Defending Against Business Email Compromise Attacks – Following on from Part 1, “An Introduction to Business Email Compromise”, in our two-part series.
Board Discussion – An important first step is to ensure the risk of BEC, and social engineering in general, is understood and discussed at the board level. BEC is not solely an IT issue, with Finance and Payroll departments disproportionately represented amongst BEC targets. To mitigate BEC effectively, a unified approach is required across departments to ensure a high level of organisational resiliency.
Training and Awareness – As with many forms of social engineering, training and awareness are very effective defences. Individuals who are alert to the possibility of email compromise and impersonation are much less likely to fall victim to Business Email Compromise.
Simulations – To further build upon training, and ensure knowledge retention, simulated BEC attempts should be run regularly. Simulations have the added benefit of providing hard metrics to help quantify the size of the issue and accurately measure the progress of improvements.
Email Gateway Tagging – Modern email gateways can be configured to tag emails from external sources and add BEC or phishing warnings. This helps prevent certain types of impersonation tactics and keeps the possibility of BEC front of mind for staff dealing with external emails.
Anti-Spoofing – To protect your business partners and your business reputation, anti-spoofing configurations such as SPF, DKIM and DMARC can be implemented to prevent your domain from being spoofed in a BEC attack against suppliers or customers.
DLP – Data Loss Prevention (DLP) refers to a set of tools and processes designed to reduce the risk of sensitive information leaving the corporate environment. These can be very effective at preventing email compromise attacks that target sensitive information.
Domain Awareness – To prevent impersonation by small changes being made to an organisation’s domain, many organisations will register similar domains to prevent attackers from using them. Alternatively, where registration is not possible or feasible, visually similar domain names can be pre-emptively blocked or flagged at the email gateway.
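As an added example (not code from the original article), the gateway-side flagging described under Domain Awareness can be expressed as a small classifier that tags sender domains which look like a protected domain: same label under another TLD, homoglyph substitutions, a single typo, or the real domain embedded in a longer name. The protected domain, the confusable table and the sample sender domains are constructed for illustration.

```python
import unicodedata
# Constructed protected domain for this example (an assumption, not from the article).
PROTECTED_DOMAIN = "example.com"

# Small table of visually confusable substitutions (including some Cyrillic letters);
# a production gateway would use a fuller source such as the Unicode confusables data.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def registrable_label(domain):
    """Label left of the suffix: 'examp1e' for 'mail.examp1e.com' (two-level suffixes ignored)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def skeleton(label):
    """Fold a label so homoglyph variants collapse onto the genuine spelling."""
    label = unicodedata.normalize("NFKC", label)
    for lookalike, genuine in CONFUSABLES.items():
        label = label.replace(lookalike, genuine)
    return label

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender_domain(sender_domain, protected=PROTECTED_DOMAIN):
    """Return (flag, reason); flag is True when the gateway should tag the message."""
    sender = sender_domain.lower().rstrip(".")
    if sender == protected or sender.endswith("." + protected):
        return False, "own domain"
    real_label, sender_label = registrable_label(protected), registrable_label(sender)
    if sender_label == real_label:
        return True, "protected label under a different TLD"
    if skeleton(sender_label) == skeleton(real_label):
        return True, "homoglyph of protected label"
    if edit_distance(sender_label, real_label) <= 1:
        return True, "one edit away from protected label"
    if protected.replace(".", "-") in sender or protected.replace(".", "") == sender_label:
        return True, "protected domain embedded in label"
    if sender.startswith(protected + "."):
        return True, "protected domain used as a subdomain"
    return False, "no match"
```

A gateway rule would run this over the From and Reply-To domains of inbound mail and add the warning banner whenever the flag is True; the same check applied to a supplier list catches lookalikes of partner domains as well.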
Robust Business Processes – BEC ultimately relies upon impersonation. Business processes should be designed with this in mind, and include identity validation steps utilising known contact methods, such as voice calls using numbers stored in the corporate directory.
Least Privileged Access – Least Privileged Access is a common concept in IT Security, ensuring individuals are provided with the minimum possible access required to complete their roles. This concept is not always universally accepted in wider business areas, resulting in staff having access to update banking information or make financial transfers when it is not strictly required for their role. By applying least-privilege principles across other departments, the risk of BEC can be greatly reduced.
Identify ‘at Risk’ Roles – Depending on the organisation, there may be some roles at more risk of BEC than others. Examples may include Finance staff, Payroll staff, Executive Assistants and Service Desk staff (for credential resets). Once these roles have been identified they can be provided enhanced training or more frequent simulations to improve the organisation’s overall resiliency and improve the return on investment made to mitigate BEC.
To meet this growing threat, the IT department or Managed Service Provider cannot work in isolation, as resiliency is best achieved through an aware and vigilant user base, supported by strong business processes and underpinned by technology solutions configured to meet the organisation’s specific requirements.
If you would like to discuss your organisation’s cyber security related matters, please don’t hesitate to contact us on 08 6324 3300, email email@example.com or pop into our office located at 1/82 Brookman Street, Kalgoorlie.