Trend Micro revealed that 43 percent of surveyed organizations have been impacted by a Business Process Compromise (BPC). Despite a high incidence of these types of attacks, 50 percent of management teams still don’t know what these attacks are or how their business would be impacted if they were victimized.
Most popular filename categories used in malicious attachments (based on VirusTotal samples)
In a BPC attack, criminals look for loopholes in business processes, vulnerable systems and susceptible practices. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. If victimized by this type of attack, 85 percent of businesses would be limited from offering at least one of their business lines.
“We’re seeing more cybercriminals playing the long game for greater reward,” said Rik Ferguson, vice president of security research for Trend Micro. “In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates. From there they can insert themselves into critical processes, undetected and without human interaction. For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information – as was the case in the well-known Bangladeshi Bank heist.”
Global security teams are not ignoring this risk, with 72 percent of respondents stating that BPC is a priority when developing and implementing their organization’s cybersecurity strategy. However, the lack of management awareness around this problem creates a cybersecurity knowledge gap that could leave organizations vulnerable to attack as businesses strive to transform and automate core processes to increase efficiency and competitiveness.
Distribution of methods used for email-only attacks based on the techniques used
The most common way for cybercriminals to infiltrate corporate networks is through a Business Email Compromise (BEC). This is a type of scam that targets email accounts of high-level employees related to finance or involved with wire transfer payments, either spoofing or compromising them through keyloggers or phishing attacks.
In Trend Micro’s survey, 61 percent of organizations said they could not afford to lose money from a BEC attack. However, according to the FBI, global losses due to BEC attacks continue to rise, reaching $12 billion earlier this year.
Ferguson continued: “To protect against all forms of BPC attacks, business and IT leaders must work together to put cybersecurity first and avoid potentially devastating losses. Companies need protection beyond perimeter controls, extending to detect unusual activity within processes if attackers breach the network. This includes locking down access to mission critical systems, file integrity monitoring, and intrusion prevention to stop lateral movement within a network.”