Following the recent high-profile IT impersonation attacks on Marks and Spencer and the Co-op, we want, as a company, to inform you of the controls we have in place to reduce this threat.

What is an Impersonation Attack?

An impersonation attack is one in which an attacker poses as a legitimate user and/or a company in order to infiltrate the targeted organisation and its assets. This is usually done through social engineering: a user is bombarded with calls, emails, texts or MFA prompts to trick them into revealing passwords, granting access to endpoints, systems or data, or forcing a password reset. With the rise of deepfakes and voice cloning, verifying identity is more challenging than ever, and attackers may use urgency or insider information to appear legitimate. Once the attacker has access, they use it to move laterally and/or exfiltrate data.

More information on this type of attack is available through the following link: Incidents impacting retailers – recommendations from the NCSC – NCSC.GOV.UK.

Our Process

We take not just our own security but also our customers’ security very seriously. This is why, in most cases, we have named individuals within each customer organisation who are the only people able to request changes to their accounts. This means that password resets, configuration changes, and the addition or removal of user (joiner/leaver) accounts can only be requested by authorised personnel. It is therefore important that this process is communicated throughout your organisation.

Any change must be initiated by a communication from the customer. In the rare event that we contact a customer to make changes, we will do so only with the named individuals authorised to make decisions, and usually by telephone so that we can verify the contact. If an end user contacts us for a password reset, the reset will be carried out unless you have already specified otherwise. To communicate the new password as securely as possible, it is stored on our system, to which only the authorised customer contact has access; that individual then passes the password to the user. Alternatively, a password reset can be authorised with a pre-agreed PIN code that the authorised contact has issued to the user in advance. Please note that BOM staff will never ask your users for their passwords over the phone or ask them to enter a password into a separate system.

We appreciate that each customer is unique in how they wish us to manage their changes; however, we recommend that customers review their own processes and decide whether these procedures need refining.

If you decide they do, please contact our Service Desk on 0800 038 7222 or email servicedesk@bom.co.uk.

If you have any questions regarding this or any other cyber security topic, please contact your Account Manager or the Service Desk.

Regards

David Trump

Cyber Security Director