Cyber security has become a matter of utmost importance in today’s digital world. With the growing number of cyber threats and breaches, every company, big or small, try to fortify their security walls to prevent cyber attackers from breaching their network. However, despite having substantial security measures that are way stronger than the other companies, Fortune 500 companies are more susceptible to cyberattacks.
Many of these Fortune 500 companies have reported an increase in instances of fraud or attempted fraud through wire transfer payments. Several cyber threat factions have been engaging in a widespread Business Email Compromise (BEC) scams against Fortune 500 companies since autumn last year.
The threat groups have been successfully using BEC scams, which utilise credential harvesting, phishing and social engineering, to persuade account holders to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
Delving deeper into the mechanism of cyber attacks is security expert Alan Levine:
Despite having advanced cyber security technologies, Fortune 500 companies still face cyber threats. What are the types of threats they are seeing and how do they occur?
Business Email Compromise (BEC) is an attack vector that is seeing substantial growth; Trend Micro for example has predicted that impact from this particular form of phishing will increase by more than $9bn in 2018.
Companies in the Fortune 500 have reported a significant increase in instances of fraud or attempted fraud via wire transfer payments. Cyber threat groups have been successfully using BEC scams, which utilise credential harvesting, phishing and social engineering, to convince finance and accounts payable personnel to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
It must be said, however, that although there has been a lot of focus on the risk to Fortune 500 companies from BEC, they are not by any means the only targets; all companies are at risk.
What is even more concerning is that attacks exploiting users may become more successful over the next decade. Wombat’s 2018 State of the Phish Report found that Millennials are less able to recognise phishing attacks than their older Baby Boomer colleagues.
How do they resolve these threats?
To defend against BEC, individuals in financial roles need to be specifically trained to identify and fend off these scams, which are particularly tricky to avoid because they are set up over time, with cyber criminals researching their targets and then building trust via multiple channels (phone, email, and social media). There are specific things that Fortune 500 organisations can teach their end users to defend against the BEC threat:
- All employees should be made aware of the dangers of sharing too much on social media. Teach users that they can’t always trust the legitimacy of their social contacts.
- Ask users not to give out company-internal information — like mobile phone numbers, vacation schedules, and job titles — when they receive unsolicited emails or phone calls. They need to understand that criminals can use seemingly innocuous data points against your organisation.
- Stress the need for users to verify all requests for wire transfers and highly sensitive data (like employee tax information). It’s a great idea to implement a ‘non-technical’ form of two-factor authentication with high-value targets, such as employees who can initiate wire transfers. For example, make it a policy that all such requests require voice-to-voice confirmation — via an established phone number — before financial transactions are facilitated.
- Cyber security is of top concern in countries all around the globe. US Homeland Security Secretary Kirstjen Nielson has also mentioned that her agency is making election cyber security top priority in an attempt to prevent foreign interference in this year’s elections. What is your outlook on this scenario? How can we advance cyber security so elections are secured?
Good cybersecurity is not one thing; it is a combination of elements, involving people, processes, and technology. Every cyberattack has a source, a vector, and a target. We should assume that nation states are sometimes the source of cyberattacks aimed at election interference. Their targets are the digital systems used to input and calculate election results.
We can try our best to thwart attackers by strengthening the technical defences of digital election systems. But, foremost, we should understand the common vector for these – and most other – cyberattacks. Even one malicious email, sent to IT personnel who administer an election system, can result in the compromise of their computer and then, via the exploitation of these assets, the extended compromise of an entire election system. While we deploy technology to defend election systems and develop processes to support those defences, we must place greater value on the impact, good and bad, of the very people who are central to those defences.
Thus, we should focus our efforts on the vector: emails that launch an attack and facilitate every devastating thing that may follow. If IT administrators and, indeed, all users, are trained to identify and report potentially malicious emails, then the very start of attacks against election systems can be stopped. Addressing the email vectors for cyberattacks means training the people who receive, read, and react to those emails, so that they know what to do, and do it with diligence everytime.
- Do you think that better government intervention in cyber security will secure companies from cyber threats?
It is great to see the UK’s National Cyber Security Centre adopting a much more active posture in helping defend the UK from the range of cyber threats facing the country. Closer partnerships have now been formed with government, industry and law enforcement by prioritising cybersecurity. However, ultimately it isn’t solely through government intervention and enforcement that organisations will become secure; security has to form part of any business’s DNA and includes a mixture of people, process and technology. Cyber criminals will always identify and attack the weakest links; therefore, businesses should work together to create a virtual ‘fence’ to limit the potential attack surface and subsequent effectiveness of cyberattacks.
- What can be done differently to change the cyber security scenario all across the globe?
There’s no doubt that organisations are under a greater threat from cybercriminals than they’ve ever been, and this is unlikely to simply drop off. For example, Wombat Security’s ‘2018 State of the Phish Report’ found that 76% of organisations experienced phishing attacks in 2017. In addition, organisations are reporting more security impacts stemming from email-based social engineering.
There is no silver bullet when it comes to solving the challenge that cybercrime presents. However, a user who receives continuous cybersecurity training – and is therefore cyber-aware – is less likely to commit risky behaviours, and is more likely to spot and report suspicious activities. Don’t underestimate the power of educated users – effective training offers clear, measurable benefits for cyber risk reduction.
When strong technical defences are combined with an ‘army’ of knowledgeable users, organisations will prevent more successful attacks and chip away at the profitability of cybercrime, thus slowing its growth.
- Is there any way for companies to augment their cyber security to an extent that cyber threats won’t stand a chance to breach into advanced systems?
No system in the world is completely invulnerable to attack, but one of the most positive changes a company can make is to invest in its people. No company should rely on cyber security technologies alone. What’s needed is a layered approach that embraces a mixture of both technical safeguards and end user cybersecurity training and awareness.
Shockingly, according to the Online Trust Alliance’s (OTA) ‘Cyber Incident and Breach Trend Report’, 93% of cybersecurity incidents in 2017 could have been prevented by following basic security best practices, such as conducting phishing awareness training. With so much at stake financially and reputationally, organisations cannot afford to allow data breaches or damaging service outages to occur because of human error. Employees are a corporation’s last line of defence against cyberattacks, so they must be given the right skills and tools to effectively participate in the fight against cybercrime.
About Alan Levine
Alan Levine is a security advisor of Wombat Security with extensive global experience and has specialisation in all facets of cyber security, global data privacy with emphasis on European privacy provisions, Compliance, including SOX and related corporate compliance requirements.