Intelligent CISO Issue 30 | Page 52

COVER STORY

It's no longer a case of finding the weakness in your perimeter firewall, it's about finding a staff member who will click.

controls which can also give the criminals a distinct advantage.

Can you highlight any trends you've seen relating to BEC and EAC attacks?

Around 94% of all security attacks come through the email channel and Proofpoint is focused on how we protect that channel and prevent the majority of attacks from ever arriving at the organisation. Business Email Compromise (BEC) is where an attacker will send an email asking for an invoice to be paid, for example, and they'll send it from outside your organisation.

Email Account Compromise (EAC) is where cybercriminals actually steal the credentials, log into the email system and then effectively send a legitimate email, making a request for a salary to be paid to a different account, for example.

CISOs are aware of this and are concerned, but it's actually more of a threat than many CISOs realise because the barrier to entry for an attacker is really low. They don't need much technology to do this, they don't need much insight, they don't need to know how to hack the latest firewall, they just have to be able to send emails. The overall success rate is relatively high, so it becomes an appealing attack vector. It's also not widely reported, so it's possible for an attacker to commit crime and keep it at quite a low level, which keeps it out of the press and off the radar of law enforcement, while offering a relatively good living. As a result, what we're seeing is only the tip of the iceberg in terms of threat, but overall, it's a big concern because a huge amount of money can be stolen through these email compromise attacks.

What's the impact of these types of attacks on financial loss and brand reputation?

Gartner said that the threat from this vector is going to double every two years, and the FBI say that the loss from these types of email compromises over the past three years has amounted to US$26 billion. So, it is a big threat that CISOs need to be more focused on. Individual organisations can lose a substantial amount of money too; there were two major US Internet companies that lost US$100 million to this type of fraud.

In terms of reputation, it becomes quite the concern. If you're a supplier and you contact a customer to let them know your invoice is still unpaid, and they respond by saying they were told by you to pay it into a different account and they offer proof of payment, it puts you in a very difficult position. If a legitimate email has come from your organisation telling the customer to pay you into a different account, where do you go from there? You have to be really careful not to disenfranchise the customer and annoy them by asking for money they think they've already paid, but at the same time, admitting your security isn't great.

How are you working with customers to tackle these types of attacks, as Gartner predicts them to double each year?

It's a never-ending arms race. We work with our customers in multiple ways but, as I mentioned, email is the vehicle for the vast majority of these attacks. We apply Machine Learning and AI to make sure that we can pick up on the ever-changing attacks that are sent to our customers, and prevent them getting through to their users. Users can be susceptible to following the instructions of the attacker, so we try and stop those attacks getting there in the first place.

We look to prevent the source of the attack getting through to the user, but we also supplement that with security awareness training. We make sure all of the users within our customer organisations receive training to recognise these attacks and know what to do with them. Attackers keep moving the goalposts and moving forward, which means we have to as well.

How is the move to cloud intensifying the trend of social engineering attacks?

It's not just cloud. Consider the perfect storm that's currently taking place; we