
Cybersecurity: Another hat for the modern CFO to wear?

Well-resourced cybercriminals have laid siege to Australian businesses.

But CFOs are stepping up to the plate, playing a crucial role in mitigating the risks, ensuring good security hygiene, and creating a culture of organised cyber resilience.

CFO Magazine A/NZ hosted a special cybersecurity-focussed CFO Lunchtime Live WebCast, with over 280 CFOs and finance leaders joining online, featuring two of the region’s leading experts in cybercrime, plus exclusive insights from a local CFO who has personally experienced a cyber breach. I was invited to attend this enormously beneficial and timely event to report on the key findings.

James Solomons, CFO of Xref, hosted the one-hour discussion and questioned Gavin Levinsohn, Chief Growth Officer, Eftsure; Robert Thorpe, Managing Director, Finance & Operations, Allegro Funds; and Mark Chazan, CTO and Co-founder of Eftsure, on the topic of cybersecurity and the role of the CFO.

As James pointed out, cybercriminals are not only quick but also hard to detect: the average Australian data breach takes 211 days to detect and 85 days to contain. The average loss last year was $50,000 in Australia, which is a big hit for any business.

The growing threat

Cybercrime is a growing threat, points out Eftsure’s Gavin Levinsohn.

The Australian Cyber Security Centre reveals that the nation’s business fraternity lost $29 billion to cybercriminals in 2019, a figure that rose to $33 billion in 2021. When you take into account the potential for underreporting, the true figure is more likely to be around $45 billion, Levinsohn says.

More than 300,000 incidents of cybercrime were reported last year, which accounts for one every 90 seconds across consumer, business, credit cards, tax-related crime and everything else in between. Depending on the breach, it can be very reputationally destructive, too.

It’s suggested that costs are between three and five times higher than the dollar amount lost once you take into account the subsequent lack of productivity, the destruction of working capital, legal costs and forensic costs, he says.

Social engineering scams, such as business email compromise and executive or trading-partner impersonation, are among the top concerns.

“CFOs often underestimate how pervasive the threats are. Companies are under constant attack, so you need to always be looking for vulnerabilities. It’s about trying to remain safe when there has been a vulnerability via a supplier, which can be tricky.

“These are very sophisticated and nuanced scams, right down to the language, the turn of phrase,” he says.

A case in point

Allegro Funds reveals it fell victim to a successful cybercrime attack in 2018. Robert Thorpe, Managing Director, Finance and Operations, explains that it hit two portfolio companies simultaneously, just before Christmas, a hugely busy period for the company.

Thorpe explains: “One of our portfolio companies made a payment to a major supplier, which had come from a legitimate email address from the supplier.

Although the bank account details had changed, the payment was made because the email politely requested payment ahead of Christmas so staff could be paid. Nothing appeared untoward, he says.

“The language on the email reflected the same language as usual, so you couldn’t tell this was a fraudster working in the background.”

The fraud was uncovered when the supplier called a week later chasing the payment, explaining it hadn’t arrived.

The finance team quickly called their lawyer, sought a court injunction and contacted the bank. They managed to put a stop on the destination bank account, but it had already been emptied.

Thorpe says: “The immediate reaction was how can we get the money back, and whether we are covered by insurance. We had to go to court, and the toll on our people just before Christmas was horrendous.”

At the same time, a second portfolio company was hit when a similarly worded email arrived from a fraudster impersonating a supplier and requesting a payment. The change in bank account had been approved, and so that money went out the door as well.

“The experience triggered us in a way to being alert to these matters. It really feels like you’re under attack, and it’s a case of really clamping down, putting a stop on all payments immediately, taking a breath, seeing what else is loaded in our system and contacting suppliers to ensure payments are going to the right place,” he says.

“It’s created a level of awareness that I didn’t have beforehand. When you’re in that situation, it’s not somewhere you want to be again,” he says.

Thorpe set up a working group to investigate what happened, and how. “The objective isn’t to blame someone, it wasn’t anyone’s fault. The cyber criminal had got the upper hand. These aren’t university students sitting in a dark room, this is a legitimate business and it’s a volume game for them,” he says.

Over the course of the next six months, the finance team managed to recover 80 per cent of the money and arrests were made, but half of the recovered funds were used for legal fees and court fees.

Thorpe says staff training and additional checks and balances have been implemented. Staff are trained not to click on links, and if they do, there is a system in place so they can tell the right people so the network can be reviewed and cleansed. “It’s a constantly evolving game and the key is to be ahead of it, rather than be reactive,” Thorpe says.  
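Thorpe’s “additional checks and balances” come down to one control that would have caught both payments above: no funds leave on bank details that have not been confirmed with the supplier through a channel the fraudster does not control. The following is an added example of that control as a pre-payment check; it is not Allegro’s process or Eftsure’s product, and the supplier names, BSBs, account numbers and phone numbers are constructed.

```python
"""Pre-payment control for supplier bank-detail changes.

Holds any payment whose destination bank details do not match a supplier
master record that was confirmed by call-back on a known-good phone number.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    bsb: str        # Australian Bank-State-Branch code, six digits
    account: str    # account number


@dataclass
class SupplierRecord:
    name: str
    details: BankDetails
    callback_phone: str            # from the original onboarding paperwork, never from an email
    verified_by_callback: bool     # True once the details were read back to the supplier on that number


@dataclass(frozen=True)
class Payment:
    supplier: str
    amount_aud: float
    details: BankDetails
    details_source: str            # where the payee details came from: "master" or "email"


@dataclass(frozen=True)
class Decision:
    payment: Payment
    release: bool
    reason: str


def vet_payment_run(payments, master):
    """Return one Decision per payment; nothing is released on the strength of an email alone."""
    by_name = {s.name: s for s in master}
    decisions = []
    for p in payments:
        record = by_name.get(p.supplier)
        if record is None:
            decisions.append(Decision(p, False, "unknown supplier: not in master file"))
        elif p.details != record.details:
            decisions.append(Decision(
                p, False,
                f"payee details differ from master record (supplied via {p.details_source}); "
                f"hold until confirmed by call-back on {record.callback_phone}"))
        elif not record.verified_by_callback:
            decisions.append(Decision(p, False, "master record details never verified by call-back"))
        else:
            decisions.append(Decision(p, True, "matches verified master record"))
    return decisions


def apply_change_request(master, supplier_name, new_details, callback_confirmed):
    """Update a supplier's bank details only after the change was confirmed by phoning
    the number already on file. Returns True if the master file was changed."""
    for record in master:
        if record.name == supplier_name:
            if not callback_confirmed:
                return False              # the old, verified details stay in force
            record.details = new_details
            record.verified_by_callback = True
            return True
    return False


# Constructed sample data (hypothetical supplier names, BSBs, accounts and phone numbers).
SAMPLE_MASTER = [
    SupplierRecord("Acme Packaging Pty Ltd", BankDetails("062000", "12345678"),
                   callback_phone="02 9000 0000", verified_by_callback=True),
    SupplierRecord("Bravo Logistics", BankDetails("033000", "87654321"),
                   callback_phone="03 9000 0000", verified_by_callback=False),
]

SAMPLE_PAYMENTS = [
    # routine invoice, details taken from the master file
    Payment("Acme Packaging Pty Ltd", 48_200.00, BankDetails("062000", "12345678"), "master"),
    # the pattern in the case above: same supplier, "new" account quoted in an urgent email
    Payment("Acme Packaging Pty Ltd", 48_200.00, BankDetails("062000", "99999999"), "email"),
    # supplier on file but never confirmed by call-back
    Payment("Bravo Logistics", 9_950.00, BankDetails("033000", "87654321"), "master"),
    # payee nobody has onboarded
    Payment("Charlie Consulting", 1_200.00, BankDetails("012000", "11112222"), "email"),
]


if __name__ == "__main__":
    for d in vet_payment_run(SAMPLE_PAYMENTS, SAMPLE_MASTER):
        status = "RELEASE" if d.release else "HOLD   "
        print(f"{status} {d.payment.supplier:<24} ${d.payment.amount_aud:>10,.2f}  {d.reason}")
```

The point of `callback_phone` living in the master record is that the call-back must go to a number the company already held before the change request arrived; a phone number printed in the same email that asks for the change belongs to the fraudster and confirms nothing.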

The privacy maze

The other issue is that banks are required to protect the recipient of the funds, adds Eftsure CTO and Co-founder Mark Chazan.

Privacy laws also often prevent the recipient bank from disclosing the name of the person you have sent the money to. “Trying to get the money back is tough, because the bank usually is required to contact their customer (the recipient) first to ask them if they have a right to the funds transferred to them, and if the recipient ignores the request or says they are legitimately theirs, it’s then up to you to sue the person you’ve been duped into paying, but you don’t know who they are,” he says.

“If it ends up in the press, the bank may pay it back due to reputational risk issues or as a goodwill gesture, but otherwise, it’s really about you taking responsibility before making the payment,” he says.

“Fraudulent funds can pass through three or four accounts and then make their way out of the country before you’ve even had a chance to make a phone call to try and recover them,” he says.

Organisations need to create a culture of complete awareness of the dangers, and implement training and follow-up training, as scams are continually evolving.

New threats on the block

1) Video conferencing software is subverted. Using a compromised email account, a fake Zoom or Teams meeting is set up with someone who makes payments. When they join the meeting, the person impersonating someone inside the organisation messages to say they are having technical problems, and then types in the details of an urgent payment.

2) Fraudsters keep a close eye on public speeches made by key people in an organisation, train technology to replicate their voice, and use that voice to instruct people in the organisation to make urgent payments.

3) An email is sent from a compromised email account within the organisation requesting that a payment be made, but asking the recipient not to get in touch about it because the sender is in a meeting, and to just go ahead with it.