We are used to reading about users as the one vulnerability that organizations will never be able to patch. It is certainly true that the majority of ransomware attacks and network infiltrations originate with a phishing attack in which an employee inadvertently opens a bad attachment or clicks on a malicious link. But part of the problem might lie in how we think about users in the first place, and the business culture that many enterprises have fostered.
How Organizational Culture Can Foster the Perfect Conditions for BEC to Succeed
Picture the scene: An employee working in the finance team of a large multinational bank receives an invoice marked URGENT, which appears at first glance to have come from his line manager. Although something doesn’t feel quite right about the structure of the email, the employee pays the invoice immediately, not wanting to put himself in the firing line of his superior. It’s only once he has already processed the transaction that the realization sinks in: his line manager’s name was on the email in question, but the address itself, on closer inspection, isn’t quite right. The company may find itself unable to recover the wrongly paid funds.
This thankfully imaginary but completely plausible scenario is an example of a BEC, or business email compromise, attack. These attacks involve carefully crafted messages designed to look as if they have come from someone within an organization, usually someone senior in the finance department, in order to trick another employee into paying a fictitious invoice. Often meticulously researched and targeted at a specific individual, BEC attacks are a common way for cyber-criminals to defraud an enterprise, and increased by 15% quarter over quarter in 2020, according to recent research.
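One automated check for the tell in the scenario above, added here as an example and not taken from the original article: it parses the From: header and flags messages where a known colleague’s display name sits on an outside address, or where the sender domain is a lookalike of the corporate one. The corporate domain, staff directory and sample headers are all constructed.

```python
from email.utils import parseaddr
import unicodedata

CORPORATE_DOMAIN = "examplebank.com"   # assumed corporate domain (constructed)
# Constructed staff directory: display names that belong to real colleagues.
DIRECTORY = {"Jane Doe": "jane.doe@examplebank.com",
             "Mark Smith": "mark.smith@examplebank.com"}

def normalize(text: str) -> str:
    """Fold case and strip accents so 'Jane Doé' still matches 'Jane Doe'."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore")
    return " ".join(folded.decode().lower().split())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Classify a From: header as internal, display-name-spoof,
    lookalike-domain or external."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == CORPORATE_DOMAIN:
        return "internal"
    known_names = {normalize(n) for n in DIRECTORY}
    if normalize(name) in known_names:
        # A colleague's name on an outside address is the tell in the scenario.
        return "display-name-spoof"
    label = CORPORATE_DOMAIN.split(".")[0]
    if label in domain or edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        return "lookalike-domain"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ["Jane Doe <jane.doe@examplebank.com>",
                "Jane Doe <jane.doe.ceo@freemail.example>",
                "Accounts Payable <invoices@examplebank.co>",
                "Vendor Support <sales@supplier.example>"]:
        print(f"{classify_sender(hdr):20} {hdr}")
```

A verdict of display-name-spoof or lookalike-domain is a reason to pick up the phone and confirm the request out of band, not a reason to block mail outright.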
While an actor does need to carry out research and preparation in order to pull off an effective BEC scam, another factor is far harder to pinpoint, and harder still to protect against: organizational culture.
In order for the scams to fully work, there needs to be a sense of urgency surrounding the action that leads to the fraudulent transaction. Therefore, the companies at most risk of falling victim to a BEC campaign are the ones where employees are so concerned about their performance, or the possibility of being reprimanded by a superior, that they will process a transaction that feels unusual without asking their superior first. This culture of fear is where scams like BEC can thrive. The problem is also exacerbated by the all-too-common ‘always on’ ethos, in which employees are expected to work late into the evenings, out of the office environment and at weekends. This causes (in many cases, but not all) an overworked, stressed and tired workforce, more likely to make mistakes.
So What’s to be Done?
The most obvious solution to this is to break down the culture of fear: fear of making a mistake, fear of being the one who breaks security. This can be done via training exercises or demonstrations, but also through competitions to hunt spoofed campaigns, or quizzes in which employees are invited to spot the tell-tale signs of a BEC incident.
It’s also important to encourage employees to come forward after the fact. If our fictitious employee had gone straight to his security team after the incident, the chance of mitigating the harm of the phish would be far greater than if he kept quiet and waited for the finance team to work it out themselves. Employees who come forward quickly after a security incident, or who manage to identify a false domain or phishing email that might otherwise have compromised the network, should not be shamed; companies would be well advised to consider a “security amnesty” policy in which employees who promptly report possible missteps are shielded from ill consequences (cases of serious negligence notwithstanding). While this may seem like rewarding the failure to notice something potentially compromising, it acknowledges the fact that security incidents happen, and that damage limitation is as important as prevention.
On the positive side, companies should likewise consider rewards for reporting security risks before they cause harm. If an employee recognizes and thwarts a BEC attack, why not offer a coffee gift card or similar? Gamification is well understood to be an effective way to modify behavior. It can be used not just to teach employees to be smarter about security, but to make them a key part of IT’s “early warning sensor” network.
Culture seeps into every aspect of a company. A good culture will encourage a better sales pipeline, stronger HR, and stronger relationships between managers and employees. Applying the same logic to security will help to demystify it for employees, and break down the culture of fear which impedes strong security.