The $9 billion BEC threat you can't ignore

Business email compromise (BEC) attacks are expected to cost businesses $9 billion by the end of 2018, according to Trend Micro estimates. In this discussion with Roger Sels, VP of information security at DarkMatter, and Jack Koziol, CEO of Infosec, you'll learn more about BEC attacks and measures you can take now to protect your organization. Kristin Zurovitch, director of marketing at Infosec, helps guide the discussion and takes listener questions.


Chris Sienko: Hello, and welcome to today's installment of the CyberSpeak with InfoSec Institute Podcast. Each week, we aim to bring you a new and informative information security training and security awareness topic in a variety of formats. For this week's installment, we'll be presenting a webinar we recently hosted entitled Business Email Compromise: the $9B Security Threat You Can't Ignore. Our guests today are two of the world's leading cybersecurity experts. Roger Sels is the VP of information security at DarkMatter, an international defense and cybersecurity consultancy and implementation firm headed in the UAE. He is responsible for overseeing all aspects of the company's infrastructure, driving forward security policy and ensuring IT risks are well managed. Just this month, Roger was named a CISO 100 in the prestigious Middle East Security Awards.

Jack Koziol is the CEO and founder of InfoSec Institute. With years of private vulnerability and exploitation development experience, Jack has trained members of the US intelligence community, military and federal law agencies, as well as delivering security awareness and training for Fortune 500 companies, including Microsoft, HP and Citibank. Jack is the lead author of The Shellcoder's Handbook: Discovering and Exploiting Security Holes. He also wrote Intrusion Detection with SNORT, a bestselling security resource. Jack has appeared in USA Today, CNN, MSNBC, First Business, and other media outlets for his expert opinions on information security. Along with our moderator, Kristin Zurovitch, please welcome Roger Sels and Jack Koziol.

Jack Koziol: BEC hits really at the heart of the intersection between people and technology. And, in an ever-evolving world, these BEC attacks that social engineer or take advantage of people's trust or lack of understanding of technology systems make them extremely successful. If you were to walk up to the accounts payable person in your organization and say, "Transfer $100,000 to this account," they would not fall for that. You couldn't just walk up to someone and tell them to do that. But, if you can impersonate someone by disguising yourself as them through an email or disguising yourself as a CEO through an email, then these attacks become plausible and you can see why they're such a great impact.

The other reason that they're so successful is that, in a lot of cases, they are in conjunction with other attack vectors. So, in some cases, people that are orchestrating these attacks will compromise the accounts of an executive or someone within the organization and actually send an email from their account, so you're dealing with two different attack vectors. It's a BEC attack, but it has occurred because they've compromised the account of someone within the organization, and those can be much harder to detect, and a lot more dangerous. You can see how these attacks have had a big impact.

Kristin Zurovitch: Roger, based on your experience and the work you do both as VP of information security at your own organization and as a consultant, what do you see that makes these attacks so successful?

Roger Sels: Thank you, Kristin. Well, to expand on Jack's point, it's a technological attack, and the attacker can be fairly confident that, in a lot of cases, it's going to fly under the radar undetected. These are two real key elements to an attacker because they can leverage them very successfully and keep on doing that until they hit a target that is going to give them the operational outcome that they desire. It's exploiting a number of weaknesses in human psychology, and that's always been proven in the past, even, to be successful when people would actually phone you up and try to steal the information. But, now, you have an automated layer around it to be able to target more victims at the same time.

Kristin: Sure. Now, your role is actually quite unique, as I mentioned. Not only are you in charge of information security at DarkMatter, but your firm, your company DarkMatter is advising clients on how to protect their organizations and data, as well. I'm interested if you can share with us some of the real-world security challenges that you're facing these days, and what kind of measures you're taking to address these.

Roger: That's a very good question. One of the things internally that we set out to do is to define the right measures across people, places and technology and apply these controls in equal parts. It wouldn't really be efficient to say, "Okay, only the next quarter, we'll focus on getting more technology," because you then would ignore a couple of controls that can be implemented at the process level, or you couldn't be gaining any efficiency and effectiveness from security awareness training of your staff, so you have to keep balancing your security program to cover all these aspects. And, that's essentially also what our teams advise our clients on, defining that overarching security program, seeing what the maturity level of the program is with the client, and then tailoring the program to address these specific issues across people, technology, and process.

Kristin: I was just wondering if you could share some specific examples within your organization where security awareness education was one of those mechanisms that you use to battle.

Roger: When we designed the security program, we built it so that the message would be reinforced. So, when new staff is onboarded, we have a security induction training. In that training, we share effective, or, sorry, actual examples of attacks that we have seen that were targeting certain members of staff. If we have people of a certain job role and we've seen attacks tailored to that job role, we will highlight that, as well. We try to tailor it a bit to the audience, and we reinforce this security awareness campaign with posters, and, I would say, quarterly messaging by myself on new threats and how to deal with them.

Specifically tailored to BEC, we have a wider anti-phishing program where we explain the psychology of the attacker and how they will try to induce a response from staff. And, the security measures that we have in place like visually marking emails, tagging them as spam, filtering them to a separate folder, so we educate people on what kind of controls we offer to the organization and what they can expect. But then, most importantly, we tell them, "Look, if you get a request that, in any way, seems abnormal, especially if a sense of urgency is being created, it is all right for you to question that, to reach out to the alleged counterparty via internal means and ask for confirmation; 'Did that message come from you?'" So, we establish that culture.

Later on, we will, then, start an internal phishing campaign. And, after a while, we also perform a more targeted team exercise. In the phishing campaign, for instance, the goal is not to trick and police 100% into clicking on the link or in sharing information, and that's what I see goes wrong in a lot of these campaigns. The planning phase and how you reach the objective are key. I saw it even with my teams. They were, at some point, really trying to figure out for this user population: what is the most effective message that's going to yield the highest click rate? I had to adjust that to say, "Well, that's not the scope of the exercise." We're also not going to relax our security controls to make our campaign more effective because we've been training people on the effectiveness of certain controls and we want them to feel that this is a piece of education that we're offering and that we're not out there to get them, if that makes sense.

Kristin: That totally makes sense, and actually, I think that's a really good point. I've heard you talk about this a little bit, as well, Jack, in the philosophy behind employee education. I guess, based on your experience and what you've seen with a variety of different clients, I guess, can you speak to that philosophy a little bit more?

Jack: Yeah, I think it's really important to not have an adversarial relationship with your user base as an information security professional. Security awareness programs, they're not about tricking people. They're about educating people or about building a positive culture around security champions that identify attacks that do the right thing and practice good security hygiene, so these are real important points about having an effective security awareness program that retains buy-in throughout the entire organization.

Kristin: And, as I'm thinking about educating the entire workforce, there are different levels of individuals and how well-tuned or well-honed their security aptitude might be. I think of those individuals in the organization; we tend mostly to think of IT folks or the more technically savvy or maybe developer or engineer types who may almost seem beyond needing awareness education just by their technical nature. I guess, Roger, within your organization because you also have a fairly technical staff, how do you actually go about educating or implementing the change that you need in your organization when you have so many individuals, seemingly, who are quite technically adept?

Roger: That's a very good question. We had to come up with a number of scenarios for these people because, obviously, if we send them an email saying, maybe a more advanced example where we could send a fake reset-your-Outlook-passwords type of email, that wouldn't work with these people. And, as you rightly said, we even have a couple of departments where we have, for instance, penetration testers. We have security researchers. They're even more savvy than the IT folks. What we did there is we tried to play into messaging that we knew was coming out from HR or other initiatives and see how they would respond to really nontechnical stimulants. I know, at some point, one of our team members was inviting people to obviously fake lunches with our CEO to reward their performance and to discuss their evolution in the company. And, surprisingly enough, that passed through a lot of people's defenses. Even worse, we had one gentleman who, that particular day, didn't bring in any lunch. So, I think the lesson we can draw from that is that if you teach a man to fish, he will eat for his entire life. If you phish him for free lunch, he'll starve.

Kristin: I love that, too funny. I know one of the things I also hear when it comes to BEC is there's the education portion of this. You're making sure that you equip your employees, your staff with the skills so that they can detect and help protect not only their own personal data, but the data of the company. But then, there's also kind of a policy or a procedural side of BEC because BEC, by its nature, is social engineering at its finest. I'm wondering if either of you can talk to any internal processes or policies that organizations should maybe take notice of or look at updating, reviewing, adapting because of what we're seeing on the BEC front right now? Maybe, Roger, we'll start with you.

Roger: Obviously, when you look at these policies, you have to start with high-risk policies, especially when it comes to financial fraud or the possibility for fraud, analyzing all of these separate processes that could lead to funds being diverted to a different account. For instance, there might be a standalone process that is just updating the details of a vendor, but, later on, is processed by a different team to make a payment or even make a recurring payment so that, at a later stage, some funds would be released. So, you have to go back to your business stakeholders and really ask the questions on, "Okay, what are the controls that you have in place to catch that? Would you catch that?" and try and assimilate that while, at the same point, raising the awareness within, for instance, such functions that handle payments, handle invoice updates or vendor or partner detail updates on the risks that they will face, and showing them examples.

Kristin: Do either of you have some specific examples of, whether it's financial or other processes within an organization that you've seen organizations change what their practice is?

Jack: Well, I think you're seeing organizations of all sizes implement much more strict international wire transfer policies, and that is in response to the most common type of BEC attack, which is an attack where a wire is sent internationally, as we've talked to you today. So, of all shapes and sizes, everyone from a small manufacturing plant of a couple hundred people all the way up to the largest organizations, you're really seeing a lot of movement around that. And, to add to that point is: policies are great, and it's great when it's backward-looking that these are the threats that have come up in 2017, 2018 are around wire transfers and international wire transfers, but where is the ball going and where are we headed with this, and how can we implement policies that are going to help us prevent the 2019 attacks?

So, I think we're seeing a shift of a lot of BEC attacks moving from the traditional wire transfer scam into other types of scams that are actually more damaging: intellectual property theft, credential theft, large scale database attacks that are ... a large Fortune 500 organization, if someone steals $500,000 from them, it's bad. It's not good, and no company wants to lose that amount of money, but it's not going to impair their business to the point where they can't operate. But, you have a large scale attack where someone steals intellectual property or steals the entire database of all their customers, those are existential events that could potentially end the business. So, looking forward-looking with policies, I think is really important as we go into 2019.

Kristin: Very good.

Roger: But then, if I may add to that, Jack, it's copying that to the right technology controls because, as you said, okay, somebody, for instance, trying to steal the customer database, that's where you could introduce a DLP or pair it with a number of other controls that can help thwart the actual fact. You would be late in the kill chain, but that should be a measure that you've thought of already and have implemented.

Kristin: And, I think that's something we can talk about right now is, you have employee education, making people cyber aware. You have policies, procedures that you're reviewing and updating as appropriate, and then there are all these technical controls that you can put in place. Maybe let's talk a little bit about the phishing kill chain and, from the point that things are coming into the organization to the point that, potentially, information might be leaving your company. Can we talk a little bit about some of the technologies that organizations should think about having in place across that kill chain? Maybe why don't we start with the front end of the kill chain, and: how do you gate things from coming in?

Jack: Yeah, well, when you're talking about the kill chain, specifically to phishing attacks, the first key element is filtering, and how good is your filtering? You want to try to identify a lot of these phishing attacks. The traditional phishing attack, spear phishing attack where you're redirecting someone to a link or you're trying to compromise them through an attachment, an executable or a document that has a zero-day exploit in it, those type of things are more easily filterable than normal business communication, which is what a BEC attack really is. It's just normal business communication, and they're much harder to filter. I think, as we move forward and we see AI and machine learning being applied more rigorously and to gateway filtering devices, I think we're going to get better at blocking BEC.

The other technology thing, and a real simple way to detect stuff — and, there's not a lot of easy wins in security — is putting banners that identify emails that come from external email addresses, a simple banner that's always auto-attached to the subject that shows that this is an external email, a lot of times, is going to identify a lot of the typosquatting, a lot of the really clever domain registration that's taking advantage of Unicode domains that are now possible. That real simple thing can reduce BEC attacks by quite a bit. I pulled a little bit of data on our system, SecurityIQ. Since we've launched our BEC feature a couple months ago, we've seen about eight million phishing attempts that went out. And, organizations that flag emails from external email addresses have a much lower, 60% lower compromise rate on BEC emails, so that's an easy win that you can implement, and it doesn't cost you anything. It's a mail server configuration, but, yeah, that's early in the attack chain. I don't know if there's more I want to talk about that.

Kristin: Is there anything else you'd like to add, Roger?

Roger: Actually, I think that is the key measure to put in place against BEC. And, one of the things that we noticed internally that was very effective is not just prefacing the label to say, "Warning," or, "This is a spam message." By default, we now just classify everything with a header to say, "This is likely a phishing attempt." That just triggers that awareness immediately in people because, okay, a spam message, people are likely to start thinking, "No, it's misclassified. I was expecting this. It's from my vendor. It's from my partner." But, if you tell them, "Well, it's phishing," it's a different expectation. We've had some very positive return from staff saying, "Actually, you made me think differently before opening that email, and not just blaming the system that it was inadequately labeled."

Kristin: That's good. I guess, do we want to move maybe further down the kill chain, then? What next steps should people be looking at?

Roger: Sure. I think, as we touched upon credential theft, it's quite important to have a central identity and access management solution with single sign-on and tying it into a two-factor or multi-factor authentication so that if a user's credentials would be stolen, would have been volunteered up, they're actually not usable on the estate, and that can also reduce some frustration with staff members because now you have to rotate passwords less. You can make them a little bit less complex, and it just helps make it a bit more seamless from a user point of view.

Jack: Yeah, that's a key critical piece of your infrastructure, is your IAM, and also how you manage that. Another piece in the kill chain is: once a phishing email gets through your defenses, what do your users do? As Roger mentioned, awareness, training is really important. But, on a technical point of view, it's an easy way for them to alert the organization that they have received a phishing email. Technology that is integrated in whatever email client so they can push a button and report that email directly into their SOC or whatever incident response capabilities your organization has so that when these attacks do happen, the people that can take action on it at the security team know about it. And, if your user population can do that quickly and easily with the push of a button and you reward them through your awareness program or through recognition, that's going to build a lot of cyber resiliency within your workforce if you have that piece of technology in place.

Roger: I fully agree with you, Jack, and that's also something that you can then push as lessons learned back into the security awareness program and highlight it to staff, "Well, somebody reported this email. We filtered it." In some cases, it is a very targeted email to a number of key people. We've gone as far as saying, "Okay, we will actually filter for this message across all mailboxes and preventatively delete the mail so that nobody else can interact with it without actually opening or viewing content," obviously, so, maintaining data privacy. But then, we share that back with the users or the employees, and they see how they can become an integral part of this anti-phishing and anti-fraud defense program, and that seems to resonate with them quite a lot.

Kristin: And, I guess, if we keep moving down that chain, again, there are BEC attacks which will have some success. Someone will click. They will be in the process of gathering whatever information is requested, I guess. What do you do at the end of that chain to prevent information, whether it's private information, secure information from actually leaving the organization?

Jack: Yeah, there's a variety of technology solutions out there around data loss prevention. Some are easier to configure than others, and some organizations can implement these, but, some sort of monitoring of what's leaving the organization and an automated response to try and block certain flagged bits of data from going out is necessary. And, additionally, on top of that is configuring people in sensitive roles to not be able to auto-forward emails out from their mailbox, and the reason for this is, if your mailbox is compromised and someone is actively using your mailbox for a BEC phishing attack, a big piece of that exploit, if you want to call it an exploit, is setting up auto-forward emails to forward these responses back out. And, if they don't have that capability, that's going to force them to routinely or automatedly repeatedly check that account to get information. And, the auto-filtering also is used in a lot of these cases to prevent information from getting to the person's inbox that was compromised. Think of a wire transfer confirmation or an alert that, "You shouldn't do this wire. That would be filtered if that inbox was compromised," so, if it's possible, disabling auto-forwarding along with DLP can stop some of the ... can be your last line of defense.

Kristin: Sure, and, actually, Adam, who joined us, today — and, thanks for tuning in, Adam — had a question related to DLP. He's wondering: does attacker-controlled encryption bypass DLP?

Jack: In some cases, it does. But, unknown encryption detected on your network that is going out ... there's an encrypted data stream going out and you don't know what it is and where it's going, that in of itself is something that should be alerted on and could be a sign of something bad. So, now, pretty hard to detect attacker-controlled encryption from just normal web traffic, but that in of itself is something that could be suspicious. But, definitely, DLP can't decrypt everything.

Roger: Jack, if I may, here, I'd like to share a different perspective. I don't disagree that DLP today is a viable solution, but I think, in the future, we'll be moving more towards DRM technologies, and some of these are really maturing right now where, in essence, you're encrypting the file or the data, structured and unstructured data, and establishing a key server and ACLs to these keys for your organization, for partners. And, even after transmitting the data, you can revoke access to the file where it seems less frictionless setting up a DLP and where I see maybe less abilities for an attacker to counter that system.

Jack: Yeah, I personally don't have experience with those technology solutions, but it sounds really promising, and it just seems like a good idea to have control over your data regardless of where it is: in the cloud, on someone's desktop, with your partner. That is a holy grail, in a lot of cases, so if we're getting to that, that's wonderful. And, if you can make one of those work for your organization, definitely, you should.

Kristin: Very good. We have another question, here, from Johnathan. He's asking: if we look back, he's interested in either or both of your thoughts on how we actually got to this point with BEC attacks, and, why is the bar to BEC attacks so low, today?

Jack: Well, I think if you look at traditional phishing attacks, you've got to get through defenses, and you've got to sneak a URL through defenses that are going to check that URL for malicious content. Or, you have to send an attachment, and we've really gotten better, as an industry. A lot of phishing attacks, those URLs are detected. A lot of content that is malicious is blocked. Even document-based content is deconstructed. There's a lot of tools out there, nowadays to deconstruct documents, put them back together and remove anything that doesn't conform to, say, the PDF standard. That could remove any sort of unknown attack into.

But, business email compromise, there's none of that, and it's easy. If you think about how hard it is, it really is, it really is very hard to create a zero-day attack for a document or for a file or a browser. You can see that the bug bounties on these things are in excess of many millions of dollars. These tools aren't available to everybody, but, spoofing an email, sending an email, pretending to be somebody else, just being a jerk, almost anybody can do that, so the bar is very low to orchestrate these attacks, so that's why we're seeing a lot more of these.

If you think about where that's going, in security, attackers are always ahead of us in terms of innovation on attack types, so you can see that that's kind of where we've gone as an industry. And also, the other part to it, just to add, not to be too long-winded, but the return on investment is great. If you're going to steal hundreds of thousands, millions of dollars from an organization and all you have to do is get three or four people together and start spoofing emails, that's a pretty good return on investment, especially if you're outside of the purview of any real law enforcement.

Kristin: Roger, did you have anything else to add?

Roger: Well, maybe just to emphasize what Jack said, that entry bar has gotten a lot lower, and, probably, indeed, because, as organizations, sorry, because, as a cybersecurity community, we've helped organizations improve their security posture. They're patching faster. They're detecting and responding to incidents a lot faster than a couple of years ago. Security controls offered by modern operating systems have also raised the bar, as Jack mentioned. It's a natural evolution to come back to the user, and I think, in the next years, likely, we'll see more multistage and multichannel type of attacks where, initially, the attacker built up some rapport with the victim, exchanges a couple of very benign emails, and then, only at a later stage, really tries to push the victim to open the link, open an attachment. Maybe there will be some emphasis added through a calling campaign following up and really adding more pressure on people, and that will be the next difficult stage of that attack to detect.

Kristin: That's actually a really interesting segue. I just got a question in from Marty, and Marty's wondering: where is this all going? He's interested in what you guys think the threat landscape might look like in two years. So, I guess this is your opportunity to look into your crystal balls and share where you do think this might go. I guess, Jack, do you have any other ideas playing off of what Roger just said?

Jack: Sure. More complex attacks, attacks that use multiple vectors ... you see phone, SMS, email. I think you'll also see social media play a part in attack vectors. As the defenses within corporations and organizations become better and better, the attack vector may just switch to targeting people's personal communication streams through Snapchat, email, their personal email. They move to a softer target in terms of that. As far as the nature of the attack, 2017, 2018, it's all about the international wire transfer. That's what you hear over and over again. And, as those get locked down and as people have better processes and technology to combat that, people will move to other areas within the organization that are less of a direct win in terms of a monetary compromise. So, I see the landscape shifting towards that in the next year or two.

Kristin: Very good, thanks. I have a question here from Rob. First of all, he says thanks for the webinar. He's also wondering if you can speak to some of the technical aspects of locking down links in email which can launch background processes to engage other services. And, as an example, he gives voice over IP or collaboration applications, which have access to make background telephone calls. Any thoughts on that?

Roger: I'll take it, Kristin, if that's fine for you.

Kristin: Absolutely.

Roger: There are two aspects, and that's detecting when a second process is being launched, and you can implement a couple of controls around that. We're even seeing that in emails through [inaudible 00:38:21] where documents are being opened automatically or commands passed to other programs. Specifically, in a VoIP setting, a control that you would typically try to put up is if a session time becomes too long or if a call duration hits a certain limit, that you would reset that call. And then, if certain calls incur a different cost, that that would be a fixed barrier or parameter set to drop the call, as well.

Jack: Yeah, that's really good advice there, Roger. I would even say, if you're repeatedly attacked through URLs that launch a VoIP call, detonate all those URLs. It's not that big of an inconvenience to have to switch into the app and make the call versus it being launched from a URL. So, you may have to fight some internal political battles to do that, but, if that's a problem, just shut it off. And then, intelligently filtering, as mentioned before, emails from external sources, if you have an external source and it contains a URL that launches a VoIP call, detonate those URLs. Shut them off so that people can't just click right into that. They have to go into the app and make a decision. It doesn't mean that people aren't going to go do that, and that's kind of where it comes back to security awareness and how you're training your people. But, give them an opportunity to pause their workflow, their mental workflow on clicking on a VoIP call and going into it.

Kristin: Good. And then, Rob actually had a followup question in the same vein. He's wondering about business email lockdown on mobile devices and if you have any advice or recommendations there, either of you.

Jack: Yeah, mobile is harder. With desktop email clients, we have a 20-year history of being able to augment and improve the client. So, with Outlook or if it's Gmail, we have a real robust, flexible architecture for vendors to provide additional tooling to help you. But, on the mobile space, it's good and it's bad; it's more locked down. So, you're less able to influence how the mobile client behaves, and you're more reliant on message transport into that mobile client. In those cases, you're just going to have to get more creative with how that message transport happens and when it happens, and what gateways are in place. Yeah, I think that's all I've said. I don't know, Roger, if you had any other experience on mobile email client lockdown.

Roger: I fully agree with you, Jack. It is definitely a more difficult landscape to address. And, some of the advice that you typically hand out in security awareness training doesn't really work on the mobile. You know how you educate people to always be vigilant of which email domain they've received an email from? Actually, on a mobile client, you wouldn't see the full email domain sometimes, and that's what we've seen. People will just set it up with a name of, for instance, one of our executives and a random Gmail address, send an email because, when it pops up on the mobile, all people see is the name of the executive. We've really had to think about a couple of filtering strategies, say, "Well, if the name matches with one of our executives or other key people in the organization and it doesn't match with their approved internal email address, we'll still filter it into the spam filter and give a warning that this may be a phishing attempt," but it's still hard to make that more visual on the mobile platform.

Jack: Yeah, it's especially a change just with character length and touchscreens. It's very hard to scroll to the side just to see if they've got a long subdomain, so, yeah, big challenge and definitely an area that I'm sure providers of mobile email clients are looking to address.

Roger: Just one thought to add, though: in these samples, you typically would have already locked down certain content, and people, at least in the organization, don't tend to have access to their most sensitive documents and data on the mobile. So, I guess the risk is more of being lured into malicious websites and submitting their credentials. Then, there are the other measures that we discussed on the webinar so far, the dual-factor authentication, multifactor authentication, and a number of these others like identity and access management that come into play, again.

Kristin: Very good. We do have a couple other questions that, unfortunately, we are not going to have time for today, but we'll circle back with those of you folks that have submitted those questions after the webinar and provide some thoughts there. I think maybe I'll do a quick recap just of some of the high-level things that we've learned today. Roger, you and Jack both highlighted three key areas where, as I understood it, our viewers should really focus their BEC mitigation efforts. One is assessing and implementing the necessary technologies throughout the phishing kill chain, whether that be filtering abilities to catch BEC attacks upon arrival. I know you talked about that, Jack. We talked about identity and access management. You had some good ideas there, Roger, and we also touched on DLP and DRM as a future way to mitigate those types of attacks. The other thing was really taking a look at and updating any of those internal policies and procedures, particularly those related to financial transactions or sharing of private information, both internally and externally. Then, lastly, the third area was to develop a strategy to educate your employees on the threat of business email compromise. How do they detect a BEC scam? What should they do if they receive something suspicious, things like that.

Kristin: And, I think one of the key things that we certainly learned on the education front is, if you don't already have a security awareness training program in place, now is really the time to start developing and thinking about that. Here at InfoSec Institute, we've developed SecurityIQ, which Jack had mentioned previously. With more than 1,200 awareness training modules, SecurityIQ really helps you train your employees and build that proactive culture of cyber awareness that we've been talking about. In addition to an interactive BEC training module that's included in the platform, it also includes more than 20 BEC phishing templates that you can use, so you can actually simulate requests for things like wire transfers or fake invoices. Or, maybe it's W-2 information or VPN password resets. The beauty of SecurityIQ is that it actually takes it one step further by then providing you simulation reply tracking and sensitive data detection. And, what I mean by that is you can actually see who responds to a mock BEC attack and what information they may have shared via that simulation.

Chris: Thank you for joining us for this week's episode. Remember, you can subscribe to our weekly podcast, CyberSpeak with InfoSec Institute, or by visiting our channel on YouTube. Just search for the InfoSec Institute YouTube channel to see all of our videos. If you like what you heard and you want to learn more about information security training and security awareness, please visit our website, We also have a blog, which is updated every week with new articles, videos and tutorials on topics ranging from product management to penetration testing, which can be found at Thanks again for listening, and we'll see you back here next week.
