When I perform cybersecurity assessments, my attention quickly turns to the finance team. It doesn’t matter what the industry is. It doesn’t matter the size of the organization. It doesn’t matter where the client’s CISO tells me I should focus. The finance team is always a prime target for scrutiny.
When people ask why, I echo infamous bank robber Willie Sutton’s response: “Because that’s where the money is.” I know it, and more importantly, criminals know it.
Unfortunately, finance team members, especially at smaller firms, often don’t believe that they would personally be targets. They figure there are much larger organizations than theirs where criminals would rather expend the effort. This mindset makes them perfect targets. CFOs, therefore, need to ensure their teams receive the proper awareness training.
Fundamentally, a good awareness effort involves letting people know:
Most organizations fail at the “why.” They fall back way too much on fear. Then, when an attack doesn’t happen, some portion of users get complacent, while others believe that the organization is crying wolf. So, they ignore the information, put off watching the training video and get loosey-goosey about awareness.
In the finance realm, frankly, the reason people need to work securely is simple. Public and would-be public companies are subject to laws that state financial results must be accurate. Any compromise of computer systems can impact that accuracy.
Phishing is constant, as is ransomware, but there are also criminals specializing in attacks against financial teams.
Vishing is an alternative form of phishing in which a criminal calls up one of your finance people and claims his company hasn’t received payment on an invoice. The scammer will ask for a direct email, send an attachment and ask the employee to open the attached invoice while they are on the phone.
The fake invoice contains malware that gives the attacker access to the company network. Vishing happens frequently and is a reason organizations are more often requiring invoices and similar documents to be uploaded onto cloud accounting software and rejecting documents received in email.
There are also many cases in which criminals contact companies, saying they need to update a vendor’s payment information. I worked with one organization at which these attacks came in weekly. In this case, a criminal claims to work for a vendor, tells the finance pro that his company changed banks and requests that future payments go to the new account.
I end up working with these organizations to establish verification mechanisms to ensure that any out-of-process requests are handled in a formal way that proactively prevents this and other types of accounts payable fraud.
Criminals can find your team members with minimal effort. Earlier this year, for example, a LinkedIn data breach resulted in an account database containing email addresses, phone numbers, links to other social media profiles and professional details for some 500 million users being sold online. Attackers just need to search for “accountant,” “CFO” or “accounts payable” roles, identify an individual, do some research on the person and company — easy if you’re public — and find someone who can write or speak passable English.
“Hi, Joe? Pam from Supplier Corp. here, we met at that trade show. Loved your photos of the booth by the way! How are the kids, back in school? Great, great! Suzy looked adorable in that Facebook post. Hey, so really hope you can help me out before I get in big trouble. I was supposed to have changed the routing number for our payment two weeks ago but it slipped my mind...”
The primary defense against these attacks, and the next ones coming down the pike, is baking security into your financial — and all business — processes. Security should not be additional, layered-on, optional or otherwise outside the way employees do their day-to-day jobs.
A security-conscious finance leader does not, for example, leave it to the discretion of any individual clerk to change a supplier’s payment information. By developing standard, repeatable, mandated processes that take into account the ways your people could be fooled or go rogue, you protect the business.
That’s not to say you don’t need security awareness training for your team — the fact is, most regulations and standards require some form of traditional instruction. At most companies I work with, this means everyone watches a video and takes a short, can’t-fail-it quiz once a year. Frankly, I don’t put much value in videos alone. They rarely translate into consistently improved behaviors, but they are part of most compliance efforts, and they can’t hurt.
A worthy add-on is a good phishing simulation tool, which I have found can make people aware, especially if they fall for the simulation. People are more likely to remain vigilant if they or a colleague gets tricked. I recommend that you not use obvious, simplistic phishing sims; opt for more sophisticated programs that some percentage of your people will fall for.
But if you’re still forwarding invoices via email for approval, making exceptions without escalating, manually comparing invoices to purchase orders or not enforcing segregation of duties, all the phishing simulations and videos in the world may not help.
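To make the process control described earlier concrete (the verification mechanism for vendor bank-change requests, and the segregation-of-duties point just made), here is an added example that is not from the article: a small Python model in which an out-of-band request is applied only if accounts payable called back the phone number already on file for that vendor and an independent second person approved it; anything else is escalated instead of being left to a clerk's discretion. The vendor record, request fields, channel names and people are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class VendorRecord:
    """Vendor master data (constructed). The phone number was verified at
    onboarding and is the only number AP may use for a callback."""
    vendor_id: str
    verified_phone: str
    bank_account: str

@dataclass
class ChangeRequest:
    """A request to change a vendor's bank account, as entered by AP (constructed)."""
    vendor_id: str
    new_bank_account: str
    channel: str                               # "portal" (authenticated) or "email" / "phone"
    requested_by: str                          # AP clerk who entered the request
    callback_phone_used: Optional[str] = None  # number AP actually dialled to confirm
    approved_by: Optional[str] = None          # independent second approver

def evaluate_change(vendor: VendorRecord, req: ChangeRequest) -> Tuple[bool, List[str]]:
    """Return (approved, failed_controls). Any failure means the request is
    escalated, not processed; every failure is listed for the audit trail."""
    failed: List[str] = []
    if req.vendor_id != vendor.vendor_id:
        failed.append("request does not match vendor record")
    # Control 1: an out-of-band request (email/phone) is confirmed by calling the
    # number on file, never a number supplied in the request itself.
    if req.channel != "portal":
        if req.callback_phone_used is None:
            failed.append("no callback verification performed")
        elif req.callback_phone_used != vendor.verified_phone:
            failed.append("callback made to a number not on file")
    # Control 2: segregation of duties. The clerk who entered the change cannot
    # approve it, and nobody may approve alone.
    if not req.approved_by:
        failed.append("second approver missing")
    elif req.approved_by == req.requested_by:
        failed.append("requester approved own change")
    return (not failed, failed)

def apply_change(vendor: VendorRecord, req: ChangeRequest) -> str:
    """Apply the change only if every control passed; otherwise escalate."""
    approved, failed = evaluate_change(vendor, req)
    if not approved:
        return "ESCALATE: " + "; ".join(failed)
    vendor.bank_account = req.new_bank_account
    return "APPLIED"
```

A request arriving through an authenticated vendor portal skips the callback check but still needs a second approver, which is why the portal route still escalates when only one person has touched it.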
I don’t recommend going overboard on standalone security training. Spend that time and money keeping abreast of new attacks, automation and, most critically, making sure that controls are built into your processes to thwart criminals looking to compromise finance pros. Then, your focus can be on ensuring that your team knows how to do their jobs.