Organizations are increasingly turning to software-as-a-service (SaaS) offerings to save money on on-premise applications. Improved security is also touted as a benefit, because the vendor looks after upgrades and patches.
However, a quarterly report issued Tuesday by international insurer Beazley Group is a reminder that the cloud doesn’t solve all security problems, such as employees falling for phishing scams. Email compromises accounted for 23 per cent of incidents reported to the Beazley Breach Response (BBR) Services team during the second quarter, says the summary. “Attacks targeting business email accounts continued to climb in the second quarter, particularly for organizations using Office 365,” it adds.
(Source: Beazley Group)
“For larger scale email compromises, if the majority of users sent and received PII (personally identifiable information) or PHI (personal health information), the total cost of legal, forensics, data mining, manual review, notification, call center and credit monitoring can exceed US$2 million,” the report notes. “And even for the smaller scale email compromises, the costs can easily exceed US$100,000.”
To give an idea of how those totals could be reached the report cites a case study of an unnamed health system apparently running Office 365 that was hit by a widespread phishing campaign. The malicious email message included a link to an official-looking website where users were asked to enter their credentials. A forensic investigation revealed that approximately 20 users’ inboxes at the institution were compromised. Assuming the contents of all inboxes were downloaded, those mailboxes had to be searched for personal and health information of patients in case they needed to be notified. Upwards of 350,000 unsearchable documents were found, which then had to be manually gone through. The legal fees, forensic costs, programmatic review, and manual review of documents alone cost just under US$800,000. The cost of notification to patients, call center and credit monitoring was an additional US$150,000.
In addition to using phishing as a weapon, the report notes more sophisticated attackers may exploit PowerShell to log in to Office 365 and do more extensive reconnaissance. “If they are able to compromise credentials for a user with the right administrative privileges, they may be able to search every single inbox for the entire organization.”
If two-factor authentication is available email attacks can easily be prevented, the report notes. It also recommends disabling the ability for third-party applications to access Office 365, which can reduce the likelihood of an attacker using PowerShell for reconnaissance or other purposes.