Business Email Compromise

Ken Dwight is “The Virus Doctor” – Business consultant and advisor to IT service providers and internal IT at many businesses who have come to him for his training, has his own direct clients. Ken conducts a monthly community meetings for alumni. He provides a list of curated items of current interest for discussion and resources, and has a featured topic which often includes another speaker to provide breadth of perspective. He has been doing this community service for 83 months!

I asked Ken to cover with me some topics that from his perspective don’t get talked about enough.

Business Email Compromise

Also known as CEO fraud. Impersonating a CEO for purposes of wire fraud. We are focused on the technological solutions. There is no technological solution for eliminating BEC.

CEOs must be part of the solution.

Example: Subcontractor to Airbus. Used to dealing with multi-million-dollar wire transfers.

BEC is a large Fortune 500 issue, it scales down to one user environments.

Title companies are a big target.

Retention policies and standards for WHERE to store what kinds of data to make sure that email is not a file server thereby increasing the risk of what data is compromised as part of BEC.

Perfect example of the beginning of an incident response plan or a tabletop exercise. Orgs must define the cost of compromise. That plan needs to be in place long before. It makes a recovery so much more straightforward.

Attackers analyze their victims in tiers. Potential victims $10 - $50mm revenue organizations. Reputational damage, but not big enough to have an adequate cybersecurity budget.

ShadowIT is a problem, which is why you must address it with a CFO-enforced procurement policy.

Proactive management of M365 tenant security configuration is so critical

The security of your tenant is not included in the fee for biz premium or the overall licensing.

How much activity there is, changes, products, services, vendors. Ideal stack, layers, point solutions within that. Revisit that in a period of time like a year.

This is a nice resource for M365 security and BEC.

https://www.blumira.com/office-365-security-issues

Direct advice from Ken

One topic I believe falls directly into this category is the issue of Business Email Compromise, as opposed to actual malware / hacking / ransomware attacks. As you know, the losses to BEC still represent a greater dollar value than ransomware, according to the FBI statistics. But BEC isn’t even a technology problem, it’s pure social engineering – and no additional layers of hardware or software “solutions” will prevent it or reduce the cost to its victims. In my opinion, that’s why you hear so little on the subject from the cybersecurity vendors.

Another topic I find interesting, but haven’t really heard any vendors or industry pundits talk about, is the whole new ecosystem and infrastructure produced by modern threat actors. The whole business model of these sophisticated criminals has created occupations, titles, and job descriptions that didn’t exist a few years ago. Some of these are a result of the specialization, compartmentalization, and outsourcing by these organizations; here are a few that come to mind:

• Breach attorney
• Ransomware Negotiator
• Initial Access Broker
• Cloud Access Security Broker
• Multiple “As-a-Service” offerings:

• Ransomware as a Service
• Phishing as a Service
• C2 as a Service

Another area that is mentioned fairly frequently, but typically fueled by more heat than light – and raised as a point of frustration by MSPs and IT Solution Providers in general – is the users who still believe they don’t have to worry about cybersecurity, hackers, malware, or ransomware, because they “don’t have anything the criminals would want,” or words to that effect. I believe those users need to comprehend how real and serious the threats are to their business.

By defining the multiple tiers of threat actors, the threat vectors they may employ, their potential victims, the assets owned and managed by those victims, and the attacker’s strategy for monetizing those assets, I believe it becomes obvious that every organization and every individual is the intended target of some subset of those threat actors.

Visit this resource for help making argumentation. Ken is working on some additional materials for end user cybersecurity awareness training.

https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/