link in the messages that took them to a bogus login page – into which staff typed their usernames and passwords, providing hackers with the keys to their work e-mail accounts. No sign of two-factor authentication, then.
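As an added example, not code from the original post: a defender-side check that flags inbound mail whose From header claims the organisation's own domain while the receiving server's recorded SPF/DKIM results do not back that claim, which is the kind of spoofing described above and what a DMARC policy is meant to stop. The domain example.org, the server name mx.example.org and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _from_domain(msg):
    """Domain of the RFC 5322 From address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def _auth_results(msg):
    """Parse Authentication-Results (RFC 8601) into {method: (result, authenticated domain)}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:  # skip the authserv-id before the first ';'
            m = re.match(r"\s*(spf|dkim)=(\w+)(.*)", clause, re.I)
            if not m:
                continue
            dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^\s@]*@)?([\w.-]+)", m.group(3))
            results[m.group(1).lower()] = (m.group(2).lower(), dom.group(1).lower() if dom else "")
    return results

def is_spoofed_internal(raw_message, own_domain="example.org"):
    """True if From claims own_domain but no aligned SPF or DKIM pass backs that claim."""
    msg = message_from_string(raw_message)
    if _from_domain(msg) != own_domain:
        return False  # external sender: not the spoofing case this check is about
    for result, dom in _auth_results(msg).values():
        # DMARC-style relaxed alignment: authenticated domain equals or is a subdomain of From domain
        if result == "pass" and (dom == own_domain or dom.endswith("." + own_domain)):
            return False
    return True

# Constructed sample: forged internal From with failing SPF and no DKIM signature.
SPOOFED = """From: IT Helpdesk <helpdesk@example.org>
Subject: Password expiry notice
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bounce@mailer.invalid; dkim=none

Your password expires today. Sign in at the portal to keep access.
"""

# Constructed sample: genuine internal mail, DKIM-signed by the organisation's own domain.
GENUINE = """From: IT Helpdesk <helpdesk@example.org>
Subject: Maintenance window
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=helpdesk@example.org; dkim=pass header.d=example.org

Mail will be unavailable on Saturday from 02:00 to 04:00.
"""

if __name__ == "__main__":
    print("spoofed flagged:", is_spoofed_internal(SPOOFED))   # True
    print("genuine flagged:", is_spoofed_internal(GENUINE))   # False
```

The same alignment check is what a published DMARC record asks every receiving mail server to apply, so the lasting fix is to publish one and move it to a reject policy once legitimate senders are authenticated.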