Business email compromise (BEC) attacks, where scammers impersonate or even hijack legitimate email accounts to commit fraud, are on the rise. According to Barracuda’s latest Spear Phishing report, BEC attacks made up 12% of all spear-phishing attacks throughout 2020, an increase of 7% on the previous year. These attacks are highly successful at tricking people into doing the threat actors’ bidding. They are also difficult to spot, let alone stop, especially when they come from compromised internal accounts.

Perth-based Stagecoach Group, which operates buses and coaches across the UK, learned this when it began its move to the cloud. An uptick in BEC attack attempts forced the company to take steps to improve its email security.

Security education is a journey, not a destination

As group CISO at Stagecoach, Lee Cartmell has led its security function for over two years and has helped guide the company through a transformation to the cloud and a more modern security approach. He is keen to ensure security isn’t a blocker on the business, by demonstrating its value to the board.

“People aren’t going to get on a bus because we’ve got great information security controls, but we can be subject to fines, regulations, and so on if we don’t have the proper controls in place,” says Cartmell. “We need to give the board that awareness that I’m not just costing you money. Look at what I’m saving you from and look at what we’re helping you from.”

Security awareness training is a high priority for Stagecoach. The message must reach staff whose work is more physical than that of the average office employee. Stagecoach does this by tailoring the security messaging to specific roles and helping employees practise security in their personal lives, which then drives better behaviours in the workplace.

“Quite rightly, they are only interested when we explain it in a way that it matters to them,” Cartmell says.

The company releases two-minute learning videos and leaflets explaining how employees can protect themselves at home and in the workplace. The security team also runs roadshows on topics such as “How you secure yourself in personal life”, “How to secure your social media”, and “How to secure your personal emails”.

“When something does go wrong or they get something they’re unsure of, they’re much more likely to come to us and say, ‘I have had this email that was from Spotify but with two T’s,’” says Cartmell.

COVID, cloud leave users unsure about security at home

With COVID forcing companies to adopt remote work at scale, they have had to rethink how they approach security education and awareness. Companies that had never been set up for home working, culturally or in terms of technology, suddenly had to ensure people were productive and secure.

Cartmell says that while Stagecoach saw reduced bus operations during the pandemic, from an IT perspective the company was much busier. The IT and security teams rapidly enabled remote working for staff even though the company had never embraced it before. “As you can imagine, primarily if you’re not in a bus depot, a garage, or a support function building, you were not really seen to be working, because you need to be where the bus is and where the people are. What Stagecoach does is serve people and serve the public. So, we had to very quickly teach the company how to work from home and how to work from home securely.”

Cartmell and his team had to go beyond their usual security education efforts to ensure staff knew how to work securely on laptops and other devices: locking PCs at home, storing them out of sight in case of a break-in, and telling the security team if something occurs that might not be as easy to detect beyond the corporate firewall.

Next stop: Greater email security

As part of its digital evolution, the company adopted a new email gateway solution from Proofpoint. “The previous email gateway we had was fine, but it wasn’t giving me any visibility,” says Cartmell.

The issue of email account takeover attempts didn’t go away, so Cartmell added two-factor authentication and an ID-as-a-service platform via Proofpoint’s People-Centric Security. The visibility into potential malicious activity that has been blocked has been invaluable, especially when talking to the board. “I can see the Emotet viruses that are sent to us and how many of them we stop every month. I can see all the remittance-type email attachment emails that are sent to financing and stopped before they go through.”

“Before, I could say ‘we’re getting loads of emails that are potentially harmful’, and they’ll trust me, but actually being able to show them over a four-month period eight million emails were destined for Stagecoach and around one-and-a-half million [safe emails] actually make it through to your environment, that was really valuable.”

There have been attacks on other companies in the industry, and after those companies gave Stagecoach a heads-up on what they were seeing, Cartmell was able to confirm that similar malicious emails had already been blocked before they reached employee inboxes. “It’s brilliant that I can show that to the board.”

Is DMARC worth the fare?

Stagecoach has also implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) to protect its 1,200-plus domains. DMARC is an email protocol designed to prevent unauthorised use of domains and email spoofing attacks; its use is growing despite it often being difficult to implement.

“It’s difficult to get through, definitely,” Cartmell says. “Many organisations will have a large number of domains and similarly named domains that they register and hold onto for fear of spoofing. When you’re looking at your sending domains and your main domains, email or messages are going to be coming from and to, I think it’s really valuable, and from a reputational risk [perspective] I think that’s absolutely fantastic.”

Aside from configuration and implementation, one of the challenges around DMARC is how easily it can start blocking legitimate emails from domains that might be little-used or not widely known within the company. “We’re forever aware of not having a negative impact on the organisation, certainly at a time like COVID,” says Cartmell. “The last thing we want to do is stop a marketing email going out with a fantastic offer because we’ve turned on DMARC and we’ve missed something.”

To prevent this, the security team monitors emails rejected under DMARC controls for any that should have been allowed through, then quickly remediates the issue. Cartmell adds that preparation is key: security should ensure that the different business functions know the change is going ahead, so that they know what to look for and can tell security which domains matter to the business.
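The monitoring step described above, as an added example that is not part of the original article or Stagecoach’s own tooling: a DMARC aggregate (rua) report in the RFC 7489 XML format is parsed to surface high-volume rejected sources, the usual signature of a legitimate sender (a marketing or ticketing platform) that was never added to SPF or DKIM. The report, IPs and domains are constructed for illustration.

```python
"""Triage a DMARC aggregate report for legitimate senders being rejected."""
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 schema, made-up values):
# one passing source, one high-volume rejected bulk mailer, one low-volume spoof.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>bulk-mailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def rejected_sources(report_xml: str, min_count: int = 10):
    """Return (source_ip, count, spf_domain) for rejected rows with count >= min_count.

    A rejected source that sends in volume and passes SPF for some third-party
    domain is a strong candidate for a forgotten legitimate sender; low-volume
    rejections are more likely spoofing and are filtered out by min_count.
    """
    root = ET.fromstring(report_xml)
    hits = []
    for rec in root.findall("record"):
        row = rec.find("row")
        if row.findtext("policy_evaluated/disposition") != "reject":
            continue
        count = int(row.findtext("count"))
        if count < min_count:
            continue
        spf = rec.find("auth_results/spf")
        spf_domain = spf.findtext("domain") if spf is not None else None
        hits.append((row.findtext("source_ip"), count, spf_domain))
    return hits
```

Lowering `min_count` shows every rejection, which is useful in the first weeks after moving a domain to `p=reject`.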