Your First Step in Boosting Corporate Security
Another batch of 700,000 consumers received a breach notice last week, this time in the UK, informing them that, as a result of the Equifax breach, they too “could be targeted by phishing attacks.” The week prior, a stunning 2 billion users learned that their Yahoo emails have been compromised since 2013 in addition to the first billion announced in 2016. And the week before that, Deloitte reported a breach of its internal email systems that may have exposed sensitive customer data.
The ongoing reports of massive troves of sensitive personal and business information being exposed through malicious hacking, email phishing, and trivial server misconfigurations are the signs of a snowballing information security crisis. So far, though, our practical reactions have not been on par with reality. A combination of security awareness training, occasional patching, and more products that promise to protect you against all things ‘cyber’ is not exactly a recipe for success. It is more like building a nuclear bunker on top of a swamp.
Since every crisis is also an opportunity, my hope is that we are close to a tipping point beyond which changing our behavior becomes an unavoidable survival necessity. Let me make a case for where we can start.
Perhaps the simplest to solve and most frustrating issue that keeps haunting corporate executives, global tech companies, VC banks, and government officials is the so-called Business Email Compromise or BEC. According to the FBI, which started tracking BEC as a separate crime type this year, scamming businesses by attacking their email systems is a $5 billion industry that produced a 2,370% increase in “identified exposed losses” between 2015 and 2016.
These not very high-tech compromises are brought to you by @Sinon_Reborn and the same folks who came up with the Nigerian Prince scam, offers of winning lottery tickets, and PayPal refunds. And while you are thinking that this is never going to happen to you or your company, think twice. Companies big and small, government agencies, and high-profile politicians fall for these attacks of varying sophistication every day. In just the past few months, we have seen prolific Google Doc phishing and BEC campaigns successfully target Silicon Valley’s investment banks. Interestingly, the attacks seeking to directly extract money from the victims are now joined by business email compromises focused on extracting data for clever strategic gains.
To understand how to protect your company or organization from BEC, it is important to look at why these attacks are so successful. While they differ in sophistication and scope, a successful business email compromise depends on two key variables:
1. Your organization conducting critical business processes via email;
2. Your organization sending critical business information without verifying recipients.
Let’s start with number one. It is easy to imagine why an emailed request from the CEO for a wire transfer does not set off an alarm if it is normal for your company to run operations through your inbox. Stop using email for anything valuable, sensitive, or confidential, or for anything that authorizes funds to move from point A to point B. Really, just stop.
Don’t send routing information over email. Don’t discuss contract details over email. Email is and will forever be subject to “human error and technology failures,” as the former CEO of Equifax put it. Unapplied patches and reliance on scanners will not help us win this game. Email is no longer a responsible tool for sensitive communications.
Some also feel that email is dying. They may say your new workforce will not use it, and that the messaging behavior prevalent in Asia will come swinging to other regions. Some even say that corporations will soon communicate only through messaging and collaboration tools rather than Exchange servers. Well, I certainly hope so. But others suggest that, thanks to Google enabling a whole new generation to use Gmail in schools, email will persist. Ultimately, it doesn’t really matter. Sending your account information and your intellectual property (IP) through the same medium where you send animated birthday cards has never been and will never be a good idea.
The failure to verify the person on the other end of your conversation is the other key component of most BEC campaigns. It is not easy to vet everyone you talk to, and social engineering certainly isn’t making this easier. Ultimately, speed, stress, and inconvenience lead us to make the mistake of conducting business with unverified parties. But verification should not be optional when you are transferring money, sharing high-value pricing strategies or IP, or negotiating a deal. It is negligent not to take advantage of user verification capabilities backed by math and encryption to ensure that your intended recipient is in fact the person you think it is.
Moving your critical operations away from email and to a controlled secure workspace where user key verification is built-in is a strong step in boosting your organization’s resilience to BEC. Developing a clear and easily enforceable policy is next:
- Have a policy to NOT conduct business or send sensitive information over email;
- Anyone who asks to conduct business or send sensitive information over email should be subject to extra verification;
- Never wire money in response to an email;
- Always get voice or video verification before wiring any funds;
- If you get a suspicious email, save it; do not respond or click any links;
- Ensure your organization’s wiring procedures mandate that payment information is never sent via email, to reduce the risk from BEC attacks.
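The second policy point, that anyone asking to transact over email gets extra verification, is easy to turn into a mail-triage rule. The script below is an added example, not code from the original post or from any vendor named in it: it parses a message with Python’s standard `email` module and returns the reasons it should be held for out-of-band verification. The company domain `example.com`, the executive roster, the keyword list and the three sample messages are all constructed for illustration.

```python
"""BEC triage: flag mail that asks for a transaction, or that impersonates a
known sender, so it gets the extra verification the policy requires.
Added example; OUR_DOMAIN, EXECUTIVES and SAMPLES are constructed values."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"
# Constructed roster of display names an impersonator would borrow.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
# Requests the policy says must never be fulfilled over email.
TRANSACTION_PATTERNS = re.compile(
    r"\b(wire transfer|wire the funds|routing number|account number|"
    r"updated bank details|gift cards?|W-?2s?)\b", re.IGNORECASE)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True for a near miss of our domain (a typosquat), False for the real one."""
    if domain == ours:
        return False
    return SequenceMatcher(None, domain, ours).ratio() >= 0.8


def triage(raw: str) -> list[str]:
    """Return the reasons this message needs out-of-band verification ([] if none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    if TRANSACTION_PATTERNS.search(msg.get("Subject", "") + "\n" + body):
        reasons.append("transaction request via email")
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        reasons.append("executive display name from non-corporate address")
    if looks_like(from_dom):
        reasons.append(f"lookalike sender domain {from_dom}")
    if reply_addr and domain_of(reply_addr) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


# Constructed sample messages.
SAMPLES = {
    "impersonation": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "Reply-To: ceo.jane@mail-relay.test\n"
        "Subject: Urgent wire transfer\n\n"
        "Please wire the funds today to the account below.\n"),
    "benign": (
        "From: Bob Smith <bob.smith@example.com>\n"
        "Subject: Lunch Thursday?\n\n"
        "Are you free Thursday for lunch?\n"),
    # Genuine sender, but the request itself violates the policy.
    "internal_request": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Subject: Vendor payment\n\n"
        "Can you send me the routing number for Acme?\n"),
}


def triage_samples() -> dict[str, list[str]]:
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(f"{name}: {reasons or 'no action'}")
```

Note that the third sample is flagged even though it comes from the real executive: the policy point is that the request channel, not the sender, is what disqualifies the message.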
For example, with AWS Wickr, you can choose to require video key verification to ensure you are communicating with the right person. Encryption lets you easily establish a verifiable secure communication channel. You only need to get verification right once to ensure you have the right person on the other end of your business conversation.
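What “key verification” buys you, and why it only has to be done once, is shown by the added example below. It is not AWS Wickr’s code; the identity keys are constructed placeholder byte strings standing in for the public keys a messenger would expose. The idea is generic: each party’s client computes the same fingerprint from the pair of keys, the two people compare it over a second channel such as a video call, and the client pins it, so a key that is later substituted for the contact’s no longer matches.

```python
"""Out-of-band key verification with a pinned safety number.
Added example, not a vendor's implementation; the keys are constructed."""
import hashlib
import hmac

ALICE_KEY = b"constructed-identity-key-alice-0001"
BOB_KEY = b"constructed-identity-key-bob-0001"
SUBSTITUTED_KEY = b"constructed-identity-key-imposter"


def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Fingerprint of the key pair, identical no matter which side computes it.
    Rendered as six groups of five hex characters so it can be read aloud."""
    digest = hashlib.sha256(b"|".join(sorted((key_a, key_b)))).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


class ContactBook:
    def __init__(self) -> None:
        self.pinned: dict[str, str] = {}  # contact -> number confirmed out of band

    def verify_out_of_band(self, contact: str, my_key: bytes,
                           shown_key: bytes, number_read_aloud: str) -> bool:
        """Pin the contact only if the number their client displays (read to us
        on video) equals what our client computes from the key it received."""
        computed = safety_number(my_key, shown_key)
        if not hmac.compare_digest(computed, number_read_aloud):
            return False
        self.pinned[contact] = computed
        return True

    def status(self, contact: str, my_key: bytes, presented_key: bytes) -> str:
        """Every later message is checked against the pinned number, not re-verified."""
        if contact not in self.pinned:
            return "unverified"
        if hmac.compare_digest(self.pinned[contact],
                               safety_number(my_key, presented_key)):
            return "verified"
        return "key changed: re-verify before sending anything"


def demo() -> tuple[bool, bool, str, str]:
    book = ContactBook()
    # Bob's client displays its safety number; he reads it to Alice on a video call.
    bob_reads = safety_number(BOB_KEY, ALICE_KEY)
    # If a different key had been inserted in transit, the numbers would not match.
    blocked = book.verify_out_of_band("bob", ALICE_KEY, SUBSTITUTED_KEY, bob_reads)
    pinned = book.verify_out_of_band("bob", ALICE_KEY, BOB_KEY, bob_reads)
    ok = book.status("bob", ALICE_KEY, BOB_KEY)
    # Later, a different key is presented for "bob": the pinned number no longer matches.
    tampered = book.status("bob", ALICE_KEY, SUBSTITUTED_KEY)
    return blocked, pinned, ok, tampered


if __name__ == "__main__":
    for label, value in zip(("substituted at verification", "pinned",
                             "later status", "after substitution"), demo()):
        print(f"{label}: {value}")
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity here; the point of the example is that verification happens once, over a channel the attacker does not control, and every later conversation is checked against the pinned result automatically.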
Lastly, changing your organization’s internal policy to never conduct important business via email becomes, in and of itself, a verification enabler. If your company makes it clear that critical communications and sensitive transactions DO NOT TAKE PLACE in email, anyone asking you to transact through your inbox is automatically qualified as not legitimate. A sophisticated attacker might send a joke about the drinks you shared poolside at the company picnic (information grabbed from Facebook), or say something about a good lunch meeting you had with a client (Chatter), or mention that you closed out tickets from the last sprint (compromised Slack). But if they attempt to initiate a money transfer in an email, or discuss proprietary business matters there, you and your team instantly know it is not legit.
It is time to move sensitive communications out of easily compromised and discoverable channels. Neither email nor IM is safe. Using these channels today is the same as knowingly clicking on a link from the Nigerian Prince. It is simply negligent.
With tools like Wickr, you can send sensitive information like account routing information and ensure that after legitimate transfers and communications are complete, all valuable information is deleted according to your organization’s information governance (defensible deletion) policies. You can proactively set an expiration date for sensitive communications to comply with internal and external industry requirements and then rely upon math rather than end users or service providers to protect your data.
Here is how to protect your team and organization from BEC attacks with Wickr:
- Create a secure AWS Wickr Network for your entire company and particularly for your finance team;
- Mandate that all sensitive information and transactions go through AWS Wickr only;
- Proactively reach out to your business partners and inform them of the new policy. Ask them to get the free Wickr Me app. You now have a mathematically verified communication channel for sharing PII and other sensitive data;
- If you know and can recognize your business partner, ask them to send a video verification for additional protection.
When asked about the causes of the data breach at the recent Capitol Hill hearing, the former CEO of Equifax “blamed human errors, particularly the failure to repair the problematic software despite warnings from the federal government and the company’s own security team.” Or, as Benjamin Franklin once said, “In this world, nothing can be said to be certain, except human error and technology failures.” It’s unclear whether this was offered as an admission of guilt, a laying of blame, or a concession to the inevitable. My fear is that it was offered as a ray of hope, to provide optimism that we can solve the human error and technology failure problem. I say let’s get on this right after we fix death and taxes. But first, let’s stop using email to run our businesses and government. What do you say?