The National Cyber Security Centre (NCSC) has issued new guidance for businesses addressing the threat of Business Email Compromise (BEC) attacks.

BEC attacks have become increasingly sophisticated and give cybercriminals a route to sensitive data, so businesses need to strengthen their defences.

BEC, a targeted form of phishing, contrasts with broader phishing attacks by focusing on specific individuals within organisations. These attacks often target senior executives or employees with access to valuable data, requiring significant investment from cybercriminals. The new NCSC guidance encourages businesses to reduce their digital footprints, train staff to recognise BEC attempts, implement two-step verification processes, restrict the number of employees authorised to make significant payments without further approval, and prepare for potential successful attacks.

Challenges and Practical Measures

While the NCSC’s guidance is beneficial, it adds to the workload and budgetary pressures of IT and security teams that are already stretched thin. AJ Thompson, CCO at Northdoor plc, acknowledges that the guidance is necessary amid increasingly sophisticated threats. He emphasises the importance of businesses being aware of BEC threats and educating their employees.

Recent headlines highlight the severity of BEC attacks. In one notable case, cybercriminals stole £20 million from Arup by duping an employee with a digitally recreated version of the company’s CFO via video conference. Although such high-level sophistication is rare, it underscores the significant investment cybercriminals are willing to make for substantial returns.

More commonly, BEC attacks involve convincing emails from what appear to be senior executives, requesting money transfers or access to data. If employees fall for these emails, the consequences are often not realised until it is too late.

Implementing Effective Countermeasures

Much of the NCSC’s advice involves common-sense measures. Reducing the amount of publicly available information about senior executives makes it more challenging for cybercriminals to create convincing replicas. Two-step verification adds a layer of complexity for cybercriminals, and restricting the number of employees who can make large payments without further authorisation limits the potential for financial losses.

The most critical piece of guidance is educating employees. Since employees are the primary targets of BEC attacks, ensuring they can identify and respond to suspicious activities is vital. Education effectively neutralises many threats by empowering employees to act promptly when they encounter potential BEC attacks.

However, Thompson notes that this guidance adds to the substantial workload of IT and security teams, often amid shrinking budgets. Businesses face real threats from BEC attacks but may lack adequate resources to counter them. Some companies are turning to consultancies to provide the expertise and assurance needed to handle threats, educate staff, and develop robust business continuity plans. This approach alleviates the burden on internal teams, ensuring BEC attacks do not slip through the cracks while empowering staff to recognise and manage potential threats.

Editor at The B2B Marketer