To Raise Security Awareness, Don’t Trust the Process.

Part 2 in a weekly blog series, “How Attackers Target Trust,” running during October, National Cyber Security Awareness Month and European Cyber Security Month. 

When it comes to trust in the workplace, perhaps our biggest downfall in the security space is trust in business processes. For decades now, we have relied on process definitions to gain efficiencies and to ensure our employees meet expected standards of performance.

The question we are now faced with, however, is are those processes secure in and of themselves?

The impact technology has had on business is all about efficiency of execution. While this has been great for the bottom line and exponential growth in productivity, it has also opened the door to increased risk.

Rarely, if ever, do we question the security of newly defined operational processes or technologies and even more rare is a security review of them.

BEC: the poster child for trusting process too much.

This is most evident by the rise in Business Email Compromise (BEC) attacks over the past few years.  It’s important that we recognize that these are attacks on people and process, not technology.

PhishMe Simulator™ – BEC Template

According to Securityledger.com, the FBI began tracking business email compromise (BEC) attacks as a unique crime type in 2017. The bureau as recorded a massive increase in incidents of business and other types of email account compromise attacks that may be responsible for $1.6 billion in losses in the U.S. since 2013 and $5.3 billion globally.

Can you reduce losses by a simple change in process? YES.

The example above is a common model that simply instructs payment to be made. An easy spoof of an executive’s email address, name and title often does the trick to solidify these attacks as legitimate. This can only be stopped through recognition that financial transactions directed in this manner are a straightforward violation of basic security protocols.

Notice also that the example contains an attachment.

While technology has done a decent job in assisting security personnel with the scanning and filtering of email attachments, imagine if we changed our business processes to no longer utilize emailed documentation as a standard process.

Q: What would happen if we did not use attachments in email to conduct business?

Wouldn’t that single change eliminate the attachment attack vector all together? The answer is that it would and yet, this is how many businesses choose to operate. With the availability of secure file transfers, why wouldn’t we change this paradigm and shift the course of the anti-phishing battle in our favor?

It’s time we took these realizations and secure solutions back to our executive leadership teams. It’s time to challenge the status quo. It’s time to open the door to conversation and alignment with our business partners and slam the door shut to attacks against insecure processes.

Learn other ways PhishMe® can help to raise your security awareness.

Locky or TrickBot? Depends Where You Are. Malicious Payload Delivery Tailored by Geographic Location
Rock the 80’s and More at PhishMe Submerge 2017!

Leave a Reply