Intelligent CISO Issue 31 | Page 39

The technique that the criminals are using will dictate the controls that we implement to ultimately identify and block these threats.
With BEC, one of the things that you need to focus on first of all is the technology – block as much as possible from reaching your people.
Start by authenticating email and your domain. Implement industry authentication standards like DMARC that prevent criminals from spoofing your domain. Tell your suppliers to do the same thing. By having those layers, this will ultimately protect the business, its suppliers and customers.
But we also need to educate our users themselves to identify BEC attacks. Show them the real-world examples and educate them on those threats that you've blocked. And embed them in part of your security controls: make it easy for them to report bad emails and reward them for doing so.
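To make the DMARC step concrete, here is an added example that is not from the interview or from any vendor: a small Python checker that parses a domain's DMARC TXT record and reports how much spoofing protection it actually gives, so the same check can be run over your own domain and over the domains your suppliers publish. The domain names and records below are constructed; a real check would first fetch the `_dmarc.<domain>` TXT record from DNS and pass the string in.

```python
"""Assess DMARC records: does the published policy actually stop domain spoofing?"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]            # value of the p= tag, or None if absent
    subdomain_policy: Optional[str]  # sp= tag, defaulting to p=
    pct: int                         # share of failing mail the policy applies to
    has_rua: bool                    # aggregate reports are requested
    findings: List[str] = field(default_factory=list)

    @property
    def blocks_spoofing(self) -> bool:
        """Only quarantine/reject applied to 100% of mail stops spoofed messages."""
        return self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into lower-cased tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Turn a raw TXT record (or its absence) into findings a CISO can act on."""
    if record is None:
        return DmarcAssessment(domain, None, None, 0, False,
                               ["no DMARC record published: the domain can be spoofed freely"])
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1; receivers will ignore it")
    policy = tags.get("p")
    sub_policy = tags.get("sp", policy)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number; treat the policy as not enforced")
    if policy is None:
        findings.append("no p= tag: the record is invalid and gives no protection")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: only part of the failing mail is subject to the policy")
    if sub_policy == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains open to spoofing")
    has_rua = "rua" in tags
    if not has_rua:
        findings.append("no rua= address: you will not see who is spoofing your domain")
    return DmarcAssessment(domain, policy, sub_policy, pct, has_rua, findings)


def assess_domains(records: Dict[str, Optional[str]]) -> Dict[str, DmarcAssessment]:
    """Assess your own domain and your suppliers' domains in one pass."""
    return {domain: assess_dmarc(domain, record) for domain, record in records.items()}


# Constructed sample records (assumption: not real domains or DNS data).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "yourcompany.example": "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.example",
    "supplier-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@supplier-a.example",
    "supplier-b.example": "v=DMARC1; p=quarantine; pct=50",
    "supplier-c.example": None,
}

if __name__ == "__main__":
    for domain, result in assess_domains(SAMPLE_RECORDS).items():
        status = "protected" if result.blocks_spoofing else "AT RISK"
        print(f"{domain}: {status}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The point of the `blocks_spoofing` property is that a record existing is not the same as a record enforcing: `p=none` and a partial `pct=` are the two most common ways a domain looks "authenticated" while still being spoofable, which is exactly what a BEC sender relies on.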
How important is a layered approach for preventing these types of attacks?
We need a layered approach to not only prevent BEC attacks, but to be able to detect and respond to EAC attacks. For example, if you see that someone is logging in from Venezuela at 2am when they're normally based in London and work 9am – 5pm, you need to be able to remediate that. That's unusual behaviour, potentially a compromised account and someone that we need to investigate. So, you need CASB solutions as well, that can detect those types of attacks.
How far do technology and education align to prevent these types of attack and should CIOs and CISOs prioritise one over the other?
Now that our people are working remotely, we can't rely solely on network firewalls, IPS solutions or the layers we've put in the data centre because we've outsourced that data centre. Our people are our new perimeter.
It's critical to train employees and ensure they're aware that they're under attack and to show them the actual threats that we block that are targeting them.
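The Venezuela-at-2am scenario is the kind of rule a CASB or identity-protection product evaluates on every sign-in. As an added illustration, not taken from the interview or from any product, the Python below runs three checks over a small batch of constructed sign-in events: country differs from the user's baseline, the local time falls outside the user's working hours, and the country changed faster than a person could plausibly travel. The user profiles, log lines, IP addresses and the eight-hour travel window are all assumptions chosen for the example.

```python
"""Flag sign-ins that deviate from a user's normal country and working hours."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed baseline profiles (assumption): home country, UTC offset, working hours.
PROFILES: Dict[str, dict] = {
    "alice": {"country": "GB", "utc_offset": 0, "work_start": 9, "work_end": 17},
}

# Constructed sample sign-in events, one JSON object per line (not real logs).
SAMPLE_LOG = """
{"user": "alice", "ts": "2024-03-04T10:15:00Z", "country": "GB", "ip": "203.0.113.10"}
{"user": "alice", "ts": "2024-03-05T02:03:00Z", "country": "VE", "ip": "198.51.100.7"}
{"user": "alice", "ts": "2024-03-05T09:30:00Z", "country": "GB", "ip": "203.0.113.10"}
"""


@dataclass
class Alert:
    user: str
    ts: datetime
    country: str
    ip: str
    reasons: List[str]

    @property
    def severity(self) -> str:
        # Several independent deviations on one sign-in is the strongest EAC signal.
        return "high" if len(self.reasons) >= 2 else "medium"


def parse_events(raw: str) -> List[dict]:
    """Parse JSON lines into events with timezone-aware timestamps, ordered per user."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def detect_anomalies(events: List[dict], profiles: Dict[str, dict],
                     travel_window: timedelta = timedelta(hours=8)) -> List[Alert]:
    """Return one Alert per sign-in that breaks the user's baseline."""
    alerts: List[Alert] = []
    last_seen: Dict[str, dict] = {}
    for event in events:
        profile: Optional[dict] = profiles.get(event["user"])
        if profile is None:
            continue  # no baseline for this user; nothing to compare against
        reasons: List[str] = []

        if event["country"] != profile["country"]:
            reasons.append(f"sign-in from {event['country']}, "
                           f"user is normally in {profile['country']}")

        local_hour = (event["ts"] + timedelta(hours=profile["utc_offset"])).hour
        if not profile["work_start"] <= local_hour < profile["work_end"]:
            reasons.append(f"sign-in at {local_hour:02d}:00 local, outside "
                           f"{profile['work_start']}:00-{profile['work_end']}:00")

        previous = last_seen.get(event["user"])
        if (previous is not None and previous["country"] != event["country"]
                and event["ts"] - previous["ts"] < travel_window):
            reasons.append(f"country changed from {previous['country']} to "
                           f"{event['country']} within {event['ts'] - previous['ts']}")
        last_seen[event["user"]] = event

        if reasons:
            alerts.append(Alert(event["user"], event["ts"], event["country"],
                                event["ip"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_events(SAMPLE_LOG), PROFILES):
        print(f"[{alert.severity}] {alert.user} {alert.ts.isoformat()} "
              f"{alert.country} {alert.ip}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

In the sample, the 02:03 sign-in from Venezuela trips two checks at once (wrong country, outside 9-5) and is rated high, which is the "remediate that" case from the answer; the following London sign-in seven and a half hours later is rated medium on the travel check alone, a useful second signal that the account is being used from two places. A production rule would learn the baseline from history rather than a hand-written profile, but the structure of the decision is the same.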


But I don't think it's either/or – it's both working in tandem. You want to make it easy for employees to alert you by pressing a simple button in Outlook which automatically sends the email to the SOC team.
They analyse that email using technology, sandbox the email to determine whether it's bad. They send an alert back to the employee. Then they use technology to find those emails in other employees' inboxes and pull those out automatically. That's people, your employees, and technology, the automation and sandboxing, working together to protect the organisation.
How can organisations instil confidence in their employees to ensure that these incidents are reported?
In the past, we had a tendency to shame the individual, even with the simulated phishing attacks that we send out to raise awareness. We can't victim-blame or shame the individual – unless of course there is repeated behaviour – we need to make them feel safe. They are ultimately victims and we need to make it easy for them to report and reward them when they do identify a bad email.
There's also gamification that you can bring into this to make it much more interesting and engage your employees.
What advice would you give those wishing to bolster their email defences?
Fundamentally, organisations need to focus on implementing a people-centric security programme. Your people are the new perimeter, at the core of cyberdefences, and they are under attack by cybercriminals.
It's important for CISOs and CIOs, and all security professionals, to understand the business as well as the criminals do. Understand who your very attacked people are: who's being targeted with what, who's getting credential phishing, who's getting malware, who's getting those Business Email Compromise attacks and whose credentials are compromised? Based on that visibility into your very attacked people, you can then build a security programme that's tailored to your business and the threat profile of your users. It's not generic at all but is highly effective because it's based on the risks that you face.
Protect your business, protect your suppliers, protect your employees and ultimately, by doing that, you're protecting your data.