Authored by: Brands Committee Chairs
Phishing is still a top-of-mind threat. In 2020, 75% of organizations around the world experienced some kind of phishing attack (https://www.tessian.com/blog/phishing-statistics-2020/) and this figure increased by 22% in the first half of 2021. And according to a Proofpoint study, 74% of phishing attacks in the US were successful. Overall, the 2021 report from Ponemon and IBM found that data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report.
The threat landscape continues to evolve, and threat actors are opportunistic in taking advantage of various events, such as the pandemic, to further their reach. A successful attack can have a serious financial impact for many companies. It’s estimated that the loss is in the billions; in fact, the top 12 phishing breaches alone account for more than 400 million dollars (USD) in losses. Business email compromise (BEC) was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million. The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million) (from the 2021 Ponemon and IBM data breach report).
Financial loss is just one piece of the pie. Reputation is often as important as revenue, and the impact to the brand can go much deeper than revenue loss. It can take just one incident to wipe out a carefully built brand reputation in one fell swoop. A Forbes Insight report found that 46% of organizations had suffered reputational damage as a result of a data breach; 19% of organizations suffered reputation and brand damage as a result of a third-party security breach. And reputation is nearly impossible to fix once the public sees an organization in a bad light.
We often hear about big brands that have experienced a cyberattack, such as Experian, the United Nations, or the anonymous breach of sites such as 8chan and Parler via host Epik. But we rarely hear about smaller businesses. Attacks and breaches can have devastating effects on smaller organizations, which don’t have the resources of large enterprises. Small to Medium Businesses (SMB) are less likely to protect themselves against these kinds of attacks yet are more likely to be targeted (https://www.insurancejournal.com/news/international/2019/02/22/518461.htm).
As technology has grown and spamming and malicious attacks have become more sophisticated, it is critical that brands are able to protect themselves.
So what can you do?
The following provides some specific action items and practices to protect your brand from threat actors who create copycat domains that mimic real brands. These domains can harvest credentials, which in turn can lead to follow-on attacks such as ransomware, wire transfer fraud, data breaches or other account compromises.
At a minimum, M3AAWG recommends implementing these security requirements to protect your brand and your customers.
Create a Domain Register
A register helps you decide which domains are most important to protect. Create a register of the domains your company owns (even a spreadsheet is fine, although a dedicated data management tool is better), assign the people responsible for the security and maintenance of each domain, and make sure you have a written explanation of each domain's purpose. Any future domains must be added to this register, and dropped domains must be removed from it.
Secure Your Domain
Make domain name protection a part of your security policy. Keep registrant account information private and secure. Protect this account information, using a unique user account and password for each person who needs access. Recovery should only be possible by the most senior staff responsible for domain name administration, and only under the most extreme circumstances.
Additional steps to secure your domain
- For your Domain Registrant account, make sure you use a strong username and password and turn on Multi-Factor Authentication. Hackers want access to these accounts so they can take ownership of your domain, so make it hard for them!
- Change Registrant passwords regularly. Your staff may swap roles or leave the company. If that staff member knows the password, it’s best to change it so they can’t do anything with your company domains. Ensure passwords are unique and comply with good password hygiene.
- Use a login email that is different from the Transfer Contact email. Hackers will use tools to identify the transfer contact email addresses of your domains and try to gain access to that account. If they do, they can take ownership of your domain!
Maintain Contact Info
Keeping contact information accurate and current is important. Your registrars are your main line of defense against hackers trying to take control of your domain, so by making sure your details are current and accurate you put them in the best position to help you!
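The domain register, the registrant-account steps and the contact-info recommendation above can be checked mechanically once the register exists. The following Python script is an added illustration written for this post; it is not code from M3AAWG or from the Domain Management Best Practices document. It assumes a register kept as a CSV with the columns shown (owner, purpose, expiry, MFA flag, login and transfer-contact emails, last password rotation, last contact verification), and the sample rows and the thresholds (60-day expiry warning, 180-day password age, 365-day contact verification) are constructed assumptions, not values from the post.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample register (hypothetical domains, not from the M3AAWG post).
# Each row records the owner and purpose the post asks for, plus fields that let
# the audit check the "Secure Your Domain" and "Maintain Contact Info" items.
REGISTER_CSV = """\
domain,owner,purpose,expiry,mfa_enabled,login_email,transfer_contact_email,password_rotated,contact_verified
example.com,alice@example.com,Primary corporate website and mail,2026-03-01,yes,domains@example.com,transfer@example.com,2024-09-01,2024-10-01
example.net,,Legacy redirect to example.com,2025-01-15,no,domains@example.com,domains@example.com,2023-01-10,2024-10-01
example.org,bob@example.com,,2024-12-20,yes,domains@example.com,transfer@example.com,2024-09-01,2023-05-01
"""


def _parse_date(value):
    """Parse a YYYY-MM-DD register field into a date."""
    return datetime.strptime(value.strip(), "%Y-%m-%d").date()


def audit_register(csv_text, today, expiry_warning_days=60,
                   password_max_age_days=180, contact_verify_max_days=365):
    """Return {domain: [finding codes]} for every row of the register.

    `today` may be a date or a YYYY-MM-DD string so the audit is reproducible.
    The threshold values are assumed policy numbers, not from the post.
    """
    if isinstance(today, str):
        today = _parse_date(today)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        domain = row["domain"].strip()

        # Register completeness: every domain needs an accountable owner and a purpose.
        if not row["owner"].strip():
            issues.append("missing_owner")
        if not row["purpose"].strip():
            issues.append("missing_purpose")

        # A lapsed registration is the easiest takeover of all.
        expiry = _parse_date(row["expiry"])
        if expiry < today:
            issues.append("expired")
        elif (expiry - today).days <= expiry_warning_days:
            issues.append("expires_soon")

        # Registrant account hygiene: MFA on, login email distinct from transfer contact.
        if row["mfa_enabled"].strip().lower() != "yes":
            issues.append("mfa_disabled")
        if row["login_email"].strip().lower() == row["transfer_contact_email"].strip().lower():
            issues.append("login_equals_transfer_contact")

        # Regular password rotation and periodic confirmation that registrar contacts are current.
        if (today - _parse_date(row["password_rotated"])).days > password_max_age_days:
            issues.append("password_rotation_overdue")
        if (today - _parse_date(row["contact_verified"])).days > contact_verify_max_days:
            issues.append("contact_info_stale")

        findings[domain] = issues
    return findings


def report(findings):
    """Render findings as one line per domain, sorted by domain name."""
    lines = []
    for domain, issues in sorted(findings.items()):
        lines.append(f"{domain}: {'OK' if not issues else ', '.join(issues)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_register(REGISTER_CSV, date.today())))
```

Run against the sample register with a fixed date of 2024-11-01, example.com comes back clean, example.net is flagged for a missing owner, MFA off, a shared login/transfer email and an overdue password rotation, and example.org for a missing purpose, imminent expiry and stale contact verification. Feeding the script your real register (and scheduling it) turns the register from a static document into a recurring check on the items above.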
Make it Official
Establish appropriate policies and practices codifying the above decisions and processes, particularly for things like domain registering, decommissioning, or reconfiguration. Introduce regular training sessions for staff.
Document it all
Documenting policies, registers, internal discussions, and external industry collaboration regarding your domains helps keep your business informed. Preparing for incidents and being ready to accept changes to your domains based on strategic decisions is important. Establish a document control policy and enforce it.
In our next blog we will explore increased security measures to further protect your brand. In Part 3 we will cover attack vectors with recommended mitigations to help you maintain a strong security posture. More details and prescriptive guidance are also provided in our Domain Management Best Practices document, available at www.m3AAWG.org/BPK-DM02-2022