Posted 1 month, 1 week ago
According to IBM, the average cost of a data breach in 2019 was just under $4 million—and this is nothing compared to the costs of some of the more high profile security lapses in recent history. Since the Equifax breach was uncovered in the 2017, it’s estimated that it’s cost the company $1.4 billion. And this is before we talk about other types of attacks beyond data breaches, like the SWIFT transaction fraud that lay at the heart of the infamous Bangladesh Bank heist. Really, it’s hard to overstate how critical data security is for international businesses, especially in the financial sector.
From the outside, it’s fairly clear that protecting the information that's sent, received, and stored by your organization is mission critical. And yet, it seems like every day we hear about a new data breach or an instance of cyber fraud—is the problem that these incidents are simply not preventable? Or are companies not protecting themselves effectively against known risks?
Too often, it’s the latter. In those instances, it’s hard not to wonder what steps could have been taken to prevent the hackers or fraudsters from preying on the business—but after the fact isn’t really the ideal time to do a deep dive into cyber security best practices. On the contrary, the best time to learn about the most serious threats to your corporate data is right now.
While much of what we’ll discuss in this list involves specific attacks to which companies might find themselves vulnerable, this one is a more generalized statement: the world’s biggest cyber security threat is human error. This can take any number of forms, from email users who aren’t able to identify phishing emails and unwittingly click on suspicious links (more on that shortly), to sysadmins who have to manage and maintain complex IT systems, to managers who don’t encourage their teams to follow cybersecurity best practices when working remotely. Essentially, any time someone is trying to provide information or perform a transaction, something could go wrong. From the perspective of keeping your corporate data safe, that means your best bet from an overarching cybersecurity perspective is to do whatever’s in your power to minimize the chances that humans encounter to click on the wrong link, open the wrong email, misconfigure an application, process a fraudulent request, etc. This can involve trainings for corporate email users and a strong baseline set of best practices, yes, but it can also mean automating wherever feasible, and thus greatly reducing complexity.
One of the reasons that the cost of human error when handling sensitive information can be so high, however, is that businesses often fail to effectively encrypt data, both in storage and in transit. If you sent an unencrypted message to your CFO containing important financial information and hacker who was snooping on your web traffic managed to read it, you just made the hacker’s job a whole lot easier. He can either take that information and use it to profit (if the message contains account or routing numbers he could potentially find a way to break into those accounts, e.g.), or he can alter the contents of the message (e.g. so that the account numbers are now those of a bank account that he controls) and send it to CFO, pretending to be you. This latter attack is known as a man-in-the-middle, and it’s a common tactic that malicious actors and fraudsters use to extract money from their victims. Luckily, it can be fought off with encryption. If the message you originally sent was encrypted, the man-in-the-middle wouldn’t have been able to read or manipulate it, and the whole attack would have been thwarted from the start.
For something like financial transactions, the same principle applies: if a financial institution is sending messages to the SWIFT network unencrypted, someone can essentially pull off what the hackers in the Bangladesh heist did, i.e. change the account information on legitimate requests so that the money goes to their accounts instead of those of the intended recipient. With encrypted data, this risk vanishes for the reasons recounted above. Considering that the amounts of money involved that infamous heist were in the hundreds of millions of dollars, it seems safe to think of this a significant threat.
Okay, we’ve talked about two of the ways that organizations become vulnerable to attacks (human error, unencrypted data), with allusions to some of the specific ways in which fraudsters might try to capitalize on these factors. Now, let’s dig a little deeper into some of the specific threats (i.e. types of cyber attacks) that enterprise businesses face in the 21st century. For starters, there’s phishing attacks. No one thinks that it can happen to their organizations (or themselves—because they would never fall for such a thing), but in 2017 about 75% percent of businesses reported falling victim to a phishing attack of some kind. Considering that a midsize company might lose more than $1.5 million in a phishing attack, this is nothing to take lightly. And the attacks continue to gain sophistication; today, most attackers even use HTTPS to make themselves appear legitimate—meaning that the intended victim might hover over the link in a borderline-suspicious email, decide that it looks legit, and then inadvertently navigate to a form where they’ll give privileged information to hackers who will use it for their own gain.
This attack represents what happens when our first two threats come together: an email user or other corporate actor makes a mistake in judgement, and there’s no encryption system to provide trust and identity management to make the right judgement call easier.
Phishing and related attacks like business email compromise (BEC) and CEO fraud make up a huge swath of the attack surface for your typical business. In fields that might be slightly more niche—e.g. banking, insurance, medical, etc.—there are other threats that CIOs and CISOs have to take seriously when they’re sketching out their digital defenses. For instance, banks that use the SWIFT network to initiate financial transactions are at an increasing risk of SWIFT fraud, even as SWIFT CSP implements new requirements and recommendations for the cyber security of the banks on its network. With potential phishing attacks, the authenticity of the message in question needs to be verified before you can continue with confidence. For message on the SWIFT network, the bigger concern is the integrity—i.e. whether or not someone has changed the details on the message and sent it along to the SWIFT network in the hopes of getting them to send money to an account that they own. Again, this is what happened in the infamous Bangladesh Bank heist, and it’s something that still happens (albeit in smaller, less flashy ways) on a regular basis even as SWIFT CSP compliance requirements grow more stringent. Why? Because few banks are actually able to comply with the requirements. Most of the solutions available on the market are too heavy and too expensive to give banks the protection they need with a total cost of ownership (in terms of both money laid out and costly labor spent on configuration, installation, and maintenance) that’s feasible. Unfortunately, without a suitable solution, message manipulation of this sort remains one of the biggest threats to your data.
In the two threats we sketched out above, the first two items on our list (human error and lack of encryption) came into play in a significant way. This last threat encompasses those two factors, while perhaps opening up a broader line of argumentation: in order to stave off costly cyber security incidents, businesses need to empower their employees to practice good digital hygiene no matter the situation. Especially right now, with so many people working from home for the first time, it’s critical that email users and others act in accordance with digital best practices, from choosing secure WiFi network to work on, to keeping their communications to approved channels, to, yes, encrypting emails and their storage. This might sound like it’s basically covering the same territory as human error, but the difference here is that our concern is with fighting complexity and indifference. When manual processes that sysadmins have to perform in order to keep track of encryption are too numerous or difficult, the system of establishing trust and managing identities begins to fall apart even without explicit mistakes. When users can’t make sense of the new email UI that they’re using to promote message encryption, they’ll simply go around it, using messaging apps or other means of communicating that may leave data vulnerable. Essentially, the real threat here is implementing systems for security that your users or admins won’t be able to comply with. And, indeed, the more complexity mounts in your IT environment, the more prone you’ll be to slipups.
The solution to actually making good digital hygiene possible? Automation.
By automating encryption and key management for email and SWIFT transactions, p≡p’s software makes privacy—the foundation of good digital hygiene—the default. Instead of giving email users clunky UI that impedes their ability to do their jobs effectively, p≡p simply offers color coded feedback whether or not a particular communication channel is secure or not, and if the sender’s identity has been verified.
This means that there’s no way for a user to fall for a phishing email that spoofs the CFO’s email address, since the system will flag the message due to wrong trust and key information. Likewise, the system automatically offers protection for the entire back office IT ecosystem, ensuring the integrity of SWIFT messages and thereby eliminating the possibility of message manipulation.
Like we said above, ease of use is the only way to fight human error—and p≡p’s automated, turnkey solution makes peer-to-peer, end-to-end, opportunistic encryption so easy that it’s virtually invisible. The result is that fraud attempts are stopped in their tracks. And your company is protected where it is the most vulnerable.
Why Business Email Compromise Is the Costliest Attack Vector (and What to Do About It)
June 19, 2020, 10:24 a.m.