The pandemic has forced organisations and their employees to adapt to more remote ways of working and it’s up to CISOs to ensure this is done with security in mind to avoid being exploited by cybercriminals. Andrew Rose, Resident CISO for EMEA at Proofpoint, discusses some of the current and developing cyber-risks, and how to combat them with a people-centric security approach.
Can you give us an overview of the current cyberthreat landscape?
A lot of CISOs have invested heavily in technology controls, such as firewalls and intrusion detection systems, and these have been effective despite the fact that they require a lot of maintenance and upgrades. This has changed the way criminals now look at organisations, as technology is no longer the easiest way in.
What we’re seeing now is a fundamental shift of focus to social engineering – it’s the major attack vector these days. If an attacker can steal a legitimate user’s credentials, they can sail past all manner of technical controls and access the valuable data. As a result, attackers are focused on people, not technology.
We also see this in the attack models, where almost 100% of cyberattacks require the user to intervene or act for them to be successful. It’s no longer a case of finding the weakness in your perimeter firewall; it’s about finding a staff member who will click.
What cyber-risks have been introduced – or heightened – through the mass migration to remote working?
As many organisations have adopted a working from home model, organisations have had to consider how they can improve remote working and collaboration. So, cloud adoption has been very rapid and people aren’t used to the new technology, giving the criminal an opportunity to slip in attacks such as credential phishing or offer malicious applications that users may see as suspicious or unusual.
Lots of people are using their home computers, rather than corporate ones, and these can lack top-tier security controls which can also give the criminals a distinct advantage.
Can you highlight any trends you’ve seen relating to BEC and EAC attacks?
Around 94% of all security attacks come through the email channel and Proofpoint is focused on how we protect that channel and prevent the majority of attacks from ever arriving at the organisation. Business Email Compromise (BEC) is where an attacker will send an email asking for an invoice to be paid, for example, and they’ll send it from outside your organisation.
Email Account Compromise (EAC) is where cybercriminals actually steal the credentials, log into the email system and then effectively send a legitimate email, making a request for a salary to be paid to a different account, for example.
CISOs are aware of this and are concerned, but it’s actually more of a threat than many CISOs realise because the barrier to entry for an attacker is really low. They don’t need much technology to do this, they don’t need much insight, they don’t need to know how to hack the latest firewall, they just have to be able to send emails. The overall success rate is relatively high, so it becomes an appealing attack vector. It’s also not widely reported, so it’s possible for an attacker to commit crime and keep it at quite a low level, which keeps it out of the press and off the radar of law enforcement, while offering a relatively good living. As a result, what we’re seeing is only the tip of the iceberg in terms of threat, but overall, it’s a big concern because a huge amount of money can be stolen through these email compromise attacks.
What’s the impact of these types of attacks on financial loss and brand reputation?
Gartner said that the threat from this vector is going to double every two years, and the FBI say that the loss from these types of email compromise over the past three years has amounted to US$26 billion. So, it is a big threat that CISOs need to be more focused on. Individual organisations can lose a substantial amount of money too; there were two major US Internet companies that lost US$100 million to this type of fraud.
In terms of reputation, it becomes quite the concern. If you’re a supplier and you contact a customer to let them know your invoice is still unpaid, and they respond by saying they were told by you to pay it into a different account and they offer proof of payment, it puts you in a very difficult position. If a legitimate email has come from your organisation telling the customer to pay you into a different account, where do you go from there? You have to be really careful not to disenfranchise the customer and annoy them by asking for money they think they’ve already paid, but at the same time, admitting your security isn’t great.
How are you working with customers to tackle these types of attacks, as Gartner predicts them to double each year?
It’s a never-ending arms race. We work with our customers in multiple ways but as I mentioned, email is the vehicle for the vast majority of these attacks. We apply Machine Learning and AI to make sure that we can pick up on the ever-changing attacks that are sent to our customers, and prevent them getting through to their users. Users can be susceptible to following the instructions of the attacker, so we try and stop those attacks getting there in the first place.
We look to prevent the source of the attack getting through to the user, but we also supplement that with security awareness training. We make sure all of the users within our customer organisations receive training to recognise these attacks and know what to do with them. Attackers keep moving the goalposts and moving forward, which means we have to as well.
How is the move to cloud intensifying the trend of social engineering attacks?
It’s not just cloud. Consider the perfect storm that’s currently taking place; we have things like COVID happening and all of the social anxiety that comes with that such as financial pressures and job insecurity. This gives the attacker the great advantage right now of being able to create emotional situations where people will switch off logic and immediately click and open an attachment, because they’re worried.
However, the cloud intensifies this. When you move to the cloud, the data moves outside of your perimeter. So, you have to visualise that all these great data assets you have are currently within your organisational perimeter. If you make a mistake, the worst thing that can happen is you’ve left this database unsecured; however, it’s not so bad because everybody within your perimeter is a trusted individual. When you start to move data into the cloud, suddenly that same misconfiguration leaves that data open to everybody on the Internet, and that’s a very different proposition. So, you have to be really careful with databases, with file sharing and all those aspects of human collaboration, because it’s now outside your perimeter.
If attackers can steal your credentials and steal your identity, they’ll sail right past your encryption and right past access permissions. This is why we talk about staff becoming the new enterprise perimeter. The problem now is that using social engineering to steal identities gives attackers straight access to the data – they can then monetise that and use it for their own profit, or use it against you as an organisation.
How would you define people-centric security?
Fundamentally, it’s recognising that people are the new enterprise perimeter.
Commonly, a security manager would look at their organisation and understand that they have controls in place, such as firewalls, intrusion detection, anti-malware and backup. These take a lot of feeding and watering, a lot of configuration to make sure they’re secure and working properly. However, the attacker realises there’s no point bashing their head against these controls, or pulling up zero-day exploits to try and get in. They look at the people who use this technology and do their research – rather than trying to scan all your firewalls, they will try and identify the people in your organisation who perhaps have access to critical data and start to use social engineering attacks against them, because if they can steal the identity, they can access the data.
Defenders also need to think about people-centric security and how they defend the identities of their organisation and staff. That’s what the people-centric story is about – ensuring that the defenders start to consider protecting the people because that’s the new perimeter.
How would you advise that CISOs take a people-centric security approach?
More than 99% of attacks now require human interaction – attackers need someone to click on a link or open an attachment. Therefore, there’s a huge part that your staff can play in defending your organisation. For an organisation to focus on people-centric security, it should start by thinking about email, because that’s where the vast majority (94%) of these threats come from. Step one is to stop all attacks coming in via email.
Step two is to educate your staff. And this is not just about security awareness. The example I commonly use is smoking – a pack of cigarettes has ‘smoking will kill you’ written on the side, so everybody buying cigarettes knows the dangers involved. They have 100% awareness and yet still, people smoke. It’s not just about awareness, it’s about behaviour. It’s about going beyond just having a security awareness campaign.
The final step of that journey is about protecting the data wherever it may be, on premise or in the cloud.
How can CISOs instil a security culture in their organisation?
It begins with buy-in from the top. If your CEO isn’t representing good security behaviour, nobody else will. And then it’s about communicating all the right things to do. It’s about why it’s important and what can happen if you don’t follow it, and about reinforcing communication with a continual drip-feed, with triggers to remind people to do the right thing. People want to do the right thing, but they often focus on just doing the job, which can deviate from security best practice. So, you need to keep reminding them to do the right thing and keep triggering them to remember the messages you’ve instilled in them. Continual reinforcement of the message is the way to slowly turn that ship around and build that strong security culture.