Cyber attacks on SMEs take many forms, but Business Email Compromise (BEC) is a growing threat in its own right. In a BEC attack, criminals compromise or impersonate a work email account and use it to deceive staff into transferring money or divulging sensitive data. The messages often impersonate or target senior executives and those with financial authority within SMEs, and they exploit the trust and urgency inherent in business communications.
To help you understand this threat and get your SME better protected against it, here we explain how BEC works, consider some other key cyber threats and give guidance on what you can do to prevent them.
The Rise of BEC Attacks
BEC attacks, a sophisticated form of phishing, have increased significantly over the last decade. A recent UK government report covering 2023 found that, among organisations that identified an attack in the previous 12 months, phishing was the most common type, reported by 84% of businesses and 83% of charities. These attacks are becoming not only more frequent but also more cunning in their execution.
New Guidance from the NCSC
In response to this escalating threat, the National Cyber Security Centre (NCSC) has published guidance specifically tailored for smaller organisations. It is a good starting point for an SME because it sets out practical steps to reduce the risk of falling victim to a BEC attack, even if you have no dedicated cyber expertise or budget.
Detecting and Preventing BEC Attacks
BEC attacks are notoriously difficult to detect: the messages often contain no malware or malicious links for security software to catch, just a plausible request from someone who appears to be a colleague, supplier or customer. Attackers then apply pressure, creating a sense of urgency so the victim acts before checking. The NCSC’s guidance suggests several strategies to bolster your defences:
- Reduce Your Digital Footprint: Limit the amount of personal and organisational information available online. Details such as who handles payments, who reports to whom and which suppliers you use let attackers craft convincing messages, and the more an attacker knows about you, the easier it is for them to impersonate you or get into your accounts.
- Educate Your Staff: Training employees to recognise phishing emails is crucial. Look out for unusual requests, especially those involving payments, changes to bank details or sensitive data, and for pressure to act quickly or keep the request confidential. Most successful BEC attacks work because a person was deceived rather than because a system was broken, so give staff clear instructions: any request to make a payment or change supplier bank details should be confirmed with the requester through a known phone number, never by replying to the email, and staff should know who to tell, without blame, if they think they have clicked or paid.
- Apply the Principle of Least Privilege: Ensure that employees only have access to the information and systems necessary for their role. This limits the damage if an account is compromised: if only two named people can approve payments or amend supplier bank details, an attacker who takes over any other mailbox cannot do so directly. Granting wider access than a role needs just creates extra risk and responsibility for no benefit.
- Implement Two-Step Verification: Requiring a second factor at login, in addition to the password, stops most attackers who have obtained or guessed a password from getting into your email accounts. The options vary by email provider; an authenticator app or a hardware security key is stronger than a code sent by SMS, which can be intercepted or socially engineered. Bear in mind that two-step verification protects the account itself; it does not stop an attacker who simply sends mail from a lookalike domain, so staff vigilance still matters.
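As an added illustration of the “unusual requests” the list above tells staff to look for, the following Python script (written for this article, not part of the NCSC guidance or of PayCaptain’s software) triages constructed sample emails for the most common BEC tells: a display name that matches an executive but comes from a different address, a sender domain that is a lookalike of your own, a Reply-To pointing somewhere other than the sender, urgent language paired with a payment request, and a request to change bank details. The organisation domain, the executive list, the keyword lists, the score thresholds and the three messages are all assumptions made for the example.

```python
"""Heuristic triage of inbound email for Business Email Compromise (BEC) red flags.

Added example for this article, not the NCSC's or PayCaptain's code. Every
domain, name, keyword list, threshold and message below is an assumption.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

ORG_DOMAIN = "example.co.uk"                 # assumption: the SME's own mail domain
EXECUTIVES = {                               # assumption: display names attackers would impersonate
    "jane smith": "jane.smith@example.co.uk",
}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(bank (account|details)|wire|transfer|invoice|payment|gift cards?)\b", re.I)
DETAIL_CHANGE = re.compile(r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|sort code|iban)\b", re.I)


@dataclass
class Triage:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def flag(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def verdict(self) -> str:
        # Thresholds are assumptions; tune them against your own mail flow.
        if self.score >= 4:
            return "hold: verify by phone before acting"
        if self.score >= 2:
            return "caution"
        return "ok"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains (examp1e, exarnple)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain within two edits of our own, but not our own, is a likely impersonation."""
    return domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage(msg: dict[str, str]) -> Triage:
    """msg carries lower-case header keys: 'from', optional 'reply-to', 'subject', 'body'."""
    t = Triage()
    name, addr = parseaddr(msg["from"])
    from_domain = domain_of(addr)
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"

    # 1. Display-name impersonation: the name of a known executive, a foreign address.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        t.flag(3, f"display name '{name}' matches an executive but address is {addr}")

    # 2. Lookalike sender domain (typosquat of our own domain).
    if is_lookalike(from_domain):
        t.flag(3, f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Replies silently diverted to a domain other than the sender's.
    reply_to = msg.get("reply-to")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_domain:
            t.flag(2, f"Reply-To domain {domain_of(reply_addr)} differs from sender domain")

    # 4. Pressure plus money: the classic CEO-fraud combination.
    if URGENCY.search(text) and PAYMENT.search(text):
        t.flag(2, "urgent language combined with a payment request")

    # 5. Invoice redirection: asking you to pay a "new" account.
    if DETAIL_CHANGE.search(text):
        t.flag(2, "asks to change bank/payment details")

    return t


# Constructed sample messages for the example; none are real.
SAMPLES = {
    "ceo_fraud": {
        "from": "Jane Smith <jane.smith@gmail.com>",
        "subject": "Urgent - confidential",
        "body": "I'm in a meeting, need you to transfer 12,000 today. Will explain later.",
    },
    "invoice_redirect": {
        "from": "Accounts <accounts@examp1e.co.uk>",
        "reply-to": "accounts@mail-examp1e.com",
        "subject": "Updated bank details for invoice 4471",
        "body": "Please note our new bank account for all future payments.",
    },
    "benign": {
        "from": "Jane Smith <jane.smith@example.co.uk>",
        "subject": "Team lunch",
        "body": "Shall we book somewhere for Friday?",
    },
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        r = triage(m)
        print(f"{label}: score={r.score} verdict={r.verdict}")
        for reason in r.reasons:
            print("  -", reason)
```

Run as a script it scores the CEO-fraud and invoice-redirection samples as “hold” and the team-lunch message as “ok”. Rules like these belong alongside staff training, not in place of it: an attacker who has taken over a genuine mailbox passes every sender check above, which is exactly why the guidance insists on confirming payment requests through a separate, known channel.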
The guidance also outlines steps to take if you suspect an email account has already been compromised or a fraudulent payment has been made. Typical first steps are to change the password and sign out all active sessions, check the mailbox for forwarding or deletion rules that attackers commonly add to hide their activity, and contact your bank immediately, since a prompt call can sometimes stop or recall a payment. Acting quickly mitigates further damage, and alerts on unusual sign-ins or newly created mailbox rules give you the early warning you need to act at all.
Beyond BEC: Protecting Other Areas
While BEC is the headline threat, other systems that handle money, such as payroll, are also prime targets, particularly when they are run through online software.
If you use digital payroll solutions, or are looking to, then favour those with recognised security credentials. PayCaptain, for example, is ISO 27001-certified and Cyber Essentials-certified, meaning it has independently assessed controls in place to protect and manage a business’s financial data and mitigate the risk of cyber threats.
Planning and Preparedness
Implementing the steps detailed in the NCSC’s guidance will significantly reduce the likelihood of a BEC attack succeeding, and of attacks on other online systems where your data could be compromised. However, it is also crucial to plan for the possibility that one does succeed.
The NCSC’s ‘Exercise in a Box’ provides a valuable resource for practising your response to cyber attacks in a safe environment. Regularly testing your response plan ensures that your team is prepared to act swiftly and effectively in the event of a real attack.
Stay Protected
By educating your staff, reducing your digital footprint, limiting access to what each role needs and protecting accounts with two-step verification, you can create a robust defence against BEC and other cyber threats. So stay vigilant, stay informed, and make sure your SME is prepared to respond to a cyber incident.