Two-Fifths of Firms Have Suffered "BPC" Attacks
Over two-fifths of organizations have fallen victim to a so-called Business Process Compromise (BPC) attack, despite widespread ignorance among senior execs about the threat, according to Trend Micro.
The security giant polled over 1100 IT decision makers responsible for security across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium and the Czech Republic.
It found that 43% had been impacted by a BPC: a type of highly targeted attack in which hackers look to manipulate an organization’s unique business processes to their own ends.
Such attacks typically involve an initial compromise followed by plenty of lateral movement inside the victim organization to conduct reconnaissance on security gaps and internal processes.
Perhaps the most famous case of a BPC to date was the attack on Bangladesh Bank, where hackers installed multiple layers of malware into the bank’s IT systems to exploit the communications process between the bank and SWIFT. A total of $81m was lost, although the figure could have been much higher if an eagle-eyed employee had not spotted a spelling error on a transfer.
Vice president of security research, Rik Ferguson, claimed cyber-criminals are increasingly playing the long game for greater reward.
“In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates. From there they can insert themselves into critical processes, undetected and without human interaction,” he explained.
“For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information — as was the case in the well-known Bangladeshi Bank heist.”
The good news is that security teams are aware of the threat, with 72% claiming that BPC is a priority for their cyber strategy. However, half (50%) of management teams don’t know what a BPC attack is or how it could impact the organization, Trend Micro warned.
Source: Information Security Magazine