lolloj - Fotolia
Despite 43% of organisations surveyed in 12 countries admitting they have been affected by a business process compromise business process compromise (BPC) attack, they are not on the radar of 50% of management teams.
Half of the management teams polled did not know what these attacks are or how their business would be affected if they were targeted, according to a survey commissioned by cyber security firm Trend Micro.
The study carried out by Opinium surveyed more than 1,000 IT decision-makers responsible for cyber security across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium and Czech Republic.
In a BPC attack, cyber criminals typically look for loopholes in business processes, vulnerable systems and susceptible practices. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change.
According to Trend Micro, 85% of organisations targeted by BPC attack would be prevented from offering at least one of their business lines.
“We’re seeing more cyber criminals playing the long game for greater reward,” said Rik Ferguson, vice-president of security research for Trend Micro.
“In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates.”
Once the cyber criminals have a foothold and have built a detailed picture of the target organisation’s operations, Ferguson said they can insert themselves into critical processes, undetected and without human interaction.
“For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information – as was the case in the well-known Bangladeshi Bank heist,” he said.
In this attack, cyber criminals showed that they had a strong grasp of how the Swift financial platform works and had knowledge of weaknesses in partner banks that use it. By compromising the Bangladesh Central Bank’s computer network, cyber criminals were able to trace how transfers were done and seize the bank’s credentials to conduct unauthorised transactions.
The survey revealed, however, that although half of management teams are unaware of BPC attacks, security teams are not ignoring this risk, with 72% of respondents stating that BPC is a priority when developing and implementing their organisation’s cyber security strategy.
But the study report warns that the lack of management awareness around this problem creates a cyber security knowledge gap that could leave organisations vulnerable to attack as businesses strive to transform and automate core processes to increase efficiency and competitiveness.
The most common way for cyber criminals to infiltrate corporate networks is through a business email compromise (BEC). This is a type of scam that targets email accounts of high-level employees related to finance or involved with wire transfer payments, either spoofing or compromising them through keyloggers or phishing attacks.
In Trend Micro’s survey, 61% of organisations said they could not afford to lose money from a BEC attack. However, according to the FBI, global losses due to BEC attacks have continued to rise since December 2016, reaching $12bn earlier this year.
“To protect against all forms of BPC attacks, business and IT leaders must work together to put cyber security first and avoid potentially devastating losses,” said Ferguson.
“Companies need protection beyond perimeter controls, extending to detect unusual activity within processes if attackers breach the network. This includes locking down access to mission critical systems, file integrity monitoring and intrusion prevention to stop lateral movement within a network.”
According to Trend Micro, there are three main types of BPC attacks: diversion, piggybacking and financial manipulation.
Diversion attacks refer to those where attackers exploit security gaps in the organisation’s cash flow system. Threat actors are then able to transfer money to supposedly legitimate channels.
In piggybacking attacks, criminals take advantage of key business processes, such as the transportation of illegal goods and the transfer of malicious software, which translate to big financial gains for the attackers.
Financial manipulation attacks include those that aim to influence financial outcomes and important business decisions such as acquisitions. Attackers do this by introducing malicious variables into a key business system or process.
To defend against BPC attacks, Trend Micro recommends that organisations:
- Analyse information flow from different sensors to spot anomalies.
- Find statistical deviations on similar industry practices and processes to flag suspicious activity.
- Harden business process security through operation security wargaming.
- Do regular quality assurance, quality control, and penetration testing.
- Restrict unnecessary processes from being carried out.
- Separate employee duties.
- Train employees to identify social engineering attacks.