by Bharat Mistry
Business Process Compromise (BPC) cyber-attacks are not often covered in the media. Their distant relative, the similar-sounding Business Email Compromise (BEC), tends to get most of the billing, especially after the FBI branded it the most costly threat of 2018. But the truth is that this broad category of attacks is a major threat to organisations. Last year we revealed that 43% of US and European firms had been impacted by BPC.
In the latest findings released from that survey this week, two thirds of financial services firms called out BPC as a serious threat. Yet a lack of awareness at senior levels may be holding back efforts to combat it.
Playing the long game
Like BEC, BPC attacks hijack everyday business processes, but that is about where the similarity ends. BEC scammers rely on social engineering from start to finish; in a BPC attack social engineering is usually only the entry point, and what follows is far more complex, which is why these attacks are mainly carried out by serious organised cybercrime groups. Once the attackers have gained access to a target network, usually via classic spear-phishing, they will often conduct months of painstaking reconnaissance before they strike. The idea is to build a detailed picture of internal business processes, IT systems and protocols, so that when they finally hijack a process they do so without setting off any internal alarms.
Often, the aim is to covertly alter internal payment processes, as in the infamous Bangladesh Bank heist, in which $81m was transferred to accounts under the control of the attackers. But it could also be "piggybacking" on a legitimate process, as we saw in a two-year attack culminating in 2013 in which hackers hijacked transportation processes at the port of Antwerp. This allowed them to remotely identify and then intercept containers in which they had smuggled two tonnes of narcotics. BPC has also been used for market manipulation: a Russian trading system was targeted, causing a fluctuation in the Dollar/Ruble exchange rate.
The case for investment
It is no surprise that 66% of financial services organisations we spoke to across the US and Europe said BPC was a major threat to their business. But there are issues: 51% cited a lack of awareness of the threat among senior management. That is bad news, as it could prove a barrier to investment in mitigating measures. Security leaders will have to work harder to communicate in business terms the risks associated with BPC. The relatively large number of banks that have haemorrhaged money from such attacks in the past will help them make their case.
Once that money is secured, how should it be spent? CISOs must remember that it is almost impossible to prevent a determined attacker from breaching their defences. Because a BPC attacker spends months inside the network studying its processes before acting, that dwell time is the defender's best opportunity: it makes it more important than ever to invest not just in perimeter security but also in tools to spot unusual activity inside the network, and in process controls that make a single compromised account insufficient to move money. Proactive steps could include:
- Behavioural monitoring, intrusion prevention and file integrity monitoring to spot suspicious activity inside the perimeter, including changes to the configuration files and templates that payment processes depend on
- Application control to make it harder to interfere with mission-critical systems
- Regular penetration testing and quality assurance to detect vulnerabilities
- Regular red team exercises to test security readiness
- Separation of duties to limit what any one insider, or any one compromised account, can do on its own
- Dual control for critical tasks such as payment release, requiring two people from different teams, so that hijacking a process means compromising more than one person
- Employee awareness training to minimise the chances of successful phishing and social engineering attacks
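To make the monitoring and dual-control items above concrete, here is an added worked example in Python of a payment-release gate; it is illustrative code written for this article, not a Trend Micro product or any bank's actual control. It combines three of the listed controls: a file integrity check on a payment-routing configuration, a separation-of-duties check that the approver is a different person on a different team from the initiator, and two simple behavioural checks against the history of released payments (a never-before-seen beneficiary, and an amount more than three times the largest previous payment). The team directory, the payment history, the batch and the configuration bytes are all constructed sample data, and the 3x outlier threshold is an assumed rule of thumb, not a recommended value.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Payment:
    payment_id: str
    initiator: str
    approver: Optional[str]
    beneficiary: str
    amount: float


# Hypothetical team directory (constructed for the example).
TEAM_OF = {
    "alice": "treasury-ops",
    "bob": "treasury-ops",
    "carol": "finance-control",
    "svc-batch": "automation",
}

# Constructed history of payments that were already released.
HISTORY = [
    Payment("P-0901", "alice", "carol", "ACME Ltd", 12000.0),
    Payment("P-0902", "bob", "carol", "ACME Ltd", 15000.0),
    Payment("P-0903", "alice", "carol", "Globex Corp", 9000.0),
]

# Constructed batch awaiting release.
BATCH = [
    Payment("P-1001", "alice", "carol", "ACME Ltd", 14000.0),               # clean
    Payment("P-1002", "alice", "bob", "Globex Corp", 8000.0),               # approver on the initiator's team
    Payment("P-1003", "svc-batch", "carol", "Offshore Holdings", 81000.0),  # new payee, outlier amount
]

# Constructed payment-routing configuration, and a copy an intruder has altered.
CONFIG_ORIGINAL = b"settlement_account=GB00BANK00000001\nmax_batch_total=250000\n"
CONFIG_TAMPERED = b"settlement_account=GB00BANK99999999\nmax_batch_total=250000\n"


def baseline_sha256(content: bytes) -> str:
    """Record the hash of a known-good file; keep the baseline where the attacker cannot edit it."""
    return hashlib.sha256(content).hexdigest()


def file_integrity_changed(content: bytes, baseline: str) -> bool:
    """File integrity monitoring: any drift from the recorded baseline is a finding."""
    return hashlib.sha256(content).hexdigest() != baseline


def dual_control_ok(p: Payment, team_of: Dict[str, str] = TEAM_OF) -> bool:
    """Separation of duties: a known approver who is not the initiator and sits on a different team."""
    if p.approver is None or p.approver == p.initiator:
        return False
    init_team, appr_team = team_of.get(p.initiator), team_of.get(p.approver)
    return init_team is not None and appr_team is not None and init_team != appr_team


def behavioural_flags(p: Payment, history: List[Payment]) -> List[str]:
    """Cheap behavioural checks against what this process has done before."""
    flags = []
    if p.beneficiary not in {h.beneficiary for h in history}:
        flags.append("new-beneficiary")
    largest = max((h.amount for h in history), default=0.0)
    if largest and p.amount > 3 * largest:  # assumed 3x threshold
        flags.append("amount-outlier")
    return flags


def screen_batch(batch: List[Payment], history: List[Payment],
                 config: bytes, baseline: str) -> Dict[str, str]:
    """Decide per payment; a tampered config holds the whole batch, since every payment routes through it."""
    if file_integrity_changed(config, baseline):
        return {p.payment_id: "hold: config-integrity" for p in batch}
    decisions = {}
    for p in batch:
        reasons = [] if dual_control_ok(p) else ["dual-control"]
        reasons += behavioural_flags(p, history)
        decisions[p.payment_id] = "release" if not reasons else "hold: " + ",".join(reasons)
    return decisions


if __name__ == "__main__":
    base = baseline_sha256(CONFIG_ORIGINAL)
    for pid, decision in screen_batch(BATCH, HISTORY, CONFIG_ORIGINAL, base).items():
        print(pid, decision)
    print(screen_batch(BATCH, HISTORY, CONFIG_TAMPERED, base))
```

With the untouched configuration, only P-1001 is released: P-1002 is held because initiator and approver are on the same team, and P-1003 is held on the behavioural flags even though its dual control is satisfied. With the tampered configuration, the whole batch is held, which is the point of hashing the process's inputs and not just watching the transactions themselves.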
Financial services is by no means the only industry at risk from BPC attacks. But in an already highly regulated sector, organisations must ensure their GDPR and PSD2 compliance efforts don’t detract from the equally important task of tackling advanced cyber threats like these.