Financial gain is the primary motive in more than 60% of security breaches (1). A vast number of security breaches take place due to human error. Increasingly, the threat is coming in the form of social engineering. One of the most effective social engineering methods for attackers is Business Email Compromise targeting financial and administrative teams.
Security Awareness Training
Attackers continue to evolve and perfect their methods, so it is paramount that organizations make security awareness training and policy governance a priority to mitigate the risk of a significant financial loss. A successful security awareness training program should include security newsletters and updates, recurring training, and simulated phishing attacks. While security awareness training is vital for any organization and all associates, organizations should increase their focus on awareness for departments with direct access to and control of the finances. Business email compromise, also known as CEO Fraud, occurs when the bad actor poses as a member of executive leadership. The best bad actors even go so far as to study your leaders' writing styles and impersonate your leaders (aka “speaking in their voice”). Because this type of attack is so targeted, organizations should increase training for key departments and implement customized simulated phishing emails that imitate email from the executive team.
Vendor Change Management
Having vendor change management in place can mitigate the risk of the human factor in unauthorized payment changes. If a bad actor is required to provide specific information before the change can be approved, it can dramatically decrease the likelihood of their success. Identify a strategic method to track requests for changes to payments. The ability to track via a ticketing system or designated mailbox helps streamline the process and identify red flags.
Organizations should apply at a minimum:
- Maintain a list of all approved vendors to facilitate payment changes
- Create, and follow, a vendor management policy that guides how vendors are added and tracked
- Establish dual control for authorizing change requests
Dual Control
The idea of dual control is absolutely critical to the process. The establishment of dual control should be part of vendor onboarding. An example of dual control might include implementing a vendor code and a designated contact. In this example, the vendor code might be a number or passphrase used to positively identify someone from the vendor. If you receive a change request with this code, you would go to the designated approver in the department, who would then verify that the request is valid.
Cybersecurity Insurance
Threats are ever-changing and evolving. Because human errors occur, organizations should protect themselves financially with Cybersecurity Insurance.
Organizations must stay vigilant and stay abreast of current security threats. But, because the threat landscape changes so quickly and can be challenging to manage, and human errors happen, organizations should also protect themselves with Cybersecurity Insurance. Often, organizations fail to fully appreciate what is and is not included in their cybersecurity policy. Take the time to review your policy. Some policies may only cover the cost of incident response and determination and may not cover financial loss. The best way to protect your organization from a financial loss is to have a Cybersecurity policy, but also to know what that policy covers.
So, Be Prepared
Bad actors continue to find new ways to threaten businesses, and their primary motive for attacks is financial.
Prepare yourself and your organization:
- Ensure financial security controls by increasing security awareness training,
- Implement change management policies for financial and administrative teams,
- Know what is in your Cybersecurity policy.
(1) As reported by the 2020 Verizon Breach Investigation Report
Written by Kinsey Tickell and Jeremy Ausburn