Gartner forecasts that global spending on security and risk management will exceed US$150 billion in 2021, adding cloud adoption and remote working to the mix of reasons for the spend.
A 2020 Gartner CFO Survey found that nearly 3 out of 4 CFOs intended to shift at least 5% of their previously on-site staff to permanently remote roles post-COVID-19. Many finance processes are already running remotely, and they incorporate some of the most sensitive data within an organization, including customer and supplier financial data.
“CFOs should neither ignore these fresh vulnerabilities nor go it alone,” says Alexander Bant, practice vice president, Gartner. “CFOs especially need to collaborate with both IT and risk managers to make sure new cybersecurity risks stemming from the adoption of remote work don’t outpace the policies designed to protect vulnerable data.”
FutureCFO spoke to Sim Beng Hai, APAC head of technical sales at ESET, for his perspective on the heightened state of security for remote workers, as viewed from the perspective of the CFO.
What are the different types of remote work threats targeting executives, including CFOs and CEOs?
Sim Beng Hai: With many still working from home due to the pandemic, employees have gotten used to performing many administrative tasks electronically via email and online messages, and cybercriminals are taking advantage of this because they have more opportunities to impersonate anyone.
Our recent ESET Threat Report T2 2021 revealed that there has been a 104% increase in public-facing Remote Desktop Protocol (RDP) services brute-force password attacks in May - Aug 2021, as compared to Jan - Apr 2021.
A type of remote work threat to CFOs and CEOs is social engineering, which relies more on psychology – they take advantage of people’s trust, fear, or inattention.
What are the dangers of social engineering?
Sim Beng Hai: Social engineering is a particularly dangerous threat to CFOs and CEOs as cybercriminals can potentially obtain sensitive financial information from the organizations if they are successful in impersonating them. Some common tactics are phishing and business email compromise.
Based on our T2 Threat Report, we found that the three most impersonated brands in phishing emails were Microsoft, DHL and DocuSign. DocuSign being one of the most impersonated brands is especially significant to CFOs and finance departments as it is a tool used to sign electronic documents.
In some of the phishing attempts that we’ve seen, the targeted recipients are from finance departments who were asked to ‘open and review’ an invoice by clicking a link. Such phishing emails usually direct the victim to a fake website to steal sensitive data such as login credentials and banking details.
What can CFOs do to prevent such attacks from happening?
Sim Beng Hai: There are several measures that CFOs can take to prevent such an attack. For example, they can ensure that the finance department and key employees are familiar with finance-related standard operation procedures (SOPs). And if there's any deviation from the SOP, it should be flagged.
They should learn how to recognise impersonation messages, as when CFOs and the finance team are aware of the impersonation attacks, they will stand a better chance of avoiding them.
In addition to staying updated on the latest phishing tactics and attacks, CFOs can ask the IT security team to create a simulation to test if employees can resist the temptation to click on everything that looks interesting. They can also explore the option of cyber insurance to protect the company’s assets from subsequent compliance penalties and settlement costs.
Can you describe what types of processes or workflows can be implemented to minimise or prevent social engineering attacks?
Sim Beng Hai: To assist in identifying emails originating outside of the organisation, CFOs can ask the IT security team to mark all inbound emails from outside of the corporate network with an ‘External’ tag to help identify emails originating from outside of the organisation.
On the technology front, companies can use appropriate security solutions to detect and block phishing and spam emails; protect passwords with another layer of security by implementing multi-factor authentication, antimalware solutions for cloud storage, and more.
Organisations must recognise that every individual is responsible for the cybersecurity of the company. Leaders also need to constantly remind employees of the dangers that can be caused by behaviours such as using an insecure connection or device, indiscriminately clicking on links, or visiting risky websites.
How can organisations protect themselves from remote work threats?
Sim Beng Hai: Organisations can build a strong cybersecurity posture by providing regular cybersecurity training to all employees, including top management and I.T. personnel, and such training should demonstrate or simulate real-world scenarios and be actionable.
Every employee in the company needs to be aware of the dangers that cyberthreats pose to companies, as well as the protocols to follow when faced with a cyberattack. What is important for companies is also to develop security policies that employees can understand easily so that they identify what steps they need to take when they encounter social engineering and other remote work threats.
To what extent should the CFO support these and what type of support can the CISO, the CIO and the rest of the organisation expect from the finance office?
Sim Beng Hai: The finance office is one of the most important functions in organisations. CFOs need to collaborate closely with CISOs, CIOs, and the rest of the security team to be involved in the process of creating the framework and SOPs in security policies to ensure that all areas of the finance processes are well protected against cyberthreats.
By having CFOs as a part of the security process early, they can provide the perspective of finance teams which is critical to protect critical company assets.