Shared from the 9/23/2019 Financial Review eEdition

SMEs can take the target off their backs


As today’s attackers target human weakness rather than relying solely on exploiting technological flaws, businesses are turning to cloud-based solutions that leverage machine learning to spot bogus emails and activities.

Alongside generic scams, Australia has also seen a rise in targeted attacks, such as Business Email Compromise scams, where attackers infiltrate corporate email systems and do their homework in order to impersonate senior executives. Attackers also scour publicly available sources like business social networks in search of easy prey, such as newly hired finance staff, to craft their attacks.

The attacker waits until the opportune moment and sends a convincing message from a senior executive’s email account, requesting the staff member transfer funds offshore or change bank account details. It’s timed to ensure the apparently urgent email arrives when it is difficult to confirm the request with the supposed sender.

Traditional methods of spotting spoof emails can fail to detect these attacks, which is where machine learning has a role to play in spotting suspicious activity from seemingly legitimate sources, says Garth Sperring, practice lead for network and security at cloud and managed service provider Nexon Asia Pacific.

Often, attackers will reuse the same infrastructure in multiple attacks, leaving a cyber fingerprint.

Modern cloud-based security solutions, like Cisco Umbrella, can identify those fingerprints and provide an automated and accurate first line of defence for all users.

Robust security requires multiple layers of defence, Sperring says, rather than just focusing on the perimeter or on the security of end devices. Increasingly, corporate users connect from many locations and devices – they are no longer behind the traditional firewall; they use cloud services.

Employing security services that watch for suspicious activity rather than simply check credentials is critical, just as a vigilant security guard would question someone in the office acting suspiciously, even if they were wearing a seemingly valid security pass.

“Scanning traffic for threats needs to go beyond simply checking the authenticity of the sender details and studying the language,” he says.

“When detecting sophisticated attacks, your security needs to be smart enough to consider the context and whether this is usual behaviour for that user at that time.”

One of the biggest threats to smaller businesses is complacency, Sperring says, as they work on the mistaken assumption that sophisticated attacks are only aimed at the big end of town and won’t happen to them. Just like businesses, bad actors are also taking advantage of the cloud, automation and economies of scale to broaden their horizons.

These tools make it more feasible and lucrative for them to launch sophisticated targeted attacks against SMEs, which tend to have weaker defences than large enterprises.

Bad actors are leveraging new technologies as force multipliers, to the point where human defenders struggle to keep pace. Businesses must respond in kind, Sperring says, using the same tools to help combat the threat.

Nexon Asia Pacific has seen a rise in such attacks, he says, and real-time visibility into what’s happening across the business is a crucial line of defence. This extends beyond email to cover the availability, accessibility and integrity of all key data and systems.

These broader defences need to be co-ordinated to understand context and correlate events. Suspicious behaviours might include a user logging in from different locations at the same time, appearing to be in two places at once.

This level of real-time visibility allows for preemptive actions to thwart an attack, such as automatically forcing users to provide an extra level of authentication, disconnecting devices from the network or blocking their access to specific services and business resources.

SMEs are viewed as “soft targets”, Sperring says, not just because they tend to employ weaker defences than enterprises but also because they are less likely to appreciate the severity of the threat.

“Security is not a one-off project, not just a box to tick on a checklist, it needs to be continuous, and it needs to be holistic,” he says.

“It’s not just about bolstering your cyber defences; it’s about fostering cyber resilience, so you’re better equipped to defend against attacks and also to weather the storm if they do hit their mark.”

Cyber resilience doesn’t just consider the financial risks to the business but also the operational and reputational risks. It also takes into account the ever-evolving nature of the security landscape in terms of scale, sophistication and attack vectors.

“No one wants to become a newspaper headline but, for many businesses, they only start to take security seriously after they fall victim,” Sperring says.

“It’s not until they feel the pain that they decide to do something about it, which is like waiting until you crash your car before you finally decide to get car insurance.”
