How Stagecoach stops BEC attacks with security training, email controls

A move to the cloud during the pandemic created an uptick in business email compromise attacks. Here's how the UK bus operator responded.

Cybersecurity  >  Email security threats, such as phishing
CHUYN / Getty Images

Business email compromise (BEC) attacks, where scammers impersonate or even hijack legitimate email accounts to commit fraud, is on the rise. According to Barracuda’s latest Spear Phishing report, BEC attacks make up made up 12% of all spear-phishing attacks throughout 2020, an increase of 7% on the previous year. These types of attacks are highly successful at tricking people into doing the threat actors’ bidding. They are also difficult to spot, let alone stop, especially when coming from compromised internal accounts.

Perth-based Stagecoach Group, which operates buses and coaches across the UK, learned this when it began its move to the cloud. An uptick in BEC attack attempts forced the company to take steps to improve its email security.

Security education is a journey, not a destination 

As group CISO at Stagecoach, Lee Cartmell has been leading its security function for over two years and has helped guide the company through a transformation to the cloud and a more modern security approach. He is keen on ensuring security isn’t a blocker on the business by demonstrating its value to the board.

“People aren’t going to get on a bus because we've got great information security controls, but we can be subject to fines, regulations, and so on if we don't have the proper controls in place,” says Cartmell. “We need to give the board that awareness that I'm not just costing you money. Look at what I'm saving you from and look at what we're helping you from.”

Security awareness training is a high priority for Stagecoach. The message must reach staff whose work is more physical than your average office employee. Stagecoach does this by tailoring the security messaging to specific roles and helping employees enact security in their personal lives, which then drives better behaviours in the workplace. “Quite rightly, they are only interested when we explain it in a way that it matters to them,” Cartmell says. 

The company releases two-minute learning videos and leaflets explaining how employees can protect themselves at home and in the workplace. The security team also runs roadshows on issues such as “How you secure yourself in personal life”, “How to secure your social media”, and “How to secure your personal emails”. 

“When something does go wrong or they get something they're unsure of, they're much more likely to come to us and say, 'I have had this email that was from Spotify but with two T's,’” says Cartmell. 

COVID, cloud leave users unsure about security at home

With COVID forcing companies to adopt remote work at scale, companies have had to rethink how they approach security education and awareness. Companies that may have never been set up for home working culturally or in terms of technology suddenly had to ensure people were productive and secure.

Cartmell says that while Stagecoach saw reduced bus operations during the pandemic, from an IT perspective the company was much busier. The IT and security teams rapidly enabled remote working for its staff even though the company had never embraced it. “As you can imagine, primarily if you're not in a bus depot, a garage, or a support function building, you were not really seen to be working, because you need to be where the bus is and where the people are. What Stagecoach does is serve people and serve the public. So, we had to very quickly teach the company how to work from home and how to work from home securely.” 

Cartmell and his team had to go beyond their usual security education efforts to ensure staff knew how to work securely on laptops and other devices, locking PCs at home, storing them out of sight in case of a break-in, and communicating with the security team if something occurs that might not be as easy to detect beyond the corporate firewall.

Next stop: Greater email security

As part of its digital evolution, the company had adopted a new email gateway solution from Proofpoint. “The previous email gateway we had was fine, but it wasn't giving me any visibility,” says Cartemell.

The issue of email account takeover attempts didn’t go away, so Cartmell added two-factor authentication and ID-as-a-service platform via Proofpoint's People-Centric Security. The visibility into potential malicious activity that has been blocked has been invaluable, especially when talking to the board. “I can see the Emotet viruses that are sent to us and how many of them we stop every month. I can see all the remittance-type email attachment emails that are sent to financing and stopped before they go through.”

“Before, I could say ‘we’re getting loads of emails that are potentially harmful’, and they'll trust me, but actually being able to show them over a four-month period eight million emails were destined for Stagecoach and around one-and-a-half million [safe emails] actually make it through to your environment, that was really valuable.”

There have been attacks on other companies in the industry, and after those companies gave Stagecoach a heads-up on what they were seeing, Cartmell was able to identify similar malicious emails had already been blocked before they had reached employee inboxes. “It’s brilliant that I can show that to the board.”

Is DMARC worth the fare?

Stagecoach has also implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) to protect its 1,200-plus domains. An email protocol designed to prevent unauthorized use of domains and email spoofing attacks, DMARC use is growing despite often being difficult to implement. 

“It’s difficult to get through, definitely,” Cartmell says. “Many organisations will have a large number of domains and similarly named domains that they register and hold onto for fear of spoofing. When you're looking at your sending domains and your main domains, email or messages are going to be coming from and to, I think it’s really valuable, and from a reputational risk [perspective] I think that's absolutely fantastic.”

Aside from configuration and implementation, one of the challenges around DMARC is how it can easily start blocking legitimate emails from domains that might be little-used or known to many in the company. “We’re forever aware of not having a negative impact on the organisation certainly at a time like COVID,” says Cartmell. “The last thing we want to do is stop a marketing email go out with a fantastic offer because we've turned on DMARC and we've missed something.”

To prevent this, the security team monitors emails rejected due to DMARC controls for those that should have been allowed through and then quickly remediates the issue. Cartmell adds that preparation is key and that security should ensure that different business functions know the change is going ahead so that they know what to look for and can inform security about the different domains that are important to the business.

Copyright © 2021 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)