How Stagecoach stops BEC attacks with security training, email controls

A move to the cloud during the pandemic created an uptick in business email compromise attacks. Here's how the UK bus operator responded.

Business email compromise (BEC) attacks, where scammers impersonate or even hijack legitimate email accounts to commit fraud, are on the rise. According to Barracuda’s latest Spear Phishing report, BEC attacks made up 12% of all spear-phishing attacks throughout 2020, an increase of 7% on the previous year. These types of attacks are highly successful at tricking people into doing the threat actors’ bidding. They are also difficult to spot, let alone stop, especially when coming from compromised internal accounts.

Perth-based Stagecoach Group, which operates buses and coaches across the UK, learned this when it began its move to the cloud. An uptick in BEC attack attempts forced the company to take steps to improve its email security.

Security education is a journey, not a destination 

As group CISO at Stagecoach, Lee Cartmell has been leading its security function for over two years and has helped guide the company through a transformation to the cloud and a more modern security approach. He is keen on ensuring security isn’t a blocker on the business by demonstrating its value to the board.

“People aren’t going to get on a bus because we've got great information security controls, but we can be subject to fines, regulations, and so on if we don't have the proper controls in place,” says Cartmell. “We need to give the board that awareness that I'm not just costing you money. Look at what I'm saving you from and look at what we're helping you from.”
