Peter Sandilands is an IBRS advisor who specialises in cyber security, risk and compliance. Peter has over 40 years’ experience in the IT industry with the last 20 years focused on security. He has spoken at conferences and industry briefings across Asia Pacific. Peter was instrumental in the introduction of Check Point Software to Australia, leading the operation for five years. Prior to that Peter was a key strategist in the broadening of Novell’s market across Asia Pacific. Since then he has spent nearly 10 years working for large Australian companies in banking, mining and transport delivering security strategy, security architecture and compliance assessments. Peter has also assisted overseas security vendors to enter the Australian market with a focus on the strategic use of the products. As a casual academic at UTS for over 20 years, Peter lectured in network security, Cloud security and networking technologies. With his experience across vendors, channel and business, Peter brings a pragmatic approach to implementing and assessing cyber security. Peter has a Master's of Cyber Security from Charles Sturt University.
Conclusion: Organisations would hope that their data protection policies are in place and effective. Data loss protection is active on the email channel and data is encrypted while at rest within the organisation. Staff are often trying to share data with others or move data to where it may be easily accessible. A very common channel for this is one of the many Cloud-based file-sharing services such as Dropbox, iCloud or Google Drive.
These services conflict with data protection in several ways. In many cases the services used by staff are personal accounts owned by the staff member, not the organisation. This immediately places the data outside the control of the operation. The sharing of the data can be open-ended where a) even the staff member loses control over who can access the data, and b) it is uncertain where the data is stored and in which jurisdiction.
If the data contains personal information, credit card details or confidential finance information, the organisation may find itself in breach of regulations such as the Notifiable Data Breach Regulation or Payment Card Industry requirements.
Conclusion: Many organisations are finding themselves being defrauded, especially when making or receiving payments electronically. It is not that the end systems are compromised but rather the payment information itself is being subverted in between the payer and the payee.
This is hard to defeat via technical means as the messages themselves look the same as any other payment request or invoice. A quality email filtering service will remove many of the clumsy attempts, allowing more focus on the well-constructed efforts.
This article aims to help improve understanding of the threat and identify effective strategies to lessen the possibility of a business being impacted. Security defence consists of more than just technology. A well-rounded defence is composed of people, process and technology. Defeating business email compromise (BEC) is primarily achieved by the people and process segments.
The staff of a business are in the best position to detect attempts to compromise a payment, provided they have been armed with some knowledge of the types of attacks and permission to halt and question the details.
Many fraud attempts can be prevented by implementing a simple business process that allows all staff to question transactions that change payment details and use secondary channels to confirm those details.
Conclusion: The notifiable data breach regulations have had an impact on business priorities. For any organisation subject to the regulations, protection of personal information should have become a priority. One security technology, data loss prevention, could have offered some assistance. But it has had a mixed reception in the past due to many issues in both implementing and operating the service.
The continued move to SaaS for office systems such as document creation and email is also changing the market. Many capabilities that have been previously offered as standalone products are now being subsumed into the SaaS offerings as just adjunct functions.
This simplifies the selection of the products and their ongoing management. A prime example of this is data loss prevention which is now being offered as a check-box selected capability in several SaaS offerings.
This could put data loss prevention within reach of small to medium businesses as a component of their personal information protection strategy.
Conclusion: Given the reality of shrinking budgets, organisations can struggle to decide which new products to purchase or techniques to implement. They hope the new capabilities will enhance their security posture, but new tools often need additional staff to operate them. Employing skilled security staff can itself be a challenge. A simple but pragmatic approach is to leverage the IT operations budget and skills to improve operational hygiene and, hence, overall security hygiene.