Rob Holmes, Vice-President of Email Security, Proofpoint, outlines some best practice advice on how businesses can stay protected against BPC attacks.
Given the breadth and diversity of the landscape, there isn’t a silver bullet but there are a number of measures that companies should consider in order to bolster their protection against BPC attacks.
Budgets are often limited and the number of attack vectors is vast, so there has to be a level of prioritisation of which business processes need to be hardened and how. This prioritisation should be a function of the value/risk of the process combined with its vulnerability to abuse/compromise.
Some business processes (e.g. the transfer of funds) are of huge value/risk to all companies; others (e.g. engineering/production) are company-specific. Most importantly however, processes that are people-dependent are more vulnerable since people are prone to social engineering attacks; compromises to technical processes may be more pernicious but may only be achieved with a greater level of technical sophistication.
Determining the biggest risks is a vital step; mitigating the attacks themselves, however, requires a combination of strategies.
Businesses should ensure that they can authenticate the entities, people and devices that provide inputs into a business process. If actions are taken and decisions made on the instruction of an entity whose identity has been spoofed, the process can be compromised with little effort, so an entity's input should not be trusted until that entity has been authenticated.
Once an account has been compromised, however, no amount of authentication will thwart the cybercriminal: the credentials presented are genuine even though the person behind them is not. Companies should therefore both prevent account compromise upstream and monitor downstream for anomalous behaviour, such as instructions that deviate from what the authenticated party normally does. Given that most account compromises result from phishing and credential theft, companies can harden their defences by robustly detecting and blocking these threats as they arrive through email.
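The two ideas above (authenticate the entity that issues an instruction, then still check the instruction against the process's own baseline) can be combined in a single downstream control. The following is an added illustration written for this page, not code from the article or from Proofpoint: a hypothetical funds-transfer check that flags an unauthenticated sender, a look-alike sender domain, a beneficiary account that differs from the vendor record, and an amount outside the vendor's usual range. The vendor master data, thresholds and the `PaymentRequest` model are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed vendor master data (hypothetical): what the business has on record
# for each approved supplier, keyed by the supplier's legitimate email domain.
VENDORS = {
    "acme-supplies.example": {"account": "GB29NWBK60161331926819", "typical_max": 25_000},
    "northwind.example":     {"account": "DE89370400440532013000", "typical_max": 5_000},
}


@dataclass
class PaymentRequest:
    sender_domain: str    # domain of the mailbox that issued the instruction
    account: str          # beneficiary account quoted in the instruction
    amount: float
    authenticated: bool   # True if the instruction passed sender authentication (e.g. DMARC)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. an 'I' for an 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_vendor(domain: str) -> tuple[str, int]:
    """Return (vendor_domain, distance) for the on-record domain closest to `domain`."""
    return min(((v, edit_distance(domain, v)) for v in VENDORS), key=lambda t: t[1])


def check_payment(req: PaymentRequest) -> list[str]:
    """Return a list of findings; an empty list means nothing anomalous was seen."""
    findings = []
    # Upstream control: was the instruction's origin authenticated at all?
    if not req.authenticated:
        findings.append("instruction did not pass sender authentication")
    # Is the sender an approved vendor, or something that merely resembles one?
    vendor, dist = nearest_vendor(req.sender_domain)
    if dist > 0:
        if dist <= 2:
            findings.append(f"sender domain {req.sender_domain!r} looks like {vendor!r}")
        else:
            findings.append(f"sender domain {req.sender_domain!r} is not an approved vendor")
            return findings  # no on-record data to compare the rest against
    # Downstream controls: compare the instruction with the process baseline.
    record = VENDORS[vendor]
    if req.account != record["account"]:
        findings.append("beneficiary account differs from the account on record")
    if req.amount > record["typical_max"]:
        findings.append(f"amount {req.amount} exceeds typical maximum {record['typical_max']}")
    return findings


def decide(req: PaymentRequest) -> str:
    """Route the payment: anything anomalous is held for out-of-band verification."""
    return "hold for out-of-band verification" if check_payment(req) else "release"


if __name__ == "__main__":
    # Constructed sample: a genuine instruction and a classic changed-bank-details attempt.
    legit = PaymentRequest("acme-supplies.example", "GB29NWBK60161331926819", 12_000, True)
    fraud = PaymentRequest("acme-suppIies.example", "GB00XXXX00000000000000", 48_000, False)
    for r in (legit, fraud):
        print(r.sender_domain, "->", decide(r), check_payment(r))
```

The point of the design is that an authenticated sender is necessary but not sufficient: a payment from a genuinely compromised mailbox at `acme-supplies.example` would pass the first check and still be held on the changed account number or unusual amount, which is exactly the downstream anomaly monitoring the text calls for.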
As a last line of defence, businesses should look to strengthen the security of both their data and their people. Encrypting sensitive information at rest protects it if a system or backup is exposed; protecting the data that flows into a business process against interception and alteration requires an authenticated, integrity-protected channel in transit (for example TLS with proper certificate validation), since confidentiality alone does not stop an attacker who can insert themselves into the path from substituting their own inputs. On the human side, a well-trained, savvy employee can be the crucial missing piece in thwarting a social engineering attempt aimed at them.
Finally, business processes frequently involve third parties, so businesses need to be vigilant with any external partners and ensure that they too adhere to the necessary security standards; otherwise the process can be compromised at the weakest participant rather than at the business itself.