by viraptor 2744 days ago
> While it's true a state sponsored entity would have more resources than a kid in a basement

In this case, according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation. The companies should be held responsible for being silly in this case.


It's a bit silly, sure, but just because they got breached in this phishing attack, doesn't mean they didn't resist other attacks successfully.

Personally, yeah, companies need to be held to a higher standard against hackers, but if we're going to be realistic, we only expect they could do it because it's IBM and they have a lot of money. What about all the other companies? Rhetorically, what are we going to do about this issue? There's been decades of fairly basic confidence schemes and "hacks" and all the corporate training in the world isn't making a dent in people trusting strangers and running malicious files.

I have some strong views here.

1. These are cons more than hacks, as you wrote. I believe the protection doesn't exist only because there's no real risk. What would happen if some employee got conned into sending out company money? Why isn't the same response applied to obtained information?

2. Principle of least privilege + monitoring. Those companies should know almost immediately about the break-ins. Even if the training fails, there are mechanisms to stop this.

I'm starting to believe that at some point we should start fining people for lack of protection.