By Will North, Chief Security Officer at MHR

The first thing a hacker will ask themselves is, where is the money? No matter what industry your business operates in, their attention will turn to your finance team. Cyber security and data protection go hand in hand, and with finance teams often having key data at their fingertips, such as payroll or data from other departments leveraged for Financial Planning & Analysis, it’s vital that they are clued up on cyber security.

Cyber-attacks have increased drastically in recent years, and according to an IOCTA report, 73% of breaches are financially motivated. Businesses must ensure they are vigilant and as prepared as they can be to both existing and future cyber threats, including ensuring that the finance teams are aware of how they can prevent attacks. According to the World Economic Forum 2022 global risks report, cyber security failure is expected to be one of the critical threats the world will be facing in the next two years.

Best practice

Ensuring best practice is one way your finance team can avoid cyber security threats.

For instance, enforcing multi-factor authentication (MFA) will allow your business to reduce cyber-attacks as it’s a more vigorous way of verifying the identity of a user. MFA can most commonly be recognised in two steps: the first being a password request, and the second a code sent to a user’s mobile phone in order for them to verify their identity. As passwords can easily be guessed or obtained, having this second step of identification provides your business with an added layer of protection. MFA is easy for finance teams to implement in their everyday working habits, and more importantly, its effectiveness is illustrated by the fact that it is a mandatory requirement across Europe for processing financial transactions.

The cloud is another way of ensuring best practise. The cloud ensures that important and private data isn’t stored locally on any team members’ laptops or devices, preventing data breaches in the event that someone loses their laptop or has it stolen. However, if private data is backed up onto the cloud, the cloud itself should also be protected.

To do so, use a cloud service that encrypts your files to ensure that third parties do not have access to your private information. Secondly, you need to look at your privacy settings once signing up for a cloud service provider. When signing up for a cloud service provider, if you don’t configure your privacy settings, you risk your private information being shared across other apps connected to the provider. It is therefore advised to double check that the correct privacy settings have been selected on your devices to avoid the risk of someone outside of your team accessing your private data.

Additionally, when it comes to sensitive data, access should be kept only to those who need it. Following the Principle of Least Privilege means that an employee is only given the authorisation to data that is needed to complete their tasks, which can help limit the number of individuals who can access data, thus limiting the number of possible entry points for bad actors. To put this principle into action, businesses need to implement access control. Under this, selective restriction is applied to certain data, only accessed once an individual has verified who they are (authentication) and have been allowed access to the selected data (authorisation). With authentication and authorisation, another layer of protection can be added to data used by the finance team.

Due diligence

When it comes to your finance department, having a strong security defence is not optional, it’s essential. When your finance team is working with third party suppliers, it’s crucial to ensure that their governance and processes are ship shape before you begin working with them. Implementing complete cyber security due diligence will ensure this protection before your organisations start working together.

But what is cyber security due diligence? Fundamentally, it is the process of recognising, monitoring and then mitigating against the opposing cyber risks of third-party vendors. Cyber security due diligence is particularly important when it comes to company mergers or acquisitions that may call for the price restructuring of a deal. Once these threats are identified, organisations can take action to keep cyber threats at bay.

Cyber-aware culture

Just as you would ensure that your company culture is positive and inclusive, you should also take the time to ensure your company culture is also a cyber aware one.

One way of doing this is with frequent and engaging training sessions. First and foremost, you should ensure that you provide your employees with thorough training around cyber security during the onboarding process. However, it’s equally important for employees to maintain and expand on their knowledge of cyber threats throughout their careers. Consider offering training sessions that cover the new techniques hackers are using and explaining what they can do if they come up against these threats. Establishing a continuous conversation around the subject will remind employees to be mindful of the severity of these threats and give them the correct tools and knowledge to help prevent your business from a cyber security attack.

Another way to ensure employees are always made aware of threats is by using company newsletters to keep the conversation alive. It is a time efficient and simple way of presenting the key things for employees to look out for and is also something they can refer back to. Webinars can also be a great way of providing information in further detail. The more avenues available for cyber awareness and education in your business, the greater the chance of preventing these attacks.

Collaboration

Having weak spots in your business only allows gaps for cyber attackers to worm their way in, so businesses should encourage strong collaboration between their finance and IT teams.

According to Gartner, 93% of finance leaders say they expect to see leaner work functions – that is, with fewer employees – that are digital and data-driven by 2025. However, the bigger the role data and technology plays, the bigger target a business becomes for cyber breaches.

As such, finance and IT teams must work together to understand the processes, priorities and challenges faced, so that they can make sure IT systems support the financial operations of the business. Regular communication between teams will be a key way of doing this and discussing any potential threats or irregularities will be vital when it comes to preparing a strategy that mitigates against cyber threats. Fundamentally, creating a positive open conversation across IT and finance teams means that cyber threats will be less likely to occur.

It is the responsibility of the business to establish core training and a cyber aware culture that will enable employees to recognise and combat cyber threats. These tools are especially important in finance teams, which are they under the largest threat. Creating an ecosystem which enables the whole business to support this added risk, and work together to find solutions when cyber security issues do arise, is fundamental.