Categories
Security

Increase in remote work sparks insider threat concerns

Any horror movie junkie will tell you, if the protagonist gets a creepy phone call, it’s probably coming from inside the house. That same logic can be applied to cybersecurity and insider threats — especially now that more than half of US employees are working remotely. In fact, insider threats increased by 25 percent last year, thanks in large part to remote work. 

Insider threats are largely misunderstood, yet their costs to organizations can be just as high as attacks by cybercriminals. And while breaches by insiders are most often the result of well-intentioned negligence, remote work has further complicated (and diluted) office security, leading to an increase in the use of shadow IT. Of course, we can’t forget that deliberate, malicious sabotage by insiders, though less common, is also made that much easier by remote work.

Remote work a boon for insider threats

As of today, more than half of the American workforce is working remotely “always” or “sometimes,” according to a February 2021 Gallup. More than a year into the pandemic and remote work is holding strong — and so are insider threats. 

In fact, insider threats have risen sharply over the last three years in volume and cost. The 2020 Cost of Insider Threats Report by Ponemon Institute found that malicious insider threats increased by 47 percent from 2018 to 2020. In addition, the cost of those threats surged 31 percent over the same period, from $8.76 million to $11.45 million. Of all industries, retail and finance experienced the most growth in insider threats over the two-year period. 

But a rise in remote work is adding fuel to the fire, leading to an even greater increase in insider threats through the pandemic and beyond. Forrester found in its Predictions 2021: Cybersecurity report that breaches caused by employees increased by 25 percent in 2020, thanks in large part to remote work. 

So why does remote work cause insider threats? 

Insider threats were far less threatening before the rise of remote work. Before the pandemic, a minority of organizations’ employees worked remotely, so security policies were lax. (As were the security habits of remote workers.) A lack of physical oversight made it difficult to enforce stronger policies or even to push out updates. Weakened traditional office security infrastructure, going from brick-and-mortar to virtual, also allowed for more mistakes by employees and more opportunities for malicious actors. 

Malwarebytes Labs’ 2020 report on Covid’s impact to business security found that 20 percent of organizations experienced a breach because of a remote worker. Pandemic conditions often led to hastily thrown-together remote infrastructures built by potentially outstretched, overworked, or underfunded IT/security teams. Work from home (wfh) user behavior also led to mistakes, resulting in security breaches. That behavior has only been exacerbated the longer the pandemic has stretched on. 

Margaret Cunningham, principal research scientist of Forcepoint X-Labs, recently conducted a survey of 2000 European workers’ wfh behaviors to determine why insider threats happen. She found that while younger workers reported a much higher use of shadow IT than older workers, an average of 50 percent were using some sort of shadow IT. That’s a lot of people and a lot of different exposure points for organizations’ assets and data. 

The survey found that mistakes were made by users because of:

  • increased stress (especially for caretakers, such as parents or those caring for a sick or disabled family member) 
  • blending of personal and professional boundaries 
  • lots of distractions 
  • well-intentioned innovation or creative problem-solving 

This last one is interesting and may be a harbinger of increased insider threats to come. An employee may be working on something potentially innovative or creative to get their job done, but in doing that, they create security issues.

All of this well-intentioned behavior doesn’t mean the entire US workforce is benevolent. While the majority of insider threats are honest mistakes, there are still plenty of malicious insiders. Ponemon’s 2020 Insider Threats Report also found that 23 percent of insider threats are deliberate, malicious acts. 

Case in point: In Q4 2020, Shopify was breached in an insider incident. The customer data of about 200 merchants was exposed by two employees who were scheming to steal transaction data. The data exposed included details like email, name, street address, and order details, but didn’t involve complete payment card numbers or financial information. 

While malicious insider threats are less common, they are more costly than those made by careless mistakes. Ponemon found that careless or negligent employees cost organizations an average of $307,111 per incident, and malicious insiders or credential thieves cost $871,686. The cost of insider incidents on the whole has surged by 31 percent over the last two years. 

So what can organizations do to mitigate these risks? What’s NOT going to work is making it even harder to do work because of stringent security policies. We need to think more about what people are doing and why. 

Cunningham’s survey showed that the sense of being burdened by security policies mirrors the use of shadow IT: It’s parallel. We may need to loosen our guard in one area — allow some low-risk security faux paus — in order to shore up the other. Security and IT teams should also be more communicative about why they’re blocking access or what’s at risk. 

For more information on risk mitigation for insider threats, check out this article on building a secure, cloud-based remote workforce: https://blog.malwarebytes.com/business-2/2020/03/remotesec-achieving-on-prem-security-levels-with-cloud-based-remote-teams/

For a refresher on best wfh security practices, consider sending your employees this article: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Here’s a video interview of Margaret Cunningham discussing the factors that influence remote worker behavior: https://www.bankinfosecurity.com/remote-work-creates-insider-threat-concerns-a-16240

Categories
Security

Business email compromise cost businesses $1.8B in 2020

I know looking back at 2020 for any reason can be a less-than-appealing thought. But in the case of business email compromise (BEC), it would not only be a dangerous oversight, but a costly one. In fact, last year BEC cost organizations nearly $2B.

That’s what the FBI discovered (among many other unsavory finds) in its annual Internet Crime Report released March 17. The report states that businesses suffered losses totaling $1.8B, a more than threefold increase from the $54 million lost in 2019. And although the FBI received the most complaints about phishing scams, BEC far outpaced phishing in financial damage, underscoring its tremendous cost — and the need for more awareness.

Last week, the FBI issued another warning to state, local, and tribal governments about BEC — unfortunately, the BEC attacks do not appear to be slowing in 2021.

BEC a growing problem for organizations

People complained to the FBI about business email compromise (BEC) 19,369 times in 2020. That sounds like a hefty number… until you stack it up against the $1.8B in collective losses caused by BEC, according to the FBI’s annual Internet Crime Report. If we divide the cost of BEC losses among the 19,000+ victims evenly, that’s an average of a little less than $100,000 per business. That’s not a loss many businesses could take on the chin lightly.

While BEC might have barely cracked the top 10 most-reported cybercrimes in 2020, it blew away the competition in victim losses. The second-most costly crime was confidence fraud/romance scams at around $600,000, over $1B less than BEC, and it’s not a cybercrime particularly targeted to businesses.

Yet how many could tell what business email compromise looks like? How to spot a BEC scam and properly report it? The best methods to protect against it? Last year, BEC was the most expensive cybercrime, and it was reported far less phishing and its counterparts — vishing, smishing, and pharming — which ensnared nearly 250,000 in 2020, according to the FBI report.

If you’re wondering why I didn’t mention ransomware, it’s because the $29 million in losses reported to the FBI do not paint an accurate picture of the total devastation ransomware wreaked on businesses last year. The FBI’s record is so low because it doesn’t reflect estimates of lost business, time/productivity, wages, customer and company data, equipment, or any third-party remediation services acquired. Which makes the $4.2B in total losses reported from cybercrime in 2020 that much more nauseating.

Getting back to BEC, last week, the FBI warned state and local governments that the onslaught of BEC attacks is not slowing in 2021. The organization issued a Private Industry Notification stating that these smaller government organizations are being targeted by BEC attackers because they have inadequate resources and cybersecurity controls. The FBI cites two risks contributing to these attacks: the move to remote work and the failure to provide sufficient training to the workforce.

So what does business email compromise, or email account compromise (EAC) as some call it, actually look like? BEC/EAC is a sophisticated scam that targets both businesses and individuals that are transferring funds. BEC typically happens when a threat actor compromises a legitimate business email account through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.

But as cybercrime has evolved, so have BEC/EAC attacks. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of CEO or CFO email accounts. Fraudulent emails were sent to unknowing recipients requesting wire payments. Not wanting to question the directions of their superiors, employees typically responded by sending the money first, asking questions later.

Over the years, BEC has evolved to include compromising not just business emails, but personal, vendor, and lawyer email accounts as well. Fraudulent requests have expanded to include W-2 information, large amounts of gift cards, and other personally identifiable information (PII).

In 2020, the IC3 (branch of the FBI researching cybercrimes) observed an increase in the number of BEC/EAC complaints related to sophisticated, multi-pronged cyberattacks. In these variations, an initial victim is first scammed via extortion, tech support scam, romance scam, etc. into providing the criminal with PII. The PII is then used to establish a bank account that will receive stolen BEC/EAC funds, which are then exchanged for cryptocurrency.

Try getting out of that mess! Actually, as with most cybercrime, the best protection is prevention. Here are a few tried and true tips for protecting against BEC/EAC.

  • Keep an eye on the usual phishing red flags, such as odd formatting, bad grammar, or false email addresses.
  • Mind the money: BEC emails typically target someone with access to financial records/finances and may make strange payment requests, such as wiring money to an unknown location.
  • Pay special attention to emails sent by people claiming to be accountants, lawyers, or executives, especially those with a sense of urgency. They may be trying to convince you to wire money in support of a business deal, such as an acquisition. Even if the deal is real, the request may not be.
  • Watch out for vendor email compromise, especially an attack where a threat actor has successfully infiltrated a vendor’s email account. The sender’s domain name is genuine and the transaction may seem legitimate, often with proper documentation attached (because the account has been hacked, not spoofed). However, the processing details direct payment to a different account controlled by the scammer.
  • Add BEC/EAC awareness to your company’s security training regimen. Your IT/security team should be able to recognize a standard phish from BEC, and your other employees should at least get a sense that something’s not right with this email. Anyone working directly with vendors, processing payments, or handling financial records should sit for this training as well.
  • Training alone isn’t enough. Compliance is required to head off BEC/EAC. Employees targeted by BEC are typically mid-level and might be nervous approaching an executive, lawyer, or other purported requester to verify unless there is an accepted protocol for reporting potential fraud.
  • Build a layered defense with technical controls, including multi-factor authentication, encryption, virtual private networks (VPNs), and enterprise security software, like Malwarebytes Endpoint Detection and Response.

For more on the FBI’s Internet Crime Report and the impact of BEC in 2020, read our Malwarebytes Labs blog:
https://blog.malwarebytes.com/business-2/2021/03/report-reveals-the-staggering-scale-of-business-email-compromise-losses/

To read the full Internet Crime Report:
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf