NYDFS, HIPAA, GDPR? As Cyber-defenses are Hardened to Comply with an Alphabet Soup of Regulatory Mandates, Organizations are Growing More Vulnerable to Cyberattack—Not Less
Name the industry, and it’s safe to say that regulatory governance efforts have IT and security teams racing to erect new cyber-defenses to address a rising tide of domestic and international mandates.
But if that isn’t painful enough, a swelling wave of business email compromise (BEC) scams and other advanced email attacks are threatening to blow all your best-laid compliance efforts to smithereens.
Just ask Equifax. On September 20, 2018, British regulators fined the credit reporting agency £500,000 for failing to follow its own security policies after its 2017 breach exposed data on 147 million customers, including 15 million in the UK. That breach was traced to an unpatched web application flaw rather than to email, but the fine shows the penalties now attached to any lapse in basic controls, whatever the initial vector.
The fact is, the number of regulations in force keeps growing: new AML laws, GDPR, and California's far-reaching new Consumer Privacy Act, on top of old favorites such as Sarbanes-Oxley and HIPAA. As regulatory fervor grows, virtually every organization in every sector has been hardening defenses and putting new policies and processes in place to avoid steep fines for data breaches.
But while you’ve been busy beefing up cybersecurity to meet stringent new data protection and reporting rules, the bad guys have been quietly mastering an attack vector that lets them bypass those defenses completely: email. And most email security systems in place today can’t do a thing about it.
The fact is, organizations receive, on average, one new phishing email every six minutes.
Some of these messages hide malware or remote access trojans (RATs) in innocuous-looking attachments. Others contain links to phishing sites. And truth be told, Secure Email Gateways (SEGs) and other defensive technologies do a pretty good job of catching these and other, more overt phishing expeditions.
Far tougher to detect: messages that combine advanced identity deception tactics and social engineering techniques to fool recipients into thinking they’re coming from a trusted executive, colleague or outside vendor.
There is nothing in the header or the message body to raise suspicion: no malicious attachment, no link to a phishing site, and the message typically authenticates cleanly because the attacker sends it from a domain they control, a free webmail account, or a compromised legitimate mailbox. Nothing apparent in the content or sender infrastructure sets off alarms, either. According to Verizon's 2018 Data Breach Investigations Report, 4% of recipients fall for a given phishing campaign, and these malicious missives hoodwink staff and even C-suite executives into divulging sensitive data, handing over login credentials or initiating a fraudulent wire transfer.
The typical attack lures in its first victim in under four minutes, with average losses in excess of $130,000 per incident. In a recent survey, 92% of organizations report having been hit by BEC schemes, and the FBI puts exposed losses from BEC worldwide at more than $12.5 billion since 2013.
Now, there are signs that a growing number of regulations may just be making things worse.
Beyond immediate losses from a successful email attack, organizations also face the associated costs of detection, escalation, legal expenses and more.
Then there are those data breaches. Today, 93% of all breaches begin with an email attack. The average loss, according to the 2018 Total Cost of a Data Breach Report from Ponemon: $7 million. For financial services, the average is $12 million. For the healthcare and technology sectors, it’s $14 million.
Adding insult to injury: regulatory fines. Under HIPAA, failure to protect patient health information can cost $55,910 per violation, up to roughly $1.6 million per year for repeat violations of the same provision. Under GDPR, fines can reach 4% of global annual turnover or €20 million, whichever is higher. There can also be significant reputational damage to the organization and its executives, and under some regulatory mandates, even criminal charges.
It’s so bad, some industry observers are speculating that fraudsters may soon start extorting companies over the stolen data itself—on top of all the other ways they’ll monetize it. Why? Because organizations will happily pay a smaller ransom for non-disclosure than what would be far steeper fines and other consequences.
As the realization of their vulnerability to advanced BEC scams sinks in, some organizations will react to threats as individual security incidents. They will feel the pain, but not look for a systematic approach to dealing with it. Some might try to tweak existing email security controls, usually to no avail. But others have already begun to implement AI-based solutions that enable what some call "the intelligent inbox."
This is the direction we have taken at Agari, and have implemented at some of the world's largest banks, government institutions and online enterprises. At its most essential, this approach uncovers BEC attacks when the usual signals, such as content and sender reputation, raise no flags.
Here is how it works. AI runs on top of a massive global data set consisting of around 2 trillion email messages annually to assess such factors as telemetry from the email headers, sender-recipient relationships, and behavioral context.
With the vast majority of emails being legitimate, we’re able to use this approach to model good messages and to ferret out anomalies that just don’t seem to match what we might expect from historical interactions.
Each anomaly is scored, and when specific threat thresholds are met, the message can be intercepted before reaching its target, blocking attacks that would otherwise go completely undetected. What's more, this AI-based solution gets smarter with each new email analyzed, and with each new member organization contributing threat intelligence. It is an application of the network effect.
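To make the scoring idea concrete, here is an added, deliberately small illustration of identity-deception scoring over email headers. It is not Agari's code or model; the organisation data (the internal domain, the executive directory, the sender-recipient history), the feature weights and the threshold are all constructed for the example. It checks the four signals a header-only analysis can see even when content and sending infrastructure look clean: a display name that matches an executive but an address that does not, a domain within a short edit distance of the organisation's own, a Reply-To that diverts replies elsewhere, and the absence of any prior sender-recipient relationship.

```python
"""Toy identity-deception scorer for BEC triage (illustrative, not a vendor's algorithm)."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "bob smith": "bob.smith@example.com"}
# Sender-recipient history: recipient -> addresses seen in prior legitimate mail.
HISTORY = {"alice@example.com": {"jane.doe@example.com", "vendor@acme-supplies.com"}}
THRESHOLD = 50  # assumed cut-off; a real system would tune this per organisation


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, reasons) from header signals only; the body is never read."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    from_dom = domain_of(addr)
    score, reasons = 0, []

    # Display name of a known executive, but not that executive's real address.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        score += 40
        reasons.append("display-name impersonation")

    # Sender domain is a near miss for our own domain (typo-squat / homoglyph).
    if from_dom != INTERNAL_DOMAIN and levenshtein(from_dom, INTERNAL_DOMAIN) <= 2:
        score += 40
        reasons.append("lookalike domain")

    # Replies are silently routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != from_dom:
        score += 35
        reasons.append("reply-to domain mismatch")

    # This recipient has never corresponded with this sender before.
    if addr not in HISTORY.get(recipient.lower(), set()):
        score += 15
        reasons.append("first contact")

    return score, reasons


def is_suspicious(raw):
    return score_message(raw)[0] >= THRESHOLD


# Constructed sample messages (headers only are needed).
LEGIT = "From: Jane Doe <jane.doe@example.com>\nTo: alice@example.com\nSubject: Q3 numbers\n\nSee attached."
IMPERSONATION = ("From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: alice@example.com\n"
                 "Reply-To: jane.doe.ceo@gmail.com\nSubject: Quick favour\n\nAre you at your desk?")
LOOKALIKE = "From: Accounts Payable <ap@examp1e.com>\nTo: alice@example.com\nSubject: Updated bank details\n\n..."
COMPROMISED = ("From: Bob Smith <bob.smith@example.com>\nTo: alice@example.com\n"
               "Reply-To: bob.smith@outlook.com\nSubject: Wire today\n\n...")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("impersonation", IMPERSONATION),
                       ("lookalike", LOOKALIKE), ("compromised", COMPROMISED)]:
        print(label, score_message(raw), "BLOCK" if is_suspicious(raw) else "deliver")
```

The weights are additive so that one strong signal (impersonation or a lookalike domain) plus the weak "first contact" signal crosses the threshold, while a genuine first message from a real executive does not. The COMPROMISED case shows why Reply-To divergence deserves a high weight: the From address is the executive's real, authenticating mailbox, so reputation and authentication checks pass, and only the relationship and reply-routing signals remain.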
For organizations, the benefits can be significant.
Perhaps for the first time, employees can open and respond to what reaches the inbox with far greater confidence that it is what it claims to be. That in itself can result in tremendous time and cost savings, removing the tedious routine of individuals assessing the legitimacy of each email they receive.
Then there’s the time drain that goes with making calls and using back channels to verify a message’s validity if it comes into question.
At the same time, security teams are relieved from an endless stream of incident requests, many of which are false positives. Not to mention the scramble that comes from reacting to a very real security threat when humans fail to recognize an email attack and are tricked into taking an action.
No matter the path organizations take to defeat BEC, it can't come too soon. In one recent incident, for instance, hundreds of US utility companies, already stretched thin by regulatory demands, failed to detect and stop a Russian state-backed spear-phishing campaign, aimed largely at their vendors, that gave attackers a foothold in control-room networks. As CSO reports, this was after the Department of Homeland Security had warned the sector about the campaign.
In another, a network of Denver-area health clinics paid a $400,000 settlement to US regulators after falling prey to a phishing attack that exposed the personal health records of 3,200 patients.
Though details may differ by industry, these organizations are hardly alone, and the attacks won’t stop. With effective security governance so central to complying with a growing list of regulations, the only question is how well and how fast organizations can prevent BEC attacks and other advanced email threats from costing them big.
To learn more about business email compromise (BEC) attacks and how to protect your organization against a growing number of threats, download the Business Email Compromise Report from Agari