EXPERT OPINION
www.intelligentciso.com | Issue 15

and user awareness, organisations have a great chance of mitigating risk to acceptable levels.

Employee training is obviously key: programmes should be centred around real-life simulations run in short 15-minute lessons to maximise impact. And it’s crucial to include not just regular employees but suppliers, partners, temps and part-timers, as well as executives.

Also important is to analyse the results and feed back to individuals on where they’re failing, thereby creating awareness of what’s happening and where they need to improve. Enhance these programmes with technology controls and improved business processes. For example, any payment requests should require sign-off by at least two people in the organisation.

On the technology side, it gets trickier as there’s no malware attachment or malicious link to scan for in a BEC email. Instead, you need email security tools that scan for spoofed domains as well as tell-tale keywords in the message body and from/reply-to headers.

There are further best practice security controls you can put in place to prevent accounts from being hijacked and used to send BEC emails. These include multi-factor authentication (MFA), privileged account management (PAM) and advanced anti-phishing controls.

BEC is ultimately just one of a large number of diverse threats facing modern organisations. As such, these controls should be considered as part of a wider defence-in-depth approach covering a range of best practice steps from app control to automated patch and asset management.

The endpoint is the new frontline in the battle against cybercriminals, so it is here that efforts should be focused in the first instance.
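The three header and body checks the column describes (spoofed or lookalike sender domains, a From/Reply-To mismatch, and tell-tale payment-fraud wording) can be seen working together in a small triage script. The following is an added example written for this page, not code from the article or from any product it mentions; the trusted domain list, the keyword list, the point values and the two sample messages are all constructed assumptions for the demonstration.

```python
"""Heuristic BEC triage over raw RFC 822 messages (added example, not from the article).

Scores each message on three signals named in the column: a sender domain that
imitates a trusted one, a Reply-To domain that differs from the From domain, and
payment-fraud keywords in the subject/body. Lists and weights are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed: domains the organisation and its known suppliers genuinely send from.
TRUSTED_DOMAINS = {"example.com", "supplier-example.com"}

# Assumed: phrases typical of payment-diversion and executive-impersonation lures.
KEYWORDS = ("wire transfer", "urgent", "change of bank details",
            "gift card", "confidential", "before end of day")

# Digit-for-letter substitutions commonly used to build lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain(header_value: Optional[str]) -> str:
    """Lower-cased domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near-miss of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    # Undo digit swaps and the classic "rn" for "m" trick before comparing.
    normalised = domain.translate(CONFUSABLES).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or _edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def score_message(raw: str) -> dict:
    """Return the signals found in one raw message and their summed score."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()

    signals, score = [], 0
    target = lookalike_of(from_dom)
    if target:                       # spoofed / lookalike sender domain: weight 3
        signals.append(f"lookalike_sender:{target}")
        score += 3
    if reply_dom != from_dom:        # replies diverted to another domain: weight 2
        signals.append("reply_to_mismatch")
        score += 2
    for kw in KEYWORDS:              # each tell-tale phrase: weight 1
        if kw in text:
            signals.append(f"keyword:{kw}")
            score += 1
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "signals": signals, "score": score}


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Assumed triage threshold: hold the message for review at 3 points or more."""
    return score_message(raw)["score"] >= threshold


# Constructed sample messages for the demo (not real mail).
MSG_BEC = """From: "Jane Doe, CEO" <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-example.net
To: finance@example.com
Subject: Urgent payment
Content-Type: text/plain

Hi, I need you to process a wire transfer today. Keep this confidential.
"""

MSG_OK = """From: Accounts <accounts@supplier-example.com>
To: finance@example.com
Subject: Invoice 1042 attached
Content-Type: text/plain

Please find this month's invoice attached. Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("BEC", MSG_BEC), ("OK", MSG_OK)):
        print(name, score_message(raw), "suspicious" if is_suspicious(raw) else "clean")
```

The lookalike check is deliberately forgiving (edit distance of two plus homoglyph normalisation) because attackers register near-miss domains rather than exact copies; tune the threshold and weights against your own mail flow so that genuine suppliers with unusual domains do not trip the sender test.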