Sponsored Content

Firms reel from social engineering attacks

Call to realign IT security budgets to match BEC-dominated threat landscape

by David Ndichu, December 7, 2020

The pivot to social engineering as the primary mode of cyber attack marks a dangerous and unprecedented turn in cybersecurity. Here, cybercriminals trick employees into interacting with the malware: giving up their credentials, installing the malware for them, or sending the data or money directly to the perpetrator. Almost 100 per cent of those attacks require human interaction to be successful, observes Adenike Cosgrove, Director of International Product Marketing at Proofpoint.

“As organisations shift their data centres to the cloud, hacking the network is getting more difficult. Cybercriminals are thus attempting to bypass technology and security controls and target the people themselves,” says Cosgrove.

Business email compromise (BEC) is one of the most nefarious forms of social engineering: cybercriminals impersonate someone in a position of trust and send a simple email to get employees either to send money or to grant them access to corporate data. Proofpoint data shows that since March 2020, over 2,000 CEOs or executives have been impersonated, with the average number of CEO impersonation attacks per organisation rising to 102. The Covid-19 pandemic has caused a spike in these types of attacks, and Proofpoint has blocked 500,000 BEC attacks every month since March.

The rise of social engineering attacks is partly the result of a dichotomy between how defenders block threats and how criminals target people. Security resources primarily go towards protecting the network, endpoints and the data centre, when data shows that the vast majority of threats (over 90 per cent, according to the Verizon data breach report) are delivered via email to people.
“We’re still focused on protecting the network when Microsoft and other technology providers are doing such a great job patching vulnerabilities quickly,” says Cosgrove. “As security professionals, we need to focus not just on network security, but on understanding the business and identifying those people that are being targeted,” she adds.

IT security investments are similarly misaligned. According to a recent report, 90 per cent of threats are sent through email, but only about 10 to 12 per cent of security budgets are spent on protecting the email channel. Over 60 per cent of security budgets are invested in network and endpoint security. A lot of effort is also spent on remediation: by the time IT security moves to secure the endpoint, the employee has already interacted with the threat.

“We need to focus on moving up that attack chain and block as much as possible from reaching the users. And then train those users to identify the threats that do land in their inbox,” says Cosgrove.

In addition to executives, cybercriminals are also increasingly spoofing suppliers. In such cases, cybercriminals identify companies an organisation is doing business with and then pinpoint when a shipment is about to be sent or received. Pretending to be the supplier, they send a fake invoice that closely resembles what one would expect to receive from the supplier. Or they inform the victim that they have changed their bank details and trick an oblivious finance officer into sending money to the criminal instead of the supplier.

People-centric security

People-centric security refers to the shift cybersecurity professionals need to make in their cyber strategies. Unlike security teams, criminals are focusing more on people and less on infrastructure.
“IT security professionals need to focus on their people, understand who their most exposed people are and map the vulnerability of each employee, because the threat profile varies greatly depending on the job role, seniority and the employee’s access to sensitive information and systems,” says Cosgrove.

For example, HR will typically be targeted with fake CVs carrying malware hidden in macros, while marketing professionals, who rely on cloud-based collaboration tools, will be targeted through credential phishing, where cybercriminals steal the username and password to gain access to intellectual property and company data.

Protecting against business email compromise and other social engineering attacks requires a combination of technology, processes and people. From a technical perspective, there are tools that organisations can leverage, such as machine learning-enabled secure email gateways, whose algorithms should be able to check the authenticity of an email by analysing the language used. Words like ‘urgent’, for example, should throw up red flags, Cosgrove warns. IT security teams can also put warning tags on emails: if an email claims to come from one of the executives but its source is external, it should be flagged, as it could be spoofing that executive’s identity.

On the process side, some organisations have put measures in place that prevent an invoice from being paid out if they cannot authenticate the identity of the person sending the email. And there are readily available authentication standards such as DMARC, which prevents criminals from hijacking your domain to trick employees and business partners, says Cosgrove.

To solve the people equation, cybersecurity training should be ongoing, targeted and relevant to the threats facing each individual in the organisation. If employees come across anything that looks suspicious, it should be automatically forwarded to security, and if it is malicious, security will remove it from their inbox.
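The warning-tag idea above, as an added example (not code from the article or from Proofpoint): a small tagger that flags messages whose display name matches an executive while the sending domain is external, a Reply-To that points elsewhere, and the urgency language the text mentions. The internal domains, executive names, keyword list and the two sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (constructed): own domains and executive names.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Words the article singles out as red flags, plus a few BEC staples.
URGENCY_WORDS = {"urgent", "immediately", "wire", "asap"}


def tag_message(raw: str) -> list:
    """Return the warning tags that apply to one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    tags = []
    # External source: the mail did not originate from one of our domains.
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        tags.append("EXTERNAL")
        # The classic BEC tell: an executive's name on an external address.
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            tags.append("EXEC-NAME-FROM-EXTERNAL")
    # Replies silently routed to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        tags.append("REPLY-TO-MISMATCH")
    # Pressure language in subject or (single-part) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    words = set(re.findall(r"[a-z]+", (msg.get("Subject", "") + " " + body).lower()))
    if words & URGENCY_WORDS:
        tags.append("URGENT-LANGUAGE")
    return tags


# Constructed sample: look-alike domain, exec's name, off-domain Reply-To.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jd.private@freemail.example
To: finance@example.com
Subject: Urgent wire transfer

Please process this payment immediately and call me when done.
"""

# Constructed sample: the same executive writing from the real domain.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q4 budget review

Attached is the draft for Monday.
"""
```

A gateway rule that prepends the tags to the subject or a banner gives the finance officer the "external source" cue the article describes before they act on the request.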
“This way, we’re starting to change behaviour and bringing employees into the security fold,” she says.

Future

Cybercriminals will continue to target people for the simple reason that it works. The FBI has estimated that $26bn was lost to business email compromise and compromised email accounts between 2016 and 2019, and these are only the cases that have been reported. Individual organisations have lost millions and made headlines. It is thus fundamental that organisations focus on implementing a people-centric security strategy. “Focus on understanding your business better than the criminals do,” says Cosgrove.

The shift to remote working brought on by the Covid-19 pandemic has expanded the attack surface for organisations. Remote workers are not protected by the layers of technical controls available within the enterprise, Cosgrove observes. “The only way then to protect remote employees is by identifying those vulnerable users and implementing controls to protect them, regardless of their location,” she adds.