top | item 44594013


stantaylor | 7 months ago

I used to work for a financial services company that had a strong and well-managed security culture. The company got acquired, and afterwards, we kept getting emails from third parties for various things, all supposedly initiated by execs/groups at the parent company.

We employees of the acquired company discussed the emails in Slack: we were sure that these emails were legitimate, but acting on them would have broken our security policies, so we all decided to report them as phishing attempts. We understood that we were engaging in malicious compliance, but our actions were also a best practice, so we couldn't technically be criticized for it.

After a while of this, execs at the parent company would send out sometimes exasperated-sounding emails ahead of time, alerting us to the email that we should expect to receive and how they wanted us to respond. Of course, that led to discussions of how we knew that those pre-email emails were legitimate. After a while, we all lost interest in this malicious compliance and adopted the much laxer security culture of the acquiring company.


x0x0 | 7 months ago

I had to fire the MSP I hired because they needed to install some software on everyone's computer, so they sent a company-wide email, with no clearance from anyone, directing approximately 40 people to open terminal and paste in a string sent in that email. Along with instructions on how to open terminal.

The absolute last thing anyone competent does is train employees to receive communications like that in email and follow them. If they'd asked for 3 minutes at an all-hands to prep employees, or announced it in Slack, or something similar, then OK. Or some out-of-band announcement that this was legit.