Installing Cybersecurity Controls in your Finance Department

The author of this article: Jean-Marie Bequevort - Expert Practice Leader
Adopting stronger internal controls when your finance team works from home? Cybersecurity controls are extremely relevant for finance managers. Especially since financial market regulators started requesting companies to disclose cybersecurity risks and incidents that are material to investors. Here are some practical tips to protect your company from cyberfraud in the next few weeks and beyond.

In recent months, a large number of news outlets have reported that cybercriminals have intensified their activity, using the COVID-19 pandemic to rob, exploit and disrupt organizations. Their preferred instruments are phishing emails, malicious apps, and malicious websites. Crimefighters assume that a company’s vulnerability increases when its employees work from home, and that detecting and responding to intrusions is more difficult than usual.

If you want to understand how home-office work can facilitate cyberattacks, I advise you to read the McKinsey article ‘Cybersecurity’s dual mission during the coronavirus crisis’. I specifically thought the higher success rates of phishing emails and fake call center agents in home office environments to be pertinent. There’s basic ‘social control’ in an office setting, with coworkers acting like a ‘human protection shield’ when they talk to colleagues about suspicious emails.

Business email compromise

Over the last 12 months, I was asked to review the controls of several finance departments that fell victim to business email compromise, a form of email fraud that has become one of the most frequent tools for social engineering.

Those investigations reveal a clear pattern of action: the attacker had falsified the contact details of the supplier and made a specific request to an accounts payable accountant to modify the bank account details used to pay open invoices. The request appeared genuine (company logo and information, etc.) because the attacker had previously hacked the supplier’s database to obtain precise customer details and contact information.

It is widely known that cybercriminals use publicly available information (your company websites, LinkedIn, etc.) to target specific employees and trick them into providing credentials and passwords.

Impersonation of external audit companies

Another scheme affecting finance departments is the impersonation of external audit companies. In that case, an employee of a company receives an email request from the lawyer of the external audit firm (the email address is usually spoofed) requesting a fund transfer. That email is subsequently followed by an email (also a falsification) from a senior executive of that company (CEO, etc.) confirming the urgency and confidential nature of the lawyer’s request.
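Both schemes described above share the same weak point: an accounts payable clerk acting on an email alone. The following script is an added illustration of the kind of control a finance department can put in front of that decision; it is not code from the author or from any product. It scores an incoming bank-detail change request against the vendor master record (look-alike sender domain, reply-to mismatch, change of bank country, pressure language such as "urgent" or "confidential") and then enforces a four-eyes rule in which the only acceptable callback number is the one captured at vendor onboarding, never one quoted in the email. All vendor data, email addresses, domains and phone numbers below are constructed sample values.

```python
"""Pre-payment control for supplier bank-detail change requests.

Illustrative example only; vendor records, emails, domains and phone
numbers are constructed sample data, not taken from any real case.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VendorRecord:
    name: str
    email_domain: str    # domain agreed at onboarding
    iban_country: str    # country of the bank account currently on file
    callback_phone: str  # number captured at onboarding, NOT from any email


@dataclass
class ChangeRequest:
    vendor_name: str
    from_addr: str
    reply_to: str        # empty string when the header is absent
    new_iban_country: str
    subject: str
    body: str


# Wording typical of the "urgent and confidential" pressure seen in both schemes.
PRESSURE_TERMS = ("urgent", "confidential", "immediately", "today", "do not discuss")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (acme vs acrne)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_request(req: ChangeRequest, vendor: VendorRecord) -> List[str]:
    """Return every red flag raised by a change request (empty list = none)."""
    flags = []
    sender_dom = _domain(req.from_addr)
    if sender_dom != vendor.email_domain:
        if 0 < _edit_distance(sender_dom, vendor.email_domain) <= 2:
            flags.append(f"look-alike sender domain {sender_dom!r} vs {vendor.email_domain!r}")
        else:
            flags.append(f"sender domain {sender_dom!r} not on file for {vendor.name}")
    if req.reply_to and _domain(req.reply_to) != sender_dom:
        flags.append(f"reply-to domain {_domain(req.reply_to)!r} differs from sender domain")
    if req.new_iban_country != vendor.iban_country:
        flags.append(f"bank country changes {vendor.iban_country} -> {req.new_iban_country}")
    text = (req.subject + " " + req.body).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


def approve_change(vendor: VendorRecord, requester: str,
                   callback_number_used: Optional[str],
                   second_approver: Optional[str]) -> bool:
    """Four-eyes plus out-of-band verification.

    The change is approved only if the supplier was called back on the number
    held in the vendor master record and an independent second person signed
    off. Red flags are informational; this rule applies to every request.
    """
    return (callback_number_used == vendor.callback_phone
            and bool(second_approver)
            and second_approver != requester)


# Constructed sample data.
SAMPLE_VENDOR = VendorRecord("Acme Supplies", "acme-supplies.example", "DE", "+49 30 0000 0000")
SUSPICIOUS_REQUEST = ChangeRequest(
    "Acme Supplies", "billing@acme-supp1ies.example", "billing@mail-relay.example",
    "LT", "URGENT: updated bank details",
    "Please pay all open invoices to our new account immediately. Confidential.")
ROUTINE_REQUEST = ChangeRequest(
    "Acme Supplies", "billing@acme-supplies.example", "", "DE",
    "Invoice 4711", "Please find our invoice attached.")

if __name__ == "__main__":
    for flag in assess_request(SUSPICIOUS_REQUEST, SAMPLE_VENDOR):
        print("FLAG:", flag)
    print("approved:", approve_change(SAMPLE_VENDOR, "ap.clerk",
                                      "+49 30 0000 0000", "ap.manager"))
```

The scoring is deliberately separate from the approval rule: a request that raises no flags still cannot be approved without the callback and the second signature, because a well-prepared attacker who has already obtained the supplier's real customer data may produce an email with no technical tells at all.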
