The risk to your business
There are multiple risks to your business, should a BEC attack occur, including:
- Financial loss – BEC attacks often trick staff into making unauthorised financial transfers, which can result in significant financial losses for the business.
- Reputational damage – a BEC attack can damage your business reputation, as customers and other stakeholders may question your information security.
- Legal liability – heavy penalties now apply for data breaches under the Privacy Act 1988 (Cth).
- Disruption to operations – personnel are forced to devote time and resources to resolving the issue and recovering from an attack.
- Loss of sensitive information – BEC attacks often involve the theft of sensitive information, such as confidential business data or personal information of employees and customers. The theft can severely affect the privacy and security of individuals and businesses.
Reducing the risk of a BEC attack
It is important that every business understands cyber risk and takes steps to mitigate it. This means being prepared, knowing how to respond, and understanding both your regulatory requirements (i.e. notification requirements under privacy legislation) and your contractual requirements (i.e. any obligation under your contracts with third parties to notify them of a breach).
Preventing BEC attacks requires a multi-layered approach that includes a combination of technical and non-technical measures. Some key steps that organisations can take to reduce the risk of BEC include:
- Take a top-down approach – your company directors need to be aware of the risks of BEC and actively guide the business's strategy around privacy and data security.
- Raise employee awareness – educate your employees on how to recognise, report and respond to a BEC attack. Employees are the first line of defence against BEC scams, so regular training on cybersecurity and phishing awareness is critical. Training should cover how to spot phishing links, how to avoid clicking on unknown links or attachments, how to check for a mismatch between the display name, sender domain and reply address, and other red flags, reinforced through 'phish' simulations.
- Create a culture of compliance – ensure that privacy and data protection policies are in place (and updated regularly) and that employees are aware of and trained in those policies. Make it easy for employees to report suspicious emails.
- Vendor management – verify the authenticity of all vendors and suppliers before making payments or providing sensitive information. Establish alternative channels of communication to confirm requests (e.g. a phone call or in-person conversation), especially for large or unusual transactions, and never confirm a request using contact details supplied in the request itself.
- Payment verification – establish clear policies and procedures for financial transactions, such as requiring multiple levels of approval and verification for EFTs and other financial transactions, and treat any request to change a supplier's bank details as a high-risk transaction requiring independent confirmation.
- Improve your email security – there are many options available, such as multi-factor authentication, email filtering, email encryption and anti-phishing software. Work with your IT team or engage a cyber security consultant to conduct a security audit to identify potential vulnerabilities and ensure that security measures work as intended. Keep all software up to date, including anti-virus software.
- Back up data regularly – take regular backups of critical data and store them in a secure location, such as an off-site server, to minimise the impact of a BEC attack.
- Prepare an incident response plan – this helps security teams to quickly detect and analyse the breach, assess the impact and effectively remediate the threat.
By taking these steps, you can reduce the risk of falling victim to a BEC attack and minimise the impact of an attack if one does occur. It is important to remain vigilant and stay informed about the latest threats and trends in cybersecurity. Being proactive about information security is essential.
If you would like to discuss BECs in greater detail, how to respond to an attack, compliance requirements or have your privacy and data protection policies reviewed or updated, get in touch with a member of our Sierra Legal team today.