Our survey also shows that trust companies consider business email compromise (“BEC”) to be the top risk category – 31% of them rank BEC as the top risk, and around 15% of trust companies have suffered a BEC attack within the last year.
What is the top cybersecurity and data security risk you have faced as a trustee in the last 12 months?
The fact that BEC is in pole position is not surprising, given that BEC is the cyberthreat that accounts for the largest financial losses in the world. For example, the FBI’s Internet Crime Report for 2021 estimated that BEC scams cost U.S. businesses nearly $2.4 billion in 2021.[5]
There are different definitions of BEC fraud. Perhaps the most helpful is that of the National Cyber Security Centre, which defines it as “a form of phishing attack where a criminal attempts to trick a senior executive – or budget manager – into transferring funds or revealing sensitive information”.
There are a number of techniques that criminals often use in BEC attacks.
A simple method used by criminals is to register an email address that looks like a legitimate one – [email protected] instead of [email protected], for example – so that the recipient believes they are corresponding with a known contact rather than with a fraudster. To avoid falling victim to this type of attack, beware of look-alike characters (homoglyphs, which in some cases cannot be distinguished from the legitimate character by eye), obscure or unexpected top-level domains, and suspicious subdomains in email addresses (e.g. [email protected] at external supplier.mailerinfo.com, where the supplier’s name appears only as a subdomain of an unrelated domain).
Another method is for the criminal to manipulate the headers of an email so that it appears to come from the real address, while any reply is silently diverted to a different address (this would be revealed by inspecting the message headers, in particular the Reply-To field). Trust companies should ensure they have SPF, DKIM and DMARC in place[6] and activated on their domains to make this type of attack more difficult.
In the most sophisticated attacks, criminals take control of a person’s email account – gaining access using hacked or stolen credentials, or by compromising their computer or infrastructure – and then use that genuine account to send emails.
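As an added example (not from the survey or its authors), the following Python screens an inbound message for the two indicators described above: a sender domain that imitates a trusted one (homoglyphs, punycode-encoded international domains, the same name under a different top-level domain, or a trusted name used only as a subdomain of an unrelated domain) and a Reply-To header that diverts replies to a different domain. It also reads the receiving mail server’s Authentication-Results header for the DMARC verdict. The trusted-domain list, the confusable-character table and the sample message are constructed for illustration; the character table is a small subset of the Unicode confusables data and the registrable-domain logic is deliberately naive.

```python
"""Screen one inbound email for common BEC indicators.

Example code added to this article; it is not the survey authors' tooling.
TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_MESSAGE are constructed for illustration.
"""
import email
import unicodedata
from email.utils import parseaddr

# Constructed: registrable domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example-trust.com", "supplier.example"}

# Constructed subset of visually confusable characters; a real deployment would
# use the full Unicode confusables table. Escapes are used so the non-Latin
# characters are unambiguous in the source.
CONFUSABLES = {
    "0": "o", "1": "l",          # digit zero / digit one
    "\u0131": "i",               # dotless i
    "\u03bf": "o",               # Greek omicron
    "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",  # Cyrillic a, e, p, c
    "rn": "m", "vv": "w",        # letter pairs that read as a single letter
}


def skeleton(text: str) -> str:
    """Map a domain to a 'skeleton' so homoglyph variants compare equal."""
    s = unicodedata.normalize("NFKC", text.lower())
    for lookalike, plain in CONFUSABLES.items():
        s = s.replace(lookalike, plain)
    return s


def decode_idna(domain: str) -> str:
    """Render punycode labels (xn--...) as Unicode; pass other domains through."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def domain_of(header_value: str) -> str:
    """Extract the bare, lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].strip().lower()


def _base(labels: list[str]) -> str:
    # Naive registrable domain (last two labels). Caveat: does not understand
    # multi-part public suffixes such as co.uk; use a public-suffix list in production.
    return ".".join(labels[-2:])


def lookalike_findings(domain: str) -> list[str]:
    """Return human-readable findings if `domain` imitates a trusted domain."""
    findings: list[str] = []
    if not domain or domain in TRUSTED_DOMAINS:
        return findings
    unicode_domain = decode_idna(domain)
    if unicode_domain != domain:
        findings.append(f"{domain}: internationalised domain renders as {unicode_domain}")
    labels = unicode_domain.split(".")
    if len(labels) < 2:
        return findings
    base = _base(labels)
    for trusted in sorted(TRUSTED_DOMAINS):
        if unicode_domain.endswith("." + trusted):
            continue  # genuine subdomain of a trusted domain
        trusted_name = trusted.split(".")[-2]
        if skeleton(base) == skeleton(trusted) and base != trusted:
            findings.append(f"{domain}: homoglyph variant of {trusted}")
        elif skeleton(labels[-2]) == skeleton(trusted_name):
            findings.append(f"{domain}: name {trusted_name!r} under a different top-level domain than {trusted}")
        if trusted_name in labels[:-2]:
            findings.append(f"{domain}: {trusted_name!r} appears only as a subdomain of {base}")
    return findings


def screen_message(raw: str) -> list[str]:
    """Run every check over one RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw)
    findings: list[str] = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for candidate in sorted({from_domain, reply_domain}):
        findings.extend(lookalike_findings(candidate))
    # Authentication-Results is written by the receiving MTA; only trust it if
    # your gateway strips any copy that arrived with the message.
    auth = msg.get("Authentication-Results", "").lower()
    if auth and "dmarc=pass" not in auth:
        findings.append("DMARC did not pass according to Authentication-Results")
    return findings


# Constructed sample message combining a look-alike Reply-To with a failed DMARC check.
SAMPLE_MESSAGE = """\
From: "Finance Director" <director@example-trust.com>
Reply-To: director@examp1e-trust.com
To: payments@example-trust.com
Subject: Updated beneficiary details for today's transfer
Authentication-Results: mx.example-trust.com; spf=fail; dkim=none; dmarc=fail
Date: Mon, 1 Jan 2024 09:00:00 +0000

Please use the new account details attached before the 11:00 cut-off.
"""

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_MESSAGE):
        print("-", finding)
```

On the sample message the script reports three findings: the Reply-To domain differs from the From domain, that Reply-To domain is a homoglyph variant of a trusted domain (digit one for the letter l), and DMARC did not pass. Two caveats for real use: the Authentication-Results header is only meaningful if your own mail gateway wrote it and strips any copy that arrived from outside, and the two-label registrable-domain heuristic should be replaced with a public-suffix list so that domains such as example.co.uk are handled correctly.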
When it comes to BEC attacks, watch out for a sense of urgency, poor spelling or grammar in the body of the email, and last-minute changes of email address or bank account. Payment approval procedures should always be applied rigorously, without skipping steps or giving in to pressure, and they must be stress tested to ensure they cannot be bypassed. Trust companies should set up a designated single point of contact with the companies to which they make regular payments, and ensure that multiple people sign off on high-value transfers, confirming by direct phone call to a known number if necessary.
Another important and closely related type of attack – impersonation, referred to here as identity theft or spoofing – is considered by trust companies to be the second biggest risk of the past year. Some 8% of respondents have experienced such an attack in the past 12 months. Spoofing is a social engineering technique in which an attacker impersonates a trusted person in order to steal money or obtain sensitive or confidential information from a senior company executive. Attackers often research their victim thoroughly using a range of publicly available information, such as the company’s website or social media profiles, and they often ask the person they are targeting to keep the matter confidential or private. To avoid such attacks, members of the organisation should be encouraged to limit what they share about their employer on social media and to consult a colleague within the organisation before responding to any unusual request.
Ransomware, despite the increase in the frequency and complexity of these attacks over the past year, was a lesser issue for trust companies – only 1% of respondents considered it the top cybersecurity and data security risk, and only 4% had experienced such an attack in the last 12 months (although that is still 1 in 25). In contrast, in the CISO report mentioned above, approximately 28% of CISOs perceived ransomware as the biggest cybersecurity threat to their organisation or industry over the next 12 months. The two findings can be reconciled: while ransomware attacks may be less common than BEC fraud, the consequences for an organisation can be far greater.
When it comes to defending against cyberattacks, trust companies continue to rely on people and procedures – 28% invested in organisational measures over the past year and 10% in increased monitoring. Again, this aligns with the fact that the majority of CISOs view human nature as the greatest cybersecurity vulnerability within their organisation.[7]
Technical measures are increasingly important to trust companies, with 24% of companies surveyed investing in them and 21% investing in incident response systems and capability, such as incident response plans and war games. The importance of having adequate plans in place to deal with an incident before it happens, and of integrating those plans into your organisation’s wider crisis management procedures, cannot be overstated. In the heat of the moment there will be no time to iron out incompatibilities between different plans, work out who is responsible for making decisions, or resolve differences in risk appetite between members of the management team. Errors in incident response can be very costly in terms of enforcement action, reputational damage and even litigation.
Cyber insurance is also becoming increasingly important to trust companies, with around 6% of respondents increasing their cyber insurance cover in the past year. Again, in the benchmarked CISO survey, more than half of global CISOs said they were confident their policy would pay out when it mattered most. However, the cyber insurance market is hardening. This means that cover can be harder to buy, it becomes more expensive, and in some cases the scope of cover narrows (for example, some policies now contain “war” exclusions that could be triggered by nation-state activity, which continues apace). Companies will therefore need to take great care to check, before an incident, that their insurance policies (including those beyond cyber, such as PI, crime, D&O, K&R, liability or business interruption) will meet their needs – and to ensure that they do not inadvertently invalidate their insurance while responding to an incident in the heat of the moment.