Executives top of the chain target for cyber attacks

There are predictions that losses from BECs will hit RM34.9b in 2018


Companies’ executives, including CEOs, will be the most likely targets for phishing emails and ransomware attacks in a trend that will continue this year.

Trend Micro Malaysia Sdn Bhd manager of technical sales Law Chee Wan said hackers want to focus on any party that has the authority to authorise wire transfers, which makes such executives highly targeted.

“This scam is known as a business email compromise (BEC). A phishing email could be anything: an invitation or an e-card. A keylogger will be installed on the system and hackers will try to capture a person’s credentials via the keystrokes that are made.

“The hacker will then create other applications to trick the company into paying the ransom,” he said during a cybersecurity briefing last week.

He added that this scam is not to be taken lightly — BECs are expected to increase 2,370% year-on-year, according to the US Federal Bureau of Investigation.

“This has so far been the most lucrative for hackers — more often than not, companies (will) pay the ransom.

“Companies usually will not disclose this information as it involves people and can cause huge uproars within the companies themselves if stakeholders find out hackers have been paid off,” Law added.

The European Union’s (EU) General Data Protection Regulation announced last year is set to have broad implications for businesses.

According to this law, which will be implemented in May this year, any security breach must be reported within three days and must include the nature of the breach, along with the individuals impacted, or face a fine worth 4% of the company’s annual revenue.

Trend Micro Malaysia managing director Goh Chee Hoh said this would also affect local companies that do business with any country in the EU.

Goh said another type of BEC is a business process compromise, but this takes longer and is growing at a slower rate because it is much more difficult to achieve.

“This type requires an internal person who understands the business. By tampering with the transactions, they can modify details and use various systems to commit fraud,” he said.

He stressed the need for awareness — for example, the segregation of duties so each person knows their role and is able to pick up something that might go wrong.

“Companies — especially the ones in the banking sector — must be quick to catch something wrong, all this is (achieved) through awareness and education,” Goh said.

According to Law, the evolution of bitcoin as a method of payment has proved to be a great tool for hackers to sell and receive payment anonymously.

“Bitcoin payment has made it easy; hackers want the money fast, so they target places like hospitals or giant retail outlets, where people have no choice but to pay.

“Catching them takes longer, as payment cannot be traced back easily,” he said.

Guarding the perimeter was at one point sufficient to ensure all computers were protected, but the fact that devices are now carried around by users makes it harder.

“Endpoints are the new entry points. So, for instance, you could go to one coffee shop, move to a restaurant, then go back to the office.

“You’ve had three different wireless networks connected to the mobile and hackers only need to get into one connection to spread infections to everyone in the office through your device,” Law said.

He said that for people who develop software and applications, security is a key factor in ensuring the success of the app.

“Usually, it’s about whether the app works or not, but security should be more of a concern — especially if it involves buying or selling items over the Internet.”

Goh concluded by saying the spreading of ransomware is currently at a record-breaking speed, yet some companies have a very complacent attitude about it.

“User behaviours have changed drastically in the last 10 years, and so have infrastructures. People have to be aware that one solution will not protect all; instead, we need to take a more proactive approach.

“At Trend Micro, we use something called the ‘right technique at the right time’ — this means using data collected to cover all layers of protection.”