As the digital age unfolds, it’s increasingly clear that the weakest link in cybersecurity is humans. People click bad links, open infected files, and succumb to an array of other social engineering tricks. As a result, business email compromise attacks have emerged as a significant threat. Indeed, the FBI reports that the crooks behind such schemes have netted $5.3 billion globally since 2013.
To make matters worse, though, hackers are now conducting business process compromise (BPC) attacks as well—and virtually no company is immune. Jonathan G. Gossels, president and CEO of SystemExperts Corp., an independent cybersecurity consulting firm based in Sudbury, Mass., says BPC attacks come in one of two forms: those that impersonate an executive requesting that a user take a particular action, and those that use links or attachments to deliver ransomware.
Security vendor Trend Micro Inc., of Irving, Texas, considers BPC exploits a potent threat too. “Attackers leverage either common vulnerabilities or social engineering to gain a presence on the network. Then they use custom code to alter the target business process,” points out Mark Nunnikhoven, the company’s vice president of cloud research. What makes these attacks so dangerous is that intruders typically avoid detection until they have reaped “a significant and direct financial gain,” he adds. “By the time you recognize an attack has taken place, it’s too late.”
There are ways to combat the problem and minimize the risk of a breach, though. According to Nunnikhoven, a channel pro should focus on these key areas: ensuring that there’s deep visibility into client networks and infrastructure; mapping systems and workflows in aggregate rather than examining isolated applications, tools, and processes; and using a holistic “start-to-finish” approach that identifies weaknesses. It’s important to ensure that “each phase of the process verifies the input from the previous,” he adds.
While the right IT tools can aid in detecting and filtering forged emails, fake domains, and other risks, they can’t prevent an employee from responding to spear-phishing attacks or accepting a phone call from a criminal masquerading as a senior executive requesting a funds transfer, both of which involve human interaction. As a result, checks and balances are critical.
“You must address the problem through a combination of enhanced filtering capabilities, better business processes, and education,” stresses Gossels. Rethinking authorizations and other tasks is paramount as well.
Make no mistake, though, business process compromise attacks aren’t going to disappear anytime soon. Direct financial losses and ransomware demands can reach into the tens of thousands of dollars—if not more. “We see more and more criminals attempt and succeed at these types of attacks,” says Nunnikhoven. “The good news is that channel pros are well positioned to help clients defend themselves.”