Trend Micro Incorporated, a global leader in cybersecurity solutions, has revealed that 43% of surveyed organisations have been impacted by a Business Process Compromise (BPC).
Despite the high incidence of these attacks, 50% of management teams still don’t know what they are or how their business would be impacted if they were victimised.
In a BPC attack, criminals look for loopholes in business processes, vulnerable systems and susceptible practices. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. If victimised by this type of attack, 85% of businesses would be limited from offering at least one of their business lines.
“We’re seeing more cybercriminals playing the long game for greater reward,” said Rik Ferguson, Vice President of Security Research for Trend Micro. “In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates.
“From there they can insert themselves into critical processes, undetected and without human interaction. For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information – as was the case in the well-known Bangladeshi Bank heist.”
Global security teams are not ignoring this risk, with 72% of respondents stating that BPC is a priority when developing and implementing their organisation’s cybersecurity strategy.
However, the lack of management awareness around this problem creates a cybersecurity knowledge gap that could leave organisations vulnerable to attack as businesses strive to transform and automate core processes to increase efficiency and competitiveness.
The most common way for cybercriminals to infiltrate corporate networks is through a Business Email Compromise (BEC). This type of scam targets the email accounts of high-level employees who work in finance or are involved with wire transfer payments, either spoofing the accounts or compromising them through keyloggers or phishing attacks.
In Trend Micro’s survey, 61% of organisations said they could not afford to lose money from a BEC attack. However, according to the FBI, global losses due to BEC attacks continue to rise, reaching US$12 billion earlier this year.
Ferguson continued: “To protect against all forms of BPC attacks, business and IT leaders must work together to put cybersecurity first and avoid potentially devastating losses. Companies need protection beyond perimeter controls, extending to detect unusual activity within processes if attackers breach the network. This includes locking down access to mission critical systems, file integrity monitoring and intrusion prevention to stop lateral movement within a network.”