Half of the business leaders are unaware of BPC cyber attacks. Half of the management teams polled in 12 countries, including the UK, are unaware of business process compromise (BPC) attacks.
Despite 43% of organizations surveyed in 12 countries admitting they have been affected by a business process compromise business process compromise (BPC) attack, they are not on the radar of 50% of management teams.
Half of the management teams polled did not know what these attacks are or how their business would be affected if they were targeted, according to a survey commissioned by cybersecurity firm Trend Micro.
The study carried out by Opinium surveyed more than 1,000 IT decision-makers responsible for cybersecurity across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium, and the Czech Republic.
In a BPC attack, cybercriminals typically look for loopholes in business processes, vulnerable systems, and susceptible practices. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change.
According to Trend Micro, 85% of organizations targeted by BPC attacks would be prevented from offering at least one of their business lines.
“We’re seeing more cybercriminals playing the long game for greater reward,” said Rik Ferguson, vice-president of security research for Trend Micro.
“In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates.”
Once the cybercriminals have a foothold and have built a detailed picture of the target organization’s operations, Ferguson said they can insert themselves into critical processes, undetected and without human interaction.
“For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information – as was the case in the well-known Bangladeshi Bank heist,” he said.
In this attack, cybercriminals showed that they had a strong grasp of how the Swift financial platform works and had knowledge of weaknesses in partner banks that use it. By compromising the Bangladesh Central Bank’s computer network, cybercriminals were able to trace how transfers were done and seize the bank’s credentials to conduct unauthorized transactions.
The survey revealed, however, that although half of the management teams are unaware of BPC attacks, security teams are not ignoring this risk, with 72% of respondents stating that BPC is a priority when developing and implementing their organization’s cybersecurity strategy.
But the study report warns that the lack of management awareness around this problem creates a cybersecurity knowledge gap that could leave organizations vulnerable to attack as businesses strive to transform and automate core processes to increase efficiency and competitiveness.
The most common way for cybercriminals to infiltrate corporate networks is through a business email compromise (BEC). This is a type of scam that targets email accounts of high-level employees related to finance or involved with wire transfer payments, either spoofing or compromising them through keyloggers or phishing attacks.
In Trend Micro’s survey, 61% of organizations said they could not afford to lose money from a BEC attack. However, according to the FBI, global losses due to BEC attacks have continued to rise since December 2016, reaching $12bn earlier this year.
“To protect against all forms of BPC attacks, business and IT leaders must work together to put cybersecurity first and avoid potentially devastating losses,” said Ferguson.
“Companies need protection beyond perimeter controls, extending to detect unusual activity within processes if attackers breach the network. This includes locking down access to mission-critical systems, file integrity monitoring, and intrusion prevention to stop lateral movement within a network.”
According to Trend Micro, there are three main types of BPC attacks: diversion, piggybacking, and financial manipulation.
Diversion attacks refer to those where attackers exploit security gaps in the organization’s cash flow system. Threat actors are then able to transfer money to supposedly legitimate channels.
In piggybacking attacks, criminals take advantage of key business processes, such as the transportation of illegal goods and the transfer of malicious software, which translates to big financial gains for the attackers.
Financial manipulation attacks include those that aim to influence financial outcomes and important business decisions such as acquisitions. Attackers do this by introducing malicious variables into a key business system or process.
To defend against BPC attacks, Trend Micro recommends that organizations:
- Analyze information flow from different sensors to spot anomalies.
- Find statistical deviations in similar industry practices and processes to flag suspicious activity.
- Harden business process security through operation security wargaming.
- Do regular quality assurance, quality control, and penetration testing.
- Restrict unnecessary processes from being carried out.
- Separate employee duties.
- Train employees to identify social engineering attacks.