EDITOR'S QUESTION
Rob Holmes, Vice-President of Email Security, Proofpoint
Given the breadth and diversity of the landscape, there isn't a silver bullet but there are a number of measures that companies should consider in order to bolster their protection against BPC attacks.
Budgets are often limited and the number of attack vectors is vast, so there has to be a level of prioritisation of which business processes need to be hardened and how. This prioritisation should be a function of the value/risk of the process combined with its vulnerability to abuse/compromise.
Some business processes (e.g. the transfer of funds) are of huge value/risk to all companies; others (e.g. engineering/production) are company-specific.
Most importantly, however, processes that are people-dependent are more vulnerable since people are prone to social engineering attacks; compromises to technical processes may be more pernicious but may only be achieved with a greater level of technical sophistication.
Determining the biggest risks is a vital step; however, mitigating the attacks themselves requires a combination of strategies.
Businesses should ensure that they are able to authenticate entities, people and devices that provide inputs into the business processes. If actions are taken and decisions made based on instruction/input from an entity whose identity has been spoofed, a business process can be easily compromised. Companies should ensure that entities involved in the process are authenticated before their input into the process is trusted.
Once an account has been compromised, however, no amount of authentication will thwart the cybercriminal. Therefore,
companies should both monitor downstream for anomalous behaviour as well as prevent account compromises upstream. Given that most account compromises happen as a result of phishing and credential theft, companies can harden their defences against these attacks through robust detection and blocking of these threats coming through email.
As a last line of defence, businesses should look to strengthen the security of both their data and people. Encrypting sensitive information at rest and in transit will help prevent man-in-the-middle attacks where cybercriminals intercept and alter key data inputs that inform a business process, and a well-trained, savvy employee can be the crucial missing piece in thwarting a human-targeted social engineering attempt.
Finally, business processes frequently involve third parties, so businesses need to be vigilant with any external partners to ensure that they too adhere to the necessary security standards to ensure that the entire business process cannot be compromised.