Article written by:
Ray Tefft
Security Analyst
Business Email Compromise (BEC) is the number one cybersecurity threat businesses face. Given that BEC is aimed at gaining access to an organization’s email in order to “get in the middle of” electronic transactions, organizations of all sizes are at risk.
Last week, GBQ’s Information Technology Services team was engaged to conduct the fifth cyber investigation of the year involving a business email compromise. In this case, an attacker gained access to our client’s customer’s email system and misdirected a $240,000 payment, spoofing both the customer and our client’s financial employee.
The result of the investigation was a firm determination of where the breach occurred and a recovery of the money. Both businesses involved surely would have preferred not to have gone through the investigation; avoiding a security event requires a firm to manage security “to the left of the breach” rather than “to its right,” or afterward.
When GBQ conducts a cyber-risk assessment, we take a hard look at your entire business, including your email infrastructure and the administrative, technical and physical controls that protect it. We think an annual cyber risk assessment is a necessary practice in today’s environment. Short of engaging in an assessment, here are some things “to the left” of an email breach you should be doing to protect email properly:
- Do you control access to your email system with strong passwords and two-factor authentication?
- Employees who use company email may have exposed their company ID and password if they reused those credentials at a shopping site or other online account that was later breached. How many at-risk users are in your organization?
- On average, 25% of employees use the same password for all of their business and personal login credentials. How many of your employees are using breached passwords?
- Are you training your employees to be cybersecurity aware? Do your users know what to do when they receive a suspicious email?
- What if your employee clicks on a bad link in an email? What can you do?
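The two questions about breached and reused passwords are the ones a technical team can actually measure. The following is an added example, not code from GBQ or from the original article, of the check in its privacy-preserving form: hash the candidate password with SHA-1, send only the first five hex characters to a breach-aggregation service (the k-anonymity “range” model used by services such as Have I Been Pwned’s Pwned Passwords), and compare the returned suffixes locally so the full hash never leaves your network. The breach corpus, the `range_lookup` stand-in for the HTTP call, and the sample user list are all constructed here for illustration.

```python
import hashlib

# Constructed stand-in for a breach corpus (NOT real breach data): a few
# passwords with made-up "seen N times" counts. A real service holds
# hundreds of millions of these and is queried over HTTPS by hash prefix.
_KNOWN_BREACHED = {"Password123": 123456, "Summer2019!": 987, "letmein": 55555}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest the range model is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords: dict) -> dict:
    """Index the constructed corpus the way a range endpoint serves it:
    5-char hash prefix -> list of 'SUFFIX:COUNT' lines (35-char suffix)."""
    index = {}
    for pw, count in breached_passwords.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


_RANGE_INDEX = build_range_index(_KNOWN_BREACHED)


def range_lookup(prefix: str) -> list:
    """Stand-in (assumption) for the HTTP range query: given only the first
    five hex characters, return every 'SUFFIX:COUNT' line sharing that prefix."""
    return _RANGE_INDEX.get(prefix, [])


def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 if never).
    Only the 5-char prefix is sent out; the suffix comparison happens locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def at_risk_users(credentials, lookup=range_lookup) -> list:
    """credentials: iterable of (username, candidate_password) pairs, e.g. captured
    at password-set time. Returns the usernames whose password is in the corpus."""
    return [user for user, pw in credentials if breach_count(pw, lookup) > 0]


# Constructed sample input: two users choosing known-breached passwords, one not.
SAMPLE_USERS = [
    ("alice", "Password123"),
    ("bob", "c0rrect-horse-battery-staple"),
    ("carol", "letmein"),
]

if __name__ == "__main__":
    flagged = at_risk_users(SAMPLE_USERS)
    print(f"{len(flagged)} of {len(SAMPLE_USERS)} users chose a breached password: {flagged}")
```

The natural place to run `breach_count` is the password-set or password-change path (or a directory-wide check if you hold the plaintext at that moment), rejecting any candidate with a non-zero count; it cannot see reuse across personal sites, only membership in a breach corpus, which is why the article pairs this question with two-factor authentication.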
Overall, when we look at your email infrastructure to the left of the breach, we will also review policies defining the proper use of company email, employee awareness training, as well as some other specific technical aspects of your communications infrastructure.
Additionally, we recommend that a firm should:
- Communicate with its bank to implement controls such as positive pay. (Better yet, do not use email as the channel for electronic payment instructions at all.)
- Talk with your insurance broker to understand which types of electronic transactions are protected by your cyber liability coverage. Often, transactions based on emailed routing instructions are not covered.
- Finally, for more education on this topic, the FBI provides some great information:
Most businesses, regardless of size, are not doing enough to the left of the breach and are operating exposed. Email is not the only vulnerable asset. Again, we think you should be assessing cyber risk annually. If you need help plotting your safe course in the cyber world, contact us.
GBQ IT Services is one team of builders, breakers, operators and auditors with access to a consortium of 50 experienced IT, cyber and assurance professionals delivering IT risk, cybersecurity and productivity solutions. We build value through IT strategy, protect value with information risk and cybersecurity services, measure value and improve productivity with data analytics and process automation, and assure value through IT audit services.