The simplicity of business email compromise attacks will increase targeted scams
One of the newest cybersecurity terms to familiarise yourself with is business email compromise (BEC). This is where an organisation’s finance department is tricked into transferring funds to a cybercriminal’s account.
These attacks are comparatively simple to carry out, and according to research by security firm Trend Micro, the average payout for a successful BEC attack is USD 140,000, the price of a small house. This is large compared to the average payout for a ransomware attack, which is usually 1 Bitcoin, valued at USD 722 when the research was released in late 2016 but worth USD 1700 at the time of writing.
BEC attacks will rise in popularity because their technical barriers are low, they are hard to detect, and once the money has been transferred abroad it is challenging for law enforcement agencies to coordinate across jurisdictions and catch the criminals.
Business process compromises will gain traction, particularly against the financial sector
Another new type of attack we expect to see more of is business process compromise (BPC). This involves first hacking into a network and then modifying the information in a particular business process to reroute funds or services.
The biggest incident of this kind was the Bangladesh Bank heist, which led to the loss of USD 81 million, transferred to accounts in Sri Lanka and the Philippines. However, these attacks are not restricted to financial transfers, as shown in 2012 when the Antwerp Seaport’s shipping container system was hacked to cover up drug smuggling.
Cybersecurity practices tend to focus on keeping intruders out rather than on monitoring whether the data driving a particular business process has been modified, which leaves process integrity an attractive avenue for a determined attacker.
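As an added illustration of the process-level monitoring the paragraph says is usually missing (this is example code written for this page, not from the article, Trend Micro or any named victim), the script below checks an outbound payment run against an approved vendor register. The register, payments, vendor ids and IBANs are all constructed sample data; the point is that a payment is compared with the baseline signed off by finance, not with the live master data an intruder may already have edited.

```python
import copy

# Constructed sample: the vendor register as last signed off by two approvers.
# In practice this snapshot would be stored outside the ERP the attacker targets.
APPROVED_VENDORS = {
    "V-1001": {"name": "Acme Components", "iban": "DE89370400440532013000"},
    "V-1002": {"name": "Globex Logistics", "iban": "GB29NWBK60161331926819"},
}


def audit_payment_run(payments: list, live_vendors: dict, approved: dict) -> list:
    """Return (subject, reason) findings for a payment batch.

    Two checks: (1) has the live register drifted from the approved snapshot,
    and (2) does each payment's beneficiary match the *approved* record.
    Checking against the live register alone would miss a BPC attack, because
    the attacker edits the master data so payment and live record agree.
    """
    findings = []
    for vid, ref in approved.items():
        live = live_vendors.get(vid)
        if live is None:
            findings.append((f"REGISTER:{vid}", "vendor removed since approval"))
        elif live["iban"] != ref["iban"]:
            findings.append((f"REGISTER:{vid}",
                             f"iban changed since approval: {ref['iban']} -> {live['iban']}"))
    for p in payments:
        ref = approved.get(p["vendor_id"])
        if ref is None:
            findings.append((p["id"], "vendor not in approved register"))
        elif p["iban"] != ref["iban"]:
            findings.append((p["id"], "beneficiary differs from approved register"))
    return findings


def run_demo() -> list:
    """Constructed scenario: V-1002's IBAN is silently changed in the live system."""
    live = copy.deepcopy(APPROVED_VENDORS)
    live["V-1002"]["iban"] = "LT601010012345678901"  # constructed attacker-controlled account
    payments = [
        {"id": "P-1", "vendor_id": "V-1001", "iban": "DE89370400440532013000"},
        {"id": "P-2", "vendor_id": "V-1002", "iban": "LT601010012345678901"},  # agrees with live, not approved
        {"id": "P-3", "vendor_id": "V-9999", "iban": "FR7630006000011234567890189"},
    ]
    return audit_payment_run(payments, live, APPROVED_VENDORS)


if __name__ == "__main__":
    for subject, reason in run_demo():
        print(subject, reason)
```

Only P-1 passes; the register drift, the rerouted P-2 and the unknown vendor on P-3 are all reported before any funds move.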
Data protection regulation implementation and compliance will raise administrative costs across organisations
In Singapore, the Personal Data Protection Commission (PDPC) has been actively investigating reports of inadequate data protection and handing out fines to organisations in breach of their obligations set out in the Personal Data Protection Act (PDPA). As more of these incidents are publicised, organisations in Singapore will be increasingly motivated to change their policies and business processes, raising administrative costs.
Another related factor is that in 2018 the EU’s General Data Protection Regulation will come into force, meaning that all organisations that capture, process, and store the personal data of EU citizens must comply. Enterprises found in breach of this regulation can be fined as much as 4% of global turnover. As a result, compliance and data protection will become even more important for organisations over the coming years.