Often, business leaders assume cyber security is the IT department’s sole responsibility. This is a common misconception. Given the valuable data held by finance functions, and the cyber security issues that have arisen as a result of hybrid working models, it is vital that CFOs and Finance Directors understand the threats their organisations face and are involved in managing the risks.
For the last Blake Morgan FD Connect event, Wolfberry’s CEO Damon Rands joined Blake Morgan’s Elisabeth Bell to discuss the latest cyber threats impacting finance teams. Here we overview what was discussed, some useful tips and what controls finance leaders can implement to protect their organisations.
For businesses, knowledge is power
Cyber security has evolved greatly over the past two decades. The market is more mature and awareness has increased, but worryingly, awareness has not always translated into an understanding of the risks.
We are constantly bombarded with statistics, often without context or explanation, and the true risks can be lost in the noise. What matters most is to understand what data and processes you hold, and therefore need to protect, and then to choose appropriate and proportionate controls to wrap around them. If you don’t understand what you are trying to protect, you cannot choose the right control. Further still, to truly protect financial data and infrastructure, it is important to foster a culture of cyber security throughout the firm, rather than leaving the responsibility with the finance and IT departments.
Tip 1: Don't buy oversized products, and remember to change the defaults
Firewalls are an essential control for protecting data, but businesses often misjudge their needs and buy oversized products. Firewalls block unwanted traffic and range in price from a few hundred pounds to several hundred thousand. An oversized product is usually an overly complex one: the business uses perhaps 10% of its capability, and the remaining 90% is left in its default configuration. Unmanaged defaults, such as unchanged administrative passwords and features that nobody monitors left enabled, turn the firewall itself into a vulnerability.
Tip 2: Have clear roles and responsibilities between providers
In general, most businesses have the following providers:
- Internal IT providers
- External IT providers
- App providers
These three groups are responsible for different aspects of an organisation’s cyber security. Problems arise when there is little or no communication between them and it becomes unclear who is responsible for what; gaps of this kind create vulnerabilities in business infrastructure. Business leaders should be clear on the roles and responsibilities of each provider and communicate with them regularly. This requires no expensive technical controls. It is also important to review providers regularly to ensure they still deliver the services the business requires.
Tip 3: Use controls and segmentation to protect from phishing attacks
Of UK businesses that identified a cyber attack in the past year, 83% said it involved phishing, according to the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey. Phishing is extremely lucrative, relatively easy and inexpensive to carry out.
During the discussion, one Finance Director (FD) described their experience of a phishing attack; thankfully, the business was prepared and able to limit its impact. Because of access controls and network segmentation, the attack could only corrupt the files the targeted director had access to, rather than bringing the whole organisation to a standstill. Recovering from a successful phishing attack depends on robust, tested backups. Businesses with no backup strategy, or one that has never been tested, often find it very difficult to recover. Wolfberry has previously helped a business that lost its whole system to ransomware. Following a click on a phishing email, the attacker sat on the network for three months before encrypting all of its data, including files dating back to 1974. As the business had no backup solution in place, it had to rebuild the organisation from scratch.
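The two lessons in that paragraph, that a backup is only a backup once a restore has been tested, and that an attacker who dwells for months will also have been copied into the backups taken during that time, can both be shown in a small drill. The script below is an added example, not code from the article or from Wolfberry: it builds a constructed data set, backs it up with a SHA-256 manifest, restores it into a scratch directory and checks every file, then simulates a file encrypted in place before the "day 90" backup runs. The file names, contents and archive names are all assumptions made for the example.

```python
"""Backup-and-restore drill.

Added example, not code from the article or from Wolfberry. It creates a
small constructed data set, backs it up with a SHA-256 manifest, restores
into a scratch directory and verifies every file, then shows why a backup
taken during an attacker's dwell time cannot be trusted on its own.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large files need little memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(root: Path, archive: Path) -> dict:
    """Write root to a tar.gz plus a sidecar manifest; return the manifest."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    sidecar = archive.with_name(archive.name + ".manifest.json")
    sidecar.write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive: Path, trusted_manifest: dict) -> dict:
    """Restore the archive into a fresh scratch directory and compare every
    restored file against a manifest you trust. Returns a report dict."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # Python 3.12+: blocks path traversal
            except TypeError:  # older Python has no filter argument
                tar.extractall(dest)
        restored = build_manifest(dest)
    missing = sorted(set(trusted_manifest) - set(restored))
    unexpected = sorted(set(restored) - set(trusted_manifest))
    corrupt = sorted(
        rel for rel, digest in trusted_manifest.items()
        if rel in restored and restored[rel] != digest
    )
    return {
        "ok": not (missing or unexpected or corrupt),
        "missing": missing,
        "corrupt": corrupt,
        "unexpected": unexpected,
    }


def run_drill() -> tuple:
    """Constructed scenario. Day 0: clean backup, restore test passes.
    Day 90: the attacker has quietly encrypted a file in place and the
    nightly backup has copied the damaged file. Checking that archive
    against the day-0 manifest reveals the damage; checking it only
    against its own manifest does not."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "finance"
        (data / "ledgers").mkdir(parents=True)
        (data / "ledgers" / "2021.csv").write_text("date,amount\n2021-01-05,1200.00\n")
        (data / "invoices.txt").write_text("INV-0001 paid\n")

        day0 = work / "backup-day0.tar.gz"
        manifest_day0 = backup(data, day0)
        clean = restore_and_verify(day0, manifest_day0)

        # Simulated ransomware: overwrite one file in place with random bytes.
        (data / "invoices.txt").write_bytes(os.urandom(32))
        day90 = work / "backup-day90.tar.gz"
        manifest_day90 = backup(data, day90)
        self_check = restore_and_verify(day90, manifest_day90)   # passes, misleadingly
        cross_check = restore_and_verify(day90, manifest_day0)   # catches the damage
    return clean, self_check, cross_check


if __name__ == "__main__":
    for label, report in zip(("day0", "day90 vs itself", "day90 vs day0"), run_drill()):
        print(label, json.dumps(report))
```

The point of the third check is retention: a single rolling backup that is only ever verified against itself will happily confirm that it contains encrypted files. Keeping several generations, with a manifest from a known-good point, is what lets you tell a clean backup from one that merely restores.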
What steps can FDs take?
The key to withstanding a phishing attack is to be prepared.
- Provide cyber security training to all your staff, irrespective of job title. It only takes one click from any user to compromise a business. Creating a culture of cyber security can turn users from a weakness into an added layer of protection.
- Make sure your staff are aware of and understand cyber security risks. Choosing systems and technical controls is important, but most risk arises from the users of those systems.
- Share what a current attack looks like. Finance departments receive targeted attacks in the form of fraudulent accounting and invoice emails. These can be very convincing, and unprepared staff are likely to fall for them.
- Carry out phishing simulations regularly. One attendee runs simulated attacks three times a week; those caught out are given extra training so they can spot the red flags. Performance in these simulations also feeds into performance reviews, as the organisation recognises that cyber security is critical to the business.
Is cyber insurance worthwhile?
Wolfberry does recommend that businesses hold cyber insurance. Whilst a policy is worth having as part of the recovery process, it will not stop a cyber-attack. It can also have a negative effect on attitudes towards cyber security, encouraging the view of ‘who’s going to want to hack us? We have insurance anyway’. It remains essential to protect your business as much as possible.
Cyber insurance is a young market and we expect it to evolve quickly over the next few years. More cases are setting precedents, and insurers are likely to scrutinise claims from businesses that have done very little to protect their data. Beware too of war exclusions: insurers may refuse to pay out for an attack they attribute to a nation-state, arguing that it is an act of war.
Mondelez vs Zurich
In 2017, Mondelez, one of the world's largest snack companies, was hit by the NotPetya cyber-attack that used exploits to penetrate systems running Microsoft Windows software. Laptops froze, email was unavailable and access denied to files on the corporate network. In addition, logistics software that orchestrates deliveries and tracks invoices crashed. Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and the computer equipment was replaced, its financial hit was more than $100 million, according to court documents.
Despite the huge disruption, at least they had cyber insurance that would cover the losses. Or so they thought. Zurich, their insurer, refused to pay the claim, arguing that the attack had been orchestrated by the Russian military and that Mondelez was not covered because it was a hostile act by a “government or sovereign power”. Mondelez sued, and the dispute was eventually settled out of court in 2022 after years of litigation. It is a prime example of why companies should not rely purely on cyber insurance.
Overall, Wolfberry recommends that organisations hold cyber insurance on top of wrapping their data and systems in preventative controls. Hopefully insurers will in future reflect cyber security accreditations, such as Cyber Essentials, Cyber Essentials Plus and IASME (Information Assurance for Small and Medium Enterprises Consortium), in their premiums, to encourage companies to think about governance.
Should organisations hide email addresses?
In general, it is not advisable to plaster contact details all over websites and social media. There is little point, however, in trying to hide email addresses completely: if an attacker wants to find an address, they usually can. Most businesses use Microsoft 365 (formerly Office 365), and free tools exist that quickly enumerate addresses, which in most organisations follow a predictable naming convention. In under 30 minutes a skilled attacker can obtain a list of a chosen business’s email addresses.
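To make the "they usually can" concrete, the script below is an added example, not a tool from the article or from Wolfberry. It does offline what the free enumeration tools mentioned above do: take a couple of addresses that are already public (an invoice footer, a press release), work out which naming convention the organisation uses, and apply it to a staff list gathered elsewhere. It also reports when the sample is ambiguous, which is why those tools ask for more than one known address. The domain, names and addresses are constructed for the example.

```python
"""Infer an organisation's email naming convention and generate addresses.

Added example, not a tool from the article or from Wolfberry. The
domain, names and addresses used below are constructed for the example.
"""
import re
import unicodedata

# Common conventions, tried in order; each maps (first, last) to a local part.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def normalise(token: str) -> str:
    """Lowercase, strip accents (Seán -> sean) and drop anything outside a-z."""
    folded = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def split_name(full_name: str) -> tuple:
    """Return (first, last) from a display name; middle names are ignored."""
    parts = [p for p in (normalise(t) for t in full_name.split()) if p]
    if len(parts) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    return parts[0], parts[-1]


def matching_patterns(known: list) -> list:
    """All conventions consistent with every (display name, address) pair.

    An empty list means none of the known conventions fits; more than one
    hit means the sample is ambiguous and another known address is needed.
    """
    hits = []
    for label, fn in PATTERNS.items():
        if all(fn(*split_name(name)) == addr.split("@", 1)[0].lower()
               for name, addr in known):
            hits.append(label)
    return hits


def generate(names: list, domain: str, pattern: str) -> list:
    """Apply one convention to a list of display names."""
    fn = PATTERNS[pattern]
    return [f"{fn(*split_name(n))}@{domain}" for n in names]


if __name__ == "__main__":
    # Constructed sample: two addresses already visible on public material.
    known = [("Jane Doe", "jane.doe@example.com"),
             ("Émile Zola", "Emile.Zola@example.com")]
    hits = matching_patterns(known)
    print("conventions consistent with the sample:", hits)
    # Constructed staff list, e.g. scraped from a professional network.
    print(generate(["Priya Patel", "Seán O'Brien"], "example.com", hits[0]))
```

The practical consequence for an FD is the one the article draws: design phishing controls, training and invoice-verification procedures on the assumption that every address in the finance team is already known to attackers, rather than spending effort trying to keep them secret.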
Steps CFOs can take to mitigate cyber risks
- You can never entirely avoid an attack, but businesses with a plan for what to do when one happens always respond better.
- Have a playbook ready for each category of attack, so that everyone knows their role and what to do next.
- Understand what data you hold and the processes around it. Create an asset register: it helps you grasp what data you have, where it is stored and what happens to it in transit.
- Purchase the right level of protection and tailor it to your firm.
- Governance is the glue that holds a business’s technical controls together; keep tight control of it.
- Have a business continuity plan and a disaster recovery plan that are regularly tested and reviewed.
- Act quickly, especially if the breach involves personal data. Under the GDPR, a notifiable breach must be reported to the Information Commissioner’s Office within 72 hours of the business becoming aware of it, so the business needs to confirm the breach and gather as much information about it as possible within that window.
- Physical security is as important as cyber security. Consider red teaming – this is a rigorous.
Wolfberry provided a wealth of insight to the FD Connect attendees during our recent virtual cyber security roundtable. If your business has been breached and your data compromised, Wolfberry can help. Their Surviving Ransomware service is free to anyone who needs it, with no fees or obligation to later purchase a service from Wolfberry.
This was a part of the FD Connect programme run by Blake Morgan. If you would like to find out more and receive invitations to future sessions, you can sign up here.