2017 was a year of significant data security breaches worldwide, with organisations at all levels targeted.
According to Gartner, the worldwide spend on information security products and services in 2017 was $101.544bn, set to increase to $114bn by the end of this year, followed by $124bn by 2019, representing an almost 20% increase in the space of 2 years (https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019).
This growth is being driven by multiple factors.
In addition to traditional concerns, such as security risk for businesses relating specifically to potential data breaches, there is also growing awareness of the importance of organisational security, both from a financial as well as reputational standpoint for companies, due in no small part to the many high-profile breaches suffered in 2017 and 2018.
Even within the previous 2 months, Instagram was subject to a data breach, wherein hundreds of users had their accounts locked and their login emails replaced with Russian addresses. Although the number of users affected was relatively small compared to Instagram’s user base, the compromise was enough to be reported by international media outlets, causing potentially significant damage to the company’s reputation (https://www.independent.co.uk/life-style/gadgets-and-tech/news/instagram-hack-accounts-russia-take-over-security-locked-how-2018-a8492406.html).
In addition to the above, there is also increasing pressure arising from regulatory concerns, most notably evinced by the introduction in May of this year of the EU General Data Protection Regulation (GDPR).
GDPR places an increased onus on organisations to responsibly process and protect individuals’ personal data. As such, its arrival is likely to require many organisations, from SMEs to large multinational companies, to develop a more holistic understanding of their security infrastructure, both from a technical perspective, as well as through other means, such as by allocating resources to educating their workforce, and introducing data policies that comply with regulatory requirements.
Notwithstanding the greater awareness and concomitant spending that organisations are now undertaking with respect to their cyber security, the nature of the threat against these organisations and, in particular, the sensitive data they hold both in relation to themselves and individuals, is ever-increasing in sophistication and in scope.
In recognition of this growing threat landscape, CYBER1 introduces the first in a series of articles designed to highlight key cyber security threats of which organisations should be aware, both now and in the future.
This week’s article focusses on a very commonplace threat: Business Email Compromise attacks (BECs).
Although much cyber security-related news in 2017 focussed on well-publicised ransomware attacks such as WannaCry and NotPetya, Cisco reported at the time, in its mid-year cyber security report, that the greater threat to organisations lay in BECs (https://www.computerworld.com.au/article/626254/ransomware-gets-headlines-business-email-compromise-bigger-threat/).
These are a form of phishing attack, wherein an attacker impersonates, for example, a senior company executive, and thereby induces employees to divulge confidential information, sensitive personal or business information, or even to facilitate the transfer of company funds.
BECs often target large companies and can bypass the often-strong threat defences in place in such organisations, due in part to an absence of malware or malicious links, making purely software-based detection of this threat difficult.
BECs rely on social engineering: in other words, targeting the most vulnerable element of a company’s cyber security system, namely personnel. The main defence against BECs is therefore education of employees, as well as ensuring that appropriate disaster recovery mechanisms exist in case of breach.
However, to ensure comprehensive protection against these attacks, as is the case with any cyber threat, there is no single answer, technical or otherwise: instead, the corporate network should be considered in its entirety and appropriate safeguards implemented at every level, not just that of the employee.
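One safeguard at the mail-handling level, shown as an added example that is not part of the original article or a CYBER1 product: because BEC messages carry no malware or links, the check below inspects only the headers for an executive's display name arriving from an outside address. The domain, the executive roster, the Reply-To heuristic and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the organisation's own mail domain(s) and executive roster.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe", "john smith"}

# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 budget review\n\n"
    "Agenda attached in the shared drive.\n"
)
SAMPLE_SPOOFED = (
    'From: "Jane  Doe" <jane.doe@mail-example.test>\n'
    "Reply-To: jd.office@inbox.test\n"
    "To: accounts@example.com\n"
    "Subject: Urgent transfer\n\n"
    "Please process the payment today and confirm.\n"
)

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def bec_indicators(raw_message):
    """Return header-level impersonation indicators for one raw message."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    # Collapse case and whitespace so "Jane  Doe" matches the roster entry.
    display = " ".join(name.lower().split())

    findings = []
    if display in EXECUTIVES and from_domain not in COMPANY_DOMAINS:
        findings.append("executive display name on external sender address")
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return findings

if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("spoofed", SAMPLE_SPOOFED)):
        print(label, bec_indicators(raw))
```

A hit is a reason to hold the message for review, not proof of compromise; a message sent from a genuinely compromised executive mailbox passes both checks.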
CYBER1, as a 360° cyber security solution that offers products, services and round-the-clock vigilance on behalf of its clients, is well-placed to help organisations better understand their existing infrastructures and facilitate the development of better threat detection and response protocols.
It is through these measures that organisations can obviate the risk of the threats mentioned above, and it is in this arena that CYBER1 can assist vulnerable organisations: through its unparalleled combination of technical, regulatory and corporate expertise, CYBER1 is well-suited to offer tailored protection to organisations in diverse industries and jurisdictions.
The next edition will look at the risks associated with the use of Application Programming Interfaces (APIs).