Express Computer

Home  »  Guest Blogs  »  The BEC battleground: Why zero trust and employee education are your best line of defence

The BEC battleground: Why zero trust and employee education are your best line of defence

Guest BlogsNews
By Express Computer
0 78

By Robert Haist, CISO, TeamViewer

In a world where businesses are rapidly digitizing and email communication is prevalent, BEC attacks pose a substantial threat to organizations of all sizes and sectors. To combat this growing menace, it’s imperative for all businesses to adopt a multi-layered security approach, focusing on zero trust principles and comprehensive employee education. Business Email Compromise (BEC) attacks – scams designed to give cybercriminals unauthorised access to confidential information or lure victims into transferring funds – are skyrocketing. In fact, according to a report by Abnormal Security, in 2023, BEC attacks skyrocketed, with monthly attacks per 1,000 mailboxes more than doubling to 10.77, a staggering 108% increase compared to 2022. The rate of these attacks peaked in October with a monthly average of 14.57 attacks per 1,000 mailboxes. This trend has been triggered by the shift to hybrid and remote work and the accompanying change in employee habits and the security landscape.

BEC attack frequency doubled in 2023, and it is expected to increase again this year, largely due to the massive ROI it promises cybercriminals. Based on FBI data, successful business email compromise attacks typically incur costs exceeding $125,000 on average. To safeguard against this widespread threat, organizations must maintain a high level of security awareness and implement robust security programs.

Empowering employees: Your first line of defence

Security awareness training empowers employees to actively combat phishing attacks, including Business Email Compromise (BEC) scams. Phishing emails are increasingly sophisticated, using social engineering tactics to bypass filters and deceive even vigilant employees. Attackers often use information from social media or previous data breaches to impersonate executives, colleagues, or vendors convincingly. By creating a false sense of urgency, they can easily trick untrained staff into revealing sensitive information or authorizing fraudulent payments.

Traditional training methods are no longer sufficient to prevent successful attacks. Modern security awareness programs need to be dynamic and engaging, simulating real-world scenarios and teaching employees to recognize email red flags and social engineering tactics. For instance, employees should learn to identify signs such as spoofed sender addresses and grammatical errors, and to be cautious of unexpected requests, especially those involving financial transactions or changes to account information. Staff should be encouraged to independently verify information through established channels.

Zero trust: The centre of a secure remote landscape

Even with extensive employee training, some BEC scams can bypass human vigilance. Comprehensive security processes are essential to minimize their impact. The zero-trust security model is crucial here. It assumes no inherent trust for anyone, inside or outside the network. With zero trust, every user and device must be continuously authenticated before accessing any resources. This makes it much harder for attackers. Even if they steal a login credential, they can’t automatically access the entire system.

A key component of zero trust is multi-factor authentication (MFA) which acts as multiple locks on every access point. Just like a physical security system requiring multiple forms of identification, MFA requires not just a username and password, but an additional verification factor like a code from a phone app or fingerprint scan. This makes unauthorised entry, including through BEC scams, much harder. So, any IT infrastructure implemented must have zero trust and MFA at its core.

A complement to zero trust is the principle of least privilege access; granting users only the minimum level of access required to perform their jobs. Imagine assigning keys that only unlock specific areas within the castle, not the entire grand hall. This minimises the damage if credentials are compromised because attackers can only access the data and resources assigned to that specific user.

Companies should also employ continuous monitoring and risk-based access decisions, akin to guards patrolling a fortress. Using advanced analytics, security teams can detect suspicious behaviour and implement risk-based access controls. For instance, access from an unrecognized location might prompt stronger authentication or additional approval. Additionally, network segmentation is crucial for containing threats. By dividing the network into smaller compartments, even if attackers breach one section, their movement is limited, preventing them from compromising the entire network.

A multifaceted approach is key to BEC defence

Building a robust defence against BEC attacks requires a layered approach. Implementing a layered defense strategy, including comprehensive security measures based on zero trust principles, is crucial. However, this alone is insufficient. Businesses also need to empower their employees to make informed decisions. Investing in ongoing security awareness training that includes real-world scenarios is vital for teaching employees how to identify and report suspicious activity effectively.

Furthermore, given the increasing sophistication of BEC attacks and their global impact, it is imperative for Indian businesses to merge these strategies with their existing security frameworks. This integration will not only enhance their defense against BEC attacks but also fortify their overall cybersecurity posture.

Get real time updates directly on you device, subscribe now.

Express Computer

Express Computer is one of India's most respected IT media brands and has been in publication for 24 years running. We cover enterprise technology in all its flavours, including processors, storage, networking, wireless, business applications, cloud computing, analytics, green initiatives and anything that can help companies make the most of their ICT investments. Additionally, we also report on the fast emerging realm of eGovernance in India.

You might also like More from author
Leave A Reply

Your email address will not be published.

LIVE Webinar

Digitize your HR practice with extensions to success factors

Join us for a virtual meeting on how organizations can use these extensions to not just provide a better experience to its’ employees, but also to significantly improve the efficiency of the HR processes
REGISTER NOW 
Powered by Convert Plus

Stay updated with News, Trending Stories & Conferences with Express Computer
Follow us on Linkedin
India's Leading e-Governance Summit is here!!! Attend and Know more.
Register Now!
close-image
Attend Webinar & Enhance Your Organisation's Digital Experience.
Register Now
close-image
Enable A Truly Seamless & Secure Workplace.
Register Now
close-image
Attend Inida's Largest BFSI Technology Conclave!
Register Now
close-image
Know how to protect your company in digital era.
Register Now
close-image
Protect Your Critical Assets From Well-Organized Hackers
Register Now
close-image
Find Solutions to Maintain Productivity
Register Now
close-image
Live Webinar : Improve customer experience with Voice Bots
Register Now
close-image
Live Event: Technology Day- Kerala, E- Governance Champions Awards
Register Now
close-image
Virtual Conference : Learn to Automate complex Business Processes
Register Now
close-image