Cybersecurity: Why FDs need to lead the fightback?

Jon Abbott

As cybercriminals become more sophisticated, finance teams can no longer ignore the growing threat. Jon Abbott of ThreatAware explains how FDs can take control

With cybersecurity now a key threat for business, FDs are facing pressure from all directions. Investors want reassurance that they are managing the risks, clients want to know that their data is safe, and regulators insist they have good governance in place. Meanwhile, as the people who hold the purse strings, FDs and their teams have become key targets for cybercriminals using sophisticated confidence tricks.

Not only can a security failure be costly and embarrassing for the company, but it can also have a direct impact on FDs themselves – either because they can be personally liable in their role as company directors or because employers and shareholders demand they are held to account.

Last year the FD of film company Pathe’s Dutch arm was sacked after paying over €19 million into a bank account in Dubai. Edwin Slutter had been authorised by the Dutch CEO Dertje Meijer to transfer the funds as the two men believed they were acting on instructions emailed from their Paris headquarters and the money related to an acquisition that was underway. When their mistake came to light, both lost their jobs and later filed for unfair dismissal.

While cybersecurity will be an unfamiliar area for most FDs, it is now vital that they update their skills. Indeed, the latest government guidance suggests that all senior managers should have a basic understanding of cybersecurity. The National Cyber Security Centre (NCSC) states: “Executive staff should be as aware of the major vulnerabilities in their IT estate as they are of their financial status, and should understand how those vulnerabilities could impact the core business.”

So where do you start? The first step is to understand the current cybersecurity landscape.

The changing threat landscape
Contrary to popular belief, the number of cyberattacks has been declining over the past two years. According to the government’s Cyber Security Breaches Survey 2019, which was released in April, one in three businesses (32 per cent) was a victim of an attack or breach in the previous 12 months – down from 46 per cent in 2017.

However, for those firms that are victims, attacks are becoming more costly and frequent. The nature of attacks is also changing. Attacks that rely on human vulnerability, such as phishing (identified by 80 per cent of victims) and impersonation of an organisation (identified by 28 per cent), are now more common than virus, spyware or malware attacks (28 per cent).

It is clear that as IT teams shore up their defences, attackers are choosing softer targets and preying on people instead. ‘CEO fraud’, which involves emails purporting to come from a senior director and instructing funds to be transferred into a third-party account, is one example. Humans are now the weakest link and increasingly the targets are FDs and other senior decision makers.

Dealing with the changing threat landscape requires a more integrated approach than before. IT teams by themselves cannot safeguard against these types of scam. Take those phishing emails, for example. While your IT department may help stop them getting through, your staff will need to know what to look out for. You should have a process for reporting and checking suspicious emails, and a response in place in the event that a failure occurs.

So while anti-virus software and the like continue to be critical, businesses also need to have the right policies and procedures in place. The fact is that cybersecurity now involves people throughout the organisation – from frontline staff to finance teams – and FDs and other board members need to be leading the fightback. As the FCA states, firms need to have a ‘security culture’ – which is sound advice for all of us and not just for regulated firms.

Here are a few tips to get you started:

1. Understand the basics
While no-one expects FDs to know all the technical details, it’s useful to understand the basics. The government’s Cyber Essentials guide outlines the five key principles. Your internet connection should always be secured; devices and software should be secured by passwords or two-factor authentication; and access to data and services should be controlled by ensuring privileges are only given to those who need them. Businesses also need to have malware and virus protection in place; and software should be updated regularly – known as ‘patching’.

2. Implement staff training
Ensure that all of your team are aware of what to look out for, and understand their roles and responsibilities. Appropriate training should be carried out as and when required, and certainly when new team members join.

3. Create a framework
Build a relationship with your IT team and liaise with them to develop an integrated approach. While they should take care of technical aspects such as browser software and patch tools, you will need to ensure you have the right policies and procedures in place, for example on granting or removing access rights. Create a framework that brings together all your cybersecurity defence tools in one place.

4. Monitor the threats
Carry out regular audits to ensure that procedures are being adhered to, and keep records for compliance purposes. Ensure you have monitoring in place that will allow you to detect threats and act on them at an early stage. Ideally the monitoring system should not just cover cybersecurity tools but the whole security framework, and also incorporate some type of alerts – for example if patches have not been applied, or staff training has not been carried out.

5. Achieve a recognised standard
All businesses must comply with GDPR, but achieving a recognised standard shows that you are serious about cybersecurity. The Cyber Essentials scheme is very cost-effective, while ISO/IEC 27001:2005 is a more in-depth option.

6. Have a response plan in place
Even with safeguards in place, it is not possible to prevent every incident, so in the event of a failure, having a response plan in place could help to minimise the impact. Under the GDPR rules, you will also need to report any breaches involving personal data to the Information Commissioner’s Office within 72 hours.

Cybersecurity may not be part of their traditional skillset, but as the threats become too close for comfort, FDs need to take charge. Working closely with IT teams to develop a coordinated defence is the only way to win this battle.

Jon Abbott is co-founder of cybersecurity platform ThreatAware and CEO of London-based managed service provider Priority One.