I recent­ly read McAfee Lab’s 2016 Threat Pre­dic­tions Report. It’s worth a few min­utes of your time.

A high­light for me was a great quote:

Every­where we go and in every­thing we do, we are leav­ing a trail of “dig­i­tal exhaust.”

On the down­side, the report is dis­ap­point­ing­ly con­sis­tent pro­mot­ing this trend: Orga­ni­za­tions depend­ing far too much on pre­ven­ta­tive tech­nol­o­gy for cyber risk reduc­tion. We cer­tain­ly need pre­ven­ta­tive mea­sures, espe­cial­ly auto­mat­ed ones. But putting most of your cyber risk reduc­tion mon­ey in tech­nol­o­gy-based solu­tions is not set­ting you up for suc­cess to fight tomor­row’s great­est threats to your dig­i­tal assets.

As you well-know, McAfee is a ven­dor of tech­nol­o­gy solu­tions. So from that angle I’m not sur­prised to find McAfee’s oth­er­wise insight­ful report large­ly ignor­ing the peo­ple, process, and man­age­ment aspects of cyber­se­cu­ri­ty. Still, it would have been so much more use­ful to their audi­ence and more pow­er­ful for their brand if they had gone beyond this nar­row view of the world, appar­ent­ly informed by their exist­ing cat­a­log of solu­tions.

Here’s the stand­out exam­ple: No men­tion was made of busi­ness email com­pro­mise (BEC) as an emerg­ing threat. Which is unfor­tu­nate because BEC has become a very effec­tive way to dig­i­tal­ly steal mil­lions by using the anony­mous nature of email to com­pro­mise peo­ple and process. In fact, the FBI recent­ly report­ed the glob­al loss­es due to BEC as $1.2 bil­lion in just two years. It’s as bad as you think:

Accord­ing to IC3, since the begin­ning of 2015 there has been a 270 per­cent increase in iden­ti­fied BEC vic­tims. Vic­tim com­pa­nies have come from all 50 U.S. states and near­ly 80 coun­tries abroad. The major­i­ty of the fraud­u­lent trans­fers end up in Chi­nese banks.

Let’s put a face on it: In June 2015, Ubiq­ui­ti Net­works lost $46 mil­lion from BEC. To their cred­it, Ubiq­ui­ti dis­closed the loss in a 8‑K state­ment in August.

While you can put some email fil­ter­ing in place to help detect BEC, train­ing your finance peo­ple and strength­en­ing the con­trols in your pay­ments process­es is where you’ll get the real pre­ven­tion. Would you han­dle it some oth­er way?