Cybersecurity challenges in a digitalised finance function

Mon 05 Oct 2020

Cyber criminality is a phenomenon that each and every one of us has encountered, either personally or via mainstream media coverage. And sometimes – perhaps because it is in the press or because it is an issue related to information systems – the finance function regards itself as being at a distance from this thorny subject. Yet this is not the case, and some current and future challenges appear to indicate that the finance function should keep a keen eye on an issue that is so important today.

The many faces of cyber criminality

What do we mean by cyber criminality, and what does it mean specifically for finance roles? Cyber criminality may be defined as an individual’s capacity to penetrate an information system without permission, or to divert it from its primary purpose in various ways.
A non-digital analogy can be made with houses: the information system is the house, and the hacker tries to force the locks to reach their objective.

Despite its constantly changing nature, cyber criminality ultimately pursues a rather small number of objectives, which fall into several categories:

  • Preventing a system from working correctly, such as denying service or blocking entry. Using the house analogy: this is blocking the door.
  • Collecting the data present on a system to use it for the wrong purposes, such as theft of information. Comparison: house looting.
  • Taking a system, or the data within it, hostage to benefit the cyber criminal in some way, such as ransomware. Comparison: an unexpected change of locks.
  • Using an information system as a medium to communicate, deliver a political message or even allow a third party to make use of digital infrastructure to illegally broadcast content. Comparison: house squatting.

What are the implications for the finance function?

Of course, the first risk is misappropriation of financial assets, or outright theft through fraudulent transfers made in different ways: hijacking a cash-management tool through the improper use of bank card details stored on the company’s infrastructure, or – less directly – through the fraudulent substitution of suppliers’ or employees’ bank details.

There is no lack of means to misuse funds; the most classic ones, mentioned above, have happened several times in our experience. Besides those, there is a less direct but just as damaging way, which is the misappropriation of financial information. For example, a competitor or a shareholder wishing to make a lucrative but illegal deal enters the target company’s system to collect confidential information in order to make money from it.

Even more dangerously, a hacker enters a website or a repository of official public documents (such as annual reports) and modifies some of the data, publishing information that is incorrect and extremely risky for the company. This has already happened, and in some countries it may lead to sanctions for the company that has suffered the damage if it fails to quickly correct the erroneous information.

As you can see, the finance department is exposed to cyber risk because it has a high concentration of attractive information.

So, can the finance function defend itself? To answer this question, we need to characterise the means enabling these hackers to act, and there are three types. They seek to:

  1. Exploit passwords which are not complex enough. In other words, find locks which are weak.
  2. Take advantage of the naivety or gullibility of individuals in order to make some of the hackers’ manoeuvres easier.
  3. Look for applications in the system they wish to attack which have not been rigorously updated and whose security gaps are publicly documented, for example on the vendor’s website.

The best weapons against cyber threats are educating teams and collaborating with IT

Therefore, finance must recognise that the information passing through its department is subject to hacking in different ways. It is responsible for its hardware and software infrastructure, as well as for ensuring that:

  • The IT manager or the chief information security officer has taken all necessary measures to protect its data and access.
  • The passwords used by its teams are reasonably robust and that simple passwords such as ‘holiday’, ‘sun’, or ‘toto’ are not permitted.
  • A communication policy on the challenges and risks of cyber criminality is regularly circulated among staff, and that clicking aimlessly on attachments or enticing messages becomes a practice that well and truly belongs in the past.

It is all the more important that these requirements are respected since the General Data Protection Regulation (GDPR), applicable since May 2018, creates a new challenge in securing access to personal data. The finance department’s efforts to secure IT systems will not be in vain – on the contrary, cyber security and data privacy are critical issues that will continue to grow in importance in the years to come.