Steps That Should be Taken by the Security Group, Business Continuity, and Finance Teams
Introduction
On Friday, March 10, 2023, news broke that Silicon Valley Bank (SVB) was in trouble. With this news, activities started within our organization to understand our direct exposure. As with any event, what we have learned over time is that fraudsters are quick, and this rang true with SVB. At that point, cybersecurity, third-party risk, and business continuity were not included.
When these situations arise, it’s important to ask questions like: What if your company was hit with a bank fraud event like SVB? Are you prepared? Do you know what steps to take before, during, and after the event? In this document we want to share a few things we learned from the SVB event and how those learnings could help you in your business.
Our first step when the news broke was to look inward. The financial and accounting teams looked at how SVB impacted us directly. While the teams were looking inward, questions arose about whether we had exposure within our suppliers, followed by the realization of the cyber threat. Once we had these answers, we had to incorporate them into our plans.
Second, we realized that we had potential business continuity and/or vendor exposure that we needed to add to the list of tasks to address. While we were thinking about business continuity, we were notified via an intelligence report that fraudsters were taking advantage of the situation by sending out notifications, written as if they came from the vendor, asking companies to change routing and account numbers. We had to ensure that we were following best business practices to mitigate these types of fraudulent requests. Once we got the threat reports, we had to look at our internal procedures and processes. As we looked at how we were doing business, we realized we had an opportunity to make it better.
Reacting to our experience
Using what we learned, we would like to offer a template with some examples of how you can identify, address, and mitigate a fraud event. The most important thing to remember is that you must have a business continuity plan in place and that plan needs to be reviewed and updated on an annual basis, at minimum. The second most important thing to know is that once a fraudulent incident occurs you must be able to record the events not only for clarity in resolving the incident but also for future reference.
Let’s cover business email compromise (BEC) first. As we have become a global community, we need to understand that phishing attacks have become one of the most important areas for all businesses to understand. According to FBI IC3 reports, current BEC reports show that $2.7 billion in financial losses occurred in 2022. In fact, the number of incidents has been steadily rising since 2015, making fraudster attacks extremely important to identify and mitigate quickly. Research tells us that since 2018 BEC has reportedly grown 111%. Given the importance of liquidity, this becomes a key area in which to shore up preventative knowledge and practices. So, the question becomes: how do we prepare for BEC attacks? First, we needed to understand that it’s not just the responsibility of IT to keep our environment safe. There are five (5) key things all companies need to do to build up their knowledge of BEC attacks. They include:
- Being aware of common BEC attack scenarios
- Training employees to recognize BEC attacks
- Creating a culture of compliance
- Building a layered defense with technical controls
- Optimizing accounting controls and systems
Ensuring business continuity
Next, let’s discuss the business continuity steps that should be set up and taken, using the steps we took as an example. This should be done on a timely basis and recorded as a timeline of events. Here’s what that should look like:
How to address exposure that includes companies/people you do business with:
- In this section you would bullet point the steps you have taken to mitigate any further events (e.g., “We have implemented additional controls that include regular auditing to mitigate potential ongoing events.”).
- Ensure you complete an internal audit, on a regular basis, to review information and service changes that may have occurred and to validate that each change was based on an authorized request. All changes should be reviewed and approved appropriately.
- Develop a list of impacted vendors supplying services to your company.
- Reach out to critical customers/partners as soon as you can to understand areas of concern, including questions like:
  - If you have identified that you do have exposure, will you still be able to meet your contractual business obligations?
  - If the answer is no, you cannot meet your obligations, what exposure was identified and what is the impact to (your company)?
  - Are there any other concerns you have as a result of this event?
  - Do you have a business continuity plan in the event of future issues?
How to address your company’s exposure (include customers and partners in this process):
- Bullet each area of business you have addressed
- Describe who you have contacted under each bullet point and how they were contacted (e.g., email, phone call, letter)
- What were the risks that you identified for your company, your customers, and partners?
If you’d like to learn more about what the Netskope Security team is talking about, check out the Inside Netskope Security section in the Netskope Community.