The majority of ransomware attacks and network intrusions start with a phishing attack, in which an employee accidentally opens a malicious attachment or clicks on a malicious link. However, part of the issue may be the way businesses think of users in the first place, as well as the corporate atmosphere that many companies have fostered.
The FBI’s Internet Crime Complaint Center (IC3) recently released its annual cybercrime report, which shows that it received a record number of complaints and reports of financial damage, with internet crime causing over US$4 billion in losses. And, as per FBI estimates, losses due to BEC attacks were 64 times greater than those caused by ransomware.
Although analysis and planning are necessary for an actor to pull off a successful BEC attack, another factor that is far more difficult to pinpoint, and much more difficult to defend against, is organizational culture.
To be completely effective, these scams need a sense of urgency around the operation that leads to the fraudulent transaction. As a result, the firms most vulnerable to a BEC campaign are those whose workers are so worried about their results, or about the prospect of being reprimanded by a supervisor, that they will process an irregular transaction without even consulting their superior. Scams like BEC flourish in this fear-based setting. The all-too-common ‘always on’ ethos, in which workers are expected to work late into the evenings, outside of the workplace, and on weekends, exacerbates the problem. The result is an overworked, demoralized, and exhausted workforce that is more likely to make mistakes (in many situations, though not all).
So what must be done?
Breaking down the mentality of fear (fear of making a mistake, fear of breaching security) is the most obvious solution. This can be accomplished through training drills or presentations, as well as challenges to find spoofed campaigns or quizzes in which staff are asked to identify the tell-tale signs of a BEC event.
It’s also important to allow staff to come forward after an incident has occurred. If an employee immediately reports the phish to the security team following an incident, the chances of mitigating its impact are far better than if they had remained silent and waited for the finance team to figure things out on their own.
Employees who come forward immediately following a security breach, or who detect a fake domain or phishing email that might otherwise have endangered the network, should not be made to feel ashamed; instead, organizations should consider a “security amnesty” scheme, in which employees who promptly reveal potential missteps are protected from retaliation (with the exception of incidents of serious negligence).
While this could seem like a reward for failing to detect something potentially dangerous, it recognizes that security breaches do occur, and that managing the risk once they happen is almost as vital as prevention.
On the positive side, businesses should consider offering constructive incentives for reporting security threats before they cause harm. It is also a good idea to reward employees with a coffee gift card or something similar if they spot and prevent a BEC attack. Gamification is well known for its ability to change behavior. It can be used to teach employees not only how to be safer, but also how to become a vital part of IT’s “early warning sensor” network.