If a single click on a phishing email can ruin the entire company, the blame doesn’t lie with that individual.
40 points
True, in many cases there is a whole chain of vulnerabilities and misconfigurations, and everything starts with one phishing mail. For example:
- successful phishing
- VPN without 2FA, allowing the attacker access to company services
- internal services with vulnerabilities, allowing the attacker to compromise a server
- permission misconfiguration, allowing lateral movement
That was the point of this meme. It is not phishing alone that gets the company in trouble; it's mostly a series of misconfigurations.
I think that in cyber security, we have to assume that phishing will be successful sometimes - and be prepared when it happens.