Insular McAfee Labs Report “2016 Threats Predictions”

I recently read McAfee Lab’s 2016 Threat Predictions Report. It’s worth a few minutes of your time.

McAfee Labs Report 2016 Threats Predictions cover

A highlight for me was a great quote:

Everywhere we go and in everything we do, we are leaving a trail of “digital exhaust.”

On the downside, the report is disappointingly consistent promoting this trend: Organizations depending far too much on preventative technology for cyber risk reduction. We certainly need preventative measures, especially automated ones. But putting most of your cyber risk reduction money in technology-based solutions is not setting you up for success to fight tomorrow’s greatest threats to your digital assets.

As you well-know, McAfee is a vendor of technology solutions. So from that angle I’m not surprised to find McAfee’s otherwise insightful report largely ignoring the people, process, and management aspects of cybersecurity. Still, it would have been so much more useful to their audience and more powerful for their brand if they had gone beyond this narrow view of the world, apparently informed by their existing catalog of solutions.

Here’s the standout example: No mention was made of business email compromise (BEC) as an emerging threat. Which is unfortunate because BEC has become a very effective way to digitally steal millions by using the anonymous nature of email to compromise people and process. In fact, the FBI recently reported the global losses due to BEC as $1.2 billion in just two years. It’s as bad as you think:

According to IC3, since the beginning of 2015 there has been a 270 percent increase in identified BEC victims. Victim companies have come from all 50 U.S. states and nearly 80 countries abroad. The majority of the fraudulent transfers end up in Chinese banks.

Let’s put a face on it: In June 2015, Ubiquiti Networks lost $46 million from BEC. To their credit, Ubiquiti disclosed the loss in a 8-K statement in August.

While you can put some email filtering in place to help detect BEC, training your finance people and strengthening the controls in your payments processes is where you’ll get the real prevention. Would you handle it some other way?