South Africa's largest law firm, ENSafrica, has recently been ordered to pay a cybercrime victim R5.5 million after a syndicate successfully hacked into a client's email during a property transaction.

The hackers altered the bank account number in a PDF invoice sent by the law firm, resulting in the client losing a substantial amount of money.

ENSafrica was handling the conveyancing of a house. Unfortunately, the funds intended for the law firm's trust account, were redirected to the account of a hacker and swiftly taken away. The client took legal action against the law firm, alleging that they had failed in their duty of care by negligently not informing her of the dangers of hacking or taking necessary measures to prevent it.

This court decision serves as evidence that companies can face consequences for using plain and unsecured email for invoicing purposes. The judgment stated that the law firm failed to provide adequate warnings to the client regarding potential cyber threats.

Insider threats are a problem for every industry, but financial services are by far the prime target for data theft. No other industry is tasked with handling and securing more sensitive data. For large financial institutions with large numbers of employees, it is critical to have visibility into employee activities that raise red flags signaling potential abuse.

Insider abuse and data misuse account for more than a third of data breaches in financial services organisations. Protecting against insider threats requires solutions that can discern between legitimate use and malicious intent and be deployed quickly at global scale.

Cybersecurity expert and J2 Software CEO John Mc Loughlin says DTEX has helped a global financial institution increase visibility into its insider threat landscape, allowing the company to mitigate against previously unknown threats in a scalable way without interrupting business-critical processes.

The risk from malicious insiders has long been a priority for CISOs and has now become a top priority for other executives and board members. Employees require access to sensitive information, but heavy-handed approaches using complicated and static rules can frustrate users. This hampers productivity and leads users to search for workarounds that can also put data at risk.

Employees, contractors and partners understandably have concerns about what activity is monitored. They have questions about what data may be in scope or out of scope. More importantly, users may wonder how these monitoring systems may be biased against them and intrude on their personal privacy.

There’s one consistent and prevalent security gap in every digital enterprise in the world. Regardless of the industry, whether it’s financial, healthcare, residential or logistics, the common denominator remains the same: the human element.

In a profit-driven, ethically-unconstrained criminal enterprise like phishing it is not surprising that threat actors have evolved to match the times. Rather than focus on techniques, this article will discuss how phishing applications have changed to match new security standards.

Only 22% of Microsoft clients have adopted two-factor protection, so the traditional phishing attacks are still effective against most small to mid-sized operations. In the case of the enterprise client, we are seeing a transition towards phishing attacks that can seamlessly target two-factor protected accounts.

In a Proofpoint survey (www.securitysa.com/*phish1), 83% of organisations said they experienced a successful email-based phishing attack in 2021, versus 57% in 2020. That equates to a 46% increase in organisations hit with a successful phishing attack last year.

Of those 54% experienced a breach of customer or client data and 48% saw credential or account compromise, 46% experienced ransomware infection. In 2021, Microsoft blocked 25,6 billion Azure AD brute-force authentication attacks and intercepted 35,7 billion phishing emails.