
Protection Against Business Email Compromise: 8 Key Points for Your BEC Policy

Recent updates have focused on reminding individuals about the threat of Business Email Compromise (BEC) attacks and on showing what these attacks look like at different stages. The updates also aim to explain how these attack techniques have evolved since the last training session. “Regularly inform your employees through training programs about the development of BEC threats and tactics,” said David Derigiotis, Chief Insurance Officer at Embroker, a company specializing in corporate and cyber insurance. He emphasized that simulation tests and other audits should be part of these regular updates. “Fraud has evolved from email to fake audio calls where executives from the leadership team are impersonated. Use simulated phishing and social engineering exercises to test and strengthen employees’ ability to recognize suspicious requests, whether they come in the form of emails or fake audio or video calls.”

Executives and CEOs are advised to mandate that Chief Information Security Officers (CISOs) incorporate BEC-specific procedures into their Incident Response Plans (IRP). Companies should establish guidelines that require security teams to regularly update these IR plans and test their effectiveness. In this regard, security and legal experts recommend that companies involve the legal department in all stages of incident response. The legal department should be particularly involved in incident communication with internal and external stakeholders to ensure that the company does not increase its legal liability in the event of a BEC attack.

“It is best to have these discussions before a breach occurs and plan as much as possible to address issues in advance, rather than taking actions that could inadvertently increase liability that wouldn’t have otherwise existed, or increase liability beyond what already existed,” explained Reiko Feaver, a privacy and data security attorney and partner at Culhane Meadows.

The evolving nature of BEC attacks underscores the importance of staying ahead of these threats through regular education and updating response plans. By proactively training employees and involving legal counsel in incident response, companies can better protect themselves from the financial and reputational damage that can result from a successful BEC attack. It is crucial for organizations to adapt to the changing tactics of cybercriminals and prioritize cybersecurity measures to safeguard their sensitive information and assets. Through collaboration and vigilance, businesses can mitigate the risks posed by BEC attacks and enhance their overall security posture.
