Cyber Risk DSI: Finance

In the second of our cyber risk department-specific inquiries (DSI) we’re taking a closer look at the risks faced by an organisation’s finance department and how these can best be mitigated.

Courtenay Brammar
Cyber Security: Beyond the headlines

--

Welcome to another edition of Cyber Security: Beyond the headlines. Each week we’ll be sharing a bite-sized piece of unique, proprietary insight from the data archive behind our high-quality, peer-reviewed, cyber security case studies.

A company’s finance department is often a high value target for cyber attacks for two key reasons:

  1. It is the final authorisation step before money leaves the organisation. Often funds have exited the company’s control by the time an attack on the finance department has been detected.
  2. It is where sensitive non-public company information is aggregated and stored. Getting access to this information without detection provides attackers with an almost undetectable cyber crime opportunity.

Our data shows that, in this area specifically, attackers are dedicating significant time to designing their attack approach so that they’re highly likely to slip under the radar of most established control mechanisms.

Contrast this with the defense side, where a company’s information security team is likely under-resourced and overwhelmed: the victims are often extremely surprised by the ingenuity, thoroughness and tenacity of the attackers.

In the cases we’ve analysed the weaknesses that tend to be exploited are around the remote nature of modern work: very little communication is done face-to-face or by telephone anymore and employees tend to trust what arrives in their inbox. Couple this with the fact that it’s very easy to establish who works in a finance department and you get the sense that the issue is perhaps bigger than reported.

It is worth noting that, unlike with the theft of customer data, a company has very little motivation to publicise a successful attack on its finance department.

What are the main areas of weakness in the finance department to be cognisant of? Our data points to the following:

  • The finance department has long been an attractive target for old-fashioned wire fraud. These frauds have been made much more convincing of late through obtaining access to the CEO’s email account (or faking it) and peppering the content of the email with authentic titbits gleaned from a thorough study of relevant employees’ social media accounts. The FBI’s Internet Crime Complaint Center, or IC3, reported a 270% increase in this kind of attack since January 2015.
  • Individuals in the team have access to sensitive company financial data and projections, so they have foresight, before others, of information that could materially affect the company’s share price. Hackers who gain access to this through stolen credentials circumvent most companies’ endpoint security controls, which will not alert on the seemingly authorised activity, and all of this ‘normal’ activity will be buried in massive security logs. This concealment creates the perfect insider trading crime.

After the attack on Union Bank of India, where attackers attempted to steal $171 million, forensic experts said they believed the use of the malware was “not a single occurrence, but part of a wider and highly adaptive campaign targeting banks. The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks.”

The CEO scam attack on Austrian aerospace manufacturer FACC AG, which targeted the finance department, involved the use of a fake identity and cost the company in excess of Euro 40 million. It resulted in the swift firing of the company’s CFO and a reorganisation of the finance department, and ultimately the CEO was also fired.

The attack on the US Securities and Exchange Commission led cyber security experts to draw the conclusion that attackers were focusing increasingly on insider trading opportunities as trading on stolen information is extremely hard to detect in the market. The standard approach to identifying insider trading of examining who has access to the material non-public data and their close associates is useless when fighting cyber criminals.

Some now even believe that Russian organised crime have access to computer models that allow them to keep illicit trading under the ceiling of detection.

It’s an unfortunate fact of cyber security that, rather than competing with the attackers, in many ways you’re competing against your industry peers when designing your defense. Performing departmental deep-dives like this throughout your organisation will help you mitigate more effectively and ensure you’re less of a target compared to rivals.

It will also help highlight how much the attack vector, specifically in a department like finance, is human rather than technological. As Douglas Maughan, Head of Cybersecurity Research at the US Department of Homeland Security said: “We’ve had too many computer scientists looking at cybersecurity, and not enough psychologists, economists and human-factors people”.
