Date posted: 4/12/2020

“Passwords are like underpants – they need to be changed often”

As cyber-attacks continue to spike mid-pandemic, making cybersecurity a focus in your business now is vital, says CFO Stephen McCarthy.

In Brief

  • It has been estimated by the Morrison Government that cybersecurity incidents cost Australian businesses $29 billion each year.
  • Cyber attacks are not only increasing year on year, they’re also becoming more sophisticated.
  • Businesses should investigate the specific risks to them, identify weak areas and then address them.

When discussing cyber attacks with other finance professionals, most of us realise it’s a matter of when you will be attacked and not if.

This is where our roles in finance have become increasingly intertwined with chief security and information officers: finance teams are often number one on the hit list for cyber criminals.

In Australia, attacks have been doubling every couple of years. This is not surprising considering the lucrative nature of cybercrime. In fact, it has been estimated by the Morrison Government that cybersecurity incidents cost Australian businesses $29 billion each year.

And mid-pandemic, cyber attacks continue to spike as criminals prey on these insecure times. The FBI recently reported that the number of cyber-attack complaints was up to 4000 a day, representing a 400% increase since pre-coronavirus.

So how, as CFOs, can we ensure we’re doing everything to protect the business?

How to avoid a cyber attack

Cyber attacks are not only increasing year on year, they’re also becoming more sophisticated. Many gangs now operate like modern corporations, with expertise drawn in globally and technology used at scale to siphon billions of dollars annually off unsuspecting individuals and organisations.

The tactics used include social engineering, malicious software, phishing, ransomware, business email compromise (BEC) and, in some cases, attempts to use business insiders to perform fraudulent attacks.

Over 20 years of working in finance I have seen a variety of attacks – starting in my junior days with more paper-based systems and falsifying of invoices and payments, to more sophisticated attacks which now arrive mainly via email.

It is imperative to stay up-to-date and assess the risks to your organisation by researching the current methods and understanding how attacks may occur. Knowledge is the first line of defence against attack.

Once the risks are understood, investigate the specific risks to your own business, identifying weak areas and addressing them. This should involve testing current processes and systems and identifying any areas of vulnerability.

I’ve seen the best results here when the companies I’ve worked for have used external experts. Often when you’re in the weeds, risk is underestimated, with many thinking they run a very tight ship, when this is often far from the case.

Does your overall security need improving?

Here’s an analogy I use with my team. Passwords are like underpants – they need to be changed often, shouldn't be shared and shouldn't be left lying around for others to see.

Gone are the days when an easily remembered password was acceptable. Use a password tool, or use a combination of letters, numbers and symbols, and do not allow passwords to be re-used. Multi-Factor Authentication (MFA) should also be used where possible – a secondary layer of authentication (typically SMS) ensures the user accessing the application is legitimate.

Speak with your IT team to determine whether company passwords can be strengthened or if MFA can be utilised.

User access restrictions should be in place and regularly checked to ensure employees who have moved internally or left the business no longer have access to systems they no longer require. This is an increasing problem with the cloud-based systems the majority of businesses are using now.

With the increase of working from home there are increased vulnerabilities – specifically ransomware and account takeovers – when using remote access.

“With the increase of working from home there are increased vulnerabilities – specifically ransomware and account takeovers – when using remote access.”
Stephen McCarthy, CFO InfoTrust

Cybersecurity controls such as endpoint detection and response should be the bare minimum in place and regular updates need to be performed.

Having backups in place in case of a breach is also important, to minimise disruption and ensure business continuity.

Time to strengthen your banking process

When understanding your risks and analysing your processes, it’s imperative to look at the banking process. I have seen breaches in this area culminating in millions of dollars of fraud – so identification of any weaknesses is so important.

Segregation of duties and multiple authorisations are advisable, although this can be trickier for small businesses. Ensuring the person processing the invoice and the person paying the bills are segregated is an absolute minimum.

An approvals process for invoices and the use of technology (for example, paying by EFT via an ABA file) are some simple techniques.

Even with the use of technology, one risk we’ve identified is the falsified changing of a company’s details. Always verify this by calling the organisation after receiving a letter, on headed paper

Training your team increases protection

Ninety per cent of breaches are down to human error.

Finance staff, in particular accounts payable, should be fully trained to learn additional skills, have a questioning mind to spot irregular activity and react efficiently to raise issues with others quickly.

Cyber security awareness training helps your team to recognise spam, phishing and falsified information.

It is clear that some employees’ passwords may have a greater value to cybercriminals, therefore guidance to employees that are deemed a higher risk on how to set strong passwords and report on potential scams should be part of security awareness training. Common sense is not an excuse in this regard.

Top tips to keeping your business safe and secure

Consistent, regular staff updates on the evolving nature of cybercrime and the threats being faced will assist in creating a security-conscious workforce culture.

If the leaders of the business set the example, this will flow down through the business. Praising and rewarding individuals for identifying scams can help inspire individuals to participate in securing the business, too.

Here are my key tips for individuals to keep your department and business safe:

  • Never transfer money to a stranger
  • Don’t give out information
  • Don’t click on hyperlinks
  • Use tough-to-crack passwords
  • Use technology – antivirus and threat detection
  • Don’t shop on unfamiliar websites – if it’s too good to be true, it’s probably risky
  • Don’t download from pop-ups

For attacks where cybercriminals masquerade as a senior player to directly target important individuals within an organisation, put the following in place if you don’t have this already: 

  • Implement a multi-layer security system
  • Establish secure financial transfer rules
  • Make email security training mandatory
  • Incorporate email protection solutions
  • Update cybersecurity training and policy

As CFOs it is clearly our responsibility, alongside our security and information technology peers, to keep our organisations safe from ever-increasing cybercrime.

Even small changes in our daily activities and reminders to staff can safeguard against a breach that could put the whole organisation at risk.