Log4Shell, one of the worst computer vulnerabilities discovered in years, has had security experts around the world racing to patch it.
Dubbed the "worst possible" computer bug by cyber security experts, Log4Shell is a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software.
According to Jacqueline Jayne, security awareness advocate, APAC at KnowBe4, Log4Shell exploits vulnerabilities within servers to install malware and gain access to organisations.
While IT is focusing on patching these vulnerabilities and monitoring their environments, it is just as critical to ensure employees are aware of the potential outcomes should malware be successfully deployed and cyber criminals gain access to an organisation's system.
"For example, once in a system, cyber criminals can send out phishing emails (malicious emails) to all the contacts in everyone's email accounts across your entire organisation.
"If you have 300 employees who have 1,000 contacts, there are 300,000 phishing emails that can be sent out to unsuspecting people.
"What's more, these emails will come from you and your organisation so the chances of the receiver engaging in these emails are extremely high," Jayne said.
The full fallout will not be known for several days. The hunt for affected systems is complicated by the fact that the vulnerable code can be embedded in software supplied by third parties, security response teams are still trying to identify impacted machines, and millions of servers running the vulnerable library are potentially compromised.
Jayne added that the same can occur in reverse.
"While your organisation may be completely safe from Log4Shell, it only takes one external organisation that one of your employees has had email contact with to fall victim for there to be a high chance that they will receive and engage with a phishing email (that looks completely safe)."
"The stakes are high so please make sure you communicate to your employees about the potential risks. Cyber security awareness is everyone's responsibility and if you have been educating your employees on the potential dangers you have already reduced your risk in this situation," Jayne concluded.
New Zealand’s computer emergency response team was among the first to report that the flaw in a Java-language utility for Apache servers used to log user activity was being "actively exploited in the wild" just hours after it was publicly reported on Thursday and a patch released.