Installing Cybersecurity Controls in your Finance Department

Phishing and fake call center agents

In recent months, a large number of news outlets have reported that cybercriminals have intensified their activity, using the COVID-19 pandemic to rob, exploit and disrupt organizations. Their preferred instruments are phishing emails, malicious apps, and websites. Crimefighters assume that a company’s vulnerability increases when its employees work from home, and the ability to detect and respond to intrusion is more difficult than usual.

If you want to understand how home-office work can facilitate cyberattacks, I advise you to read the McKinsey article ‘Cybersecurity’s dual mission during the coronavirus crisis’. I specifically thought the higher success rates of phishing emails and fake call center agents in home office environments to be pertinent. There’s basic ‘social control’ in an office setting, with coworkers acting like a ‘human protection shield’ when they talk to colleagues about suspicious emails.

Business email compromise

Over the last 12 months, I was asked to review the controls of several finance departments that fell victim to business email compromise, a form of email fraud that has become one of the most frequent tools for social engineering.

Those investigations reveal a clear pattern of action: the attacker had falsified the supplier's contact details and made a specific request to an accounts payable accountant to modify the bank account details to pay open invoices. The request appeared genuine (company logo and information etc.) as the attacker had previously hacked the supplier database to obtain precise customer details and contact.

It is widely known that cybercriminals use publicly available information (your company websites, Linkedin, etc..) to target specific employees and trick them into providing credentials and passwords.

Impersonation of external audit companies

Another scheme affecting finance departments is the impersonation of external audit companies. In that case, an employee of a company receives an email request from the lawyer of the external audit firm (the email address is usually spoofed) requesting a fund transfer. That email is subsequently followed by an email (also a falsification) of a senior executive of that company (CEO, etc..) confirming the urgency and confidential nature of the lawyer’s request.

Cybercrime countermeasures

With the current circumstances increasing the vulnerability of companies to such fraudulent schemes, finance managers must re-evaluate and strengthen their procedures.

1. Grow fraud awareness

The first step is to ensure all finance team members are sufficiently ‘fraud aware’. Training and cheat sheets on red flags should be provided to create extra vigilance for fraudulent initiatives like payment requests from new suppliers, the opening of a new bank account for an existing supplier, or for urgent payment requests directed to a non-domestic bank account.

In a recent project for a large Belgian company, management invested a lot of effort in training and communication, including humoristic desktop screensavers and elevator posters explaining the dos and don’ts for account payables and purchasing employees.
The second step is to verify that key controls are in place at each step of a process: authorization controls, master data changes, and change confirmation.

2. Install key controls

In the case of accounts payable, the following should be in place :

• Authorization controls: the accountant must always validate that users are authorized to request changes to a bank account or other payment information. The approach is either to call the supplier’s representative or to request physical evidence from the bank.
• Review of master data changes: a supervisor or manager reviews all changes to the vendor master file.
• Change confirmation: the accountant always sent a confirmation message to the vendor when a change to bank routing information is made.

3. Get cyber insurance

The third step is to review the company insurance program to determine if it covers social engineering and other cyber-related fraud losses. Insurance provides added protection when controls fall short.

A wide range of products is now available with most banks and insurance companies in Belgium. You receive technical assistance in the event of loss of data, financial protection in the event of lost sales (e.g. a server failure), and legal support in the event of reputational damage. Some products cover broad cyber issues while others are very specific to social engineering fraud.

As you explore your current or possible coverage, I recommend you pay attention to these three aspects:

1. the coverage of liabilities for damages to third parties (suppliers, customers,..)
2. the geographical coverage as the consequences of cyber incidents are not limited to business locations
3. the existence of restrictions for older technologies (Windows XP,..)

The price of cyber insurance depends on various factors, such as the size of your organization, your type of business activity, whether you have an online sales channel or not, etc. One thing is certain: the cost of insurance remains marginal compared to the potential operational impact.

Check IT and Security controls

Those actions are within the direct scope of finance but are not a substitute for proper IT and security controls. CFOs and finance managers must also challenge their colleagues on the existence of IT controls and practices including multi-factor authentication, antivirus and anti-malware software, URL filtering, simulated phishing tests, email encryption, etc.

Adoption and understanding of email authentication protocols such as Sender Policy Framework (SPF) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are strongly recommended. Those protocols are designed to give email domain owners the ability to protect a domain from being used in business email compromise attacks, phishing emails, email scams, and other cyber threat activities.

Call your bank. And the police

In the event you fall victim to computer fraud, the first action is to call your bank and the police immediately. If you identify the scam the same day the payment is made, the chances of the money being “frozen” in the banking system are higher. The chances of recovering your money will diminish by the day.

Recently, the Federal Cyber Emergency team has provided useful guidance on how to protect yourself from social engineering during Covid-19.The recommendations are valid for everyone and worth reading.

I believe cybersecurity controls are extremely relevant for finance managers especially since financial market regulators started requesting companies to disclose cybersecurity risks and incidents that are material to investors.

I welcome your comments and opinions