Hackers have numerous ways to assault a company, from spyware to denial-of-service (DoS) attacks that can overwhelm a server or network with internet traffic. But ransomware attacks are some of the most concerning for experts in the finance and cybersecurity spheres.
“Ransomware is probably one of the things that keeps me up most at night,” said Allison Ward, CPA, a US-based partner with CapinTech, a CapinCrouse company that specialises in cyber consulting.
Ransomware attackers breach corporate networks and use encryption software to digitally lock files and data, making it impossible for the victim to use their own information, and then hold the company’s data hostage.
As the victim scrambles for a solution, the attackers make an offer: If the company pays a ransom, its files will be unlocked.
It can be an especially lucrative method of attack, since the hackers are extorting money directly from their victims instead of needing to find a third-party customer for stolen data. And they are targeting companies of all sizes.
“Organisations sometimes have a false sense of security if they are smaller, if they outsource, if they don’t maintain systems on-site,” Ward said. But, she said, “The impact can be so significant, and I think it can impact pretty much everyone.”
Here’s how experts say companies can strengthen their defences, create a culture of security, and prepare for the worst.
Assess and maintain technological defences
Finance is a common target for cyberattacks, as it manages valuable data and important software systems. In addition, the CFO may hold or share responsibility for maintaining security technology and protocols, said Tin Lau, FCMA, CGMA, chief risk officer for Mirae Asset Securities in London.
“Cybersecurity is more and more important as firms have more and more of an online presence — and unless the CEO has a [chief information security officer] or equivalent junior person, someone’s got to pick this up,” Lau said. “You can’t avoid doing it.”
Finance and IT may share responsibility for systems and data, though the technology team may not even be aware of the status of certain systems under finance’s control, said Darron Sun, FCMA, CGMA, CPA (Australia), a Hong Kong-based CIO for a not-for-profit organisation.
“We have to implement robust cybersecurity measures,” Sun said.
It’s key that finance leaders take responsibility, determining who owns key systems and responding appropriately, Sun said. That means keeping software up to date to fix known vulnerabilities; ensuring that firewalls and detection systems are in place; and employing experts to probe for vulnerabilities. Finance leaders should also ensure that backups of sensitive data are kept in multiple places, preferably including a backup option that is not connected to the company network or the internet.
In addition, finance ultimately must ensure that these fundamental defences — including both the technology and regular testing to ensure its functionality — are properly funded and meet regulatory standards.
“If your company has zero budget for cybersecurity, you will have zero cybersecurity,” Sun said.
Train staff to prevent attacks
Digital defences only stop some attacks. In other cases, attackers use tactics to trick employees into taking actions that compromise security.
“Ransomware is often something which is triggered through human behaviour,” said Kasun Premechandra, who is based in Sri Lanka and leads portfolio management for the Finance Change division of the London Stock Exchange Group.
Attacks commonly start with phishing attempts — fake messages that contain files or links that will allow the attackers onto the network if they are activated by the user.
And the attackers are becoming more sophisticated.
They may use generative AI to create fake video or audio messages from executives, or convincingly customised emails, that urge employees to download a file or click a link.
“All it takes is one person to get busy, fall for a voice attack, and disclose their MFA [multi-factor authentication] code,” Ward said, “and the bad actor has access.”
The strongest defence is to train individual employees to identify and reject phishing attempts. Training exercises can help them learn the telltale signs of an attempted attack (see the sidebar “How Phishing Attacks Can Present” at the bottom of this article).
Besides conducting training, companies should regularly test their staff’s ability to identify phishing content. Phishing simulation software sends emails to employees in the style that cyberattackers might use. If an employee clicks the link, nothing bad actually happens — except that managers are alerted that the employee fell for a phishing attempt.
“These kinds of actions can give a very strong signal to the staff: They have to pay attention to phishing,” Sun said.
The goal of these tests and training, Premechandra added, is to create a culture where each employee understands that security is their responsibility — a process that begins at onboarding and continues throughout a worker’s tenure.
“It’s all about training, bringing awareness, and then empowering the staff so that they can be a human firewall, so that they will think for themselves, and then they will prevent threats from reaching the organisation,” he said.
Plan for the worst
Every company has to consider the possibility that, despite preventive efforts, their data will eventually be held hostage.
One way to prepare is to improve the company’s data backup strategy. In the event of an attack, a well-prepared company might be able to simply restore backup data instead of paying the ransom to unlock the compromised data.
But it’s key to keep these backups separate from operational systems, since the attackers will aim to lock or destroy any backups they find. Leaders also should think carefully about what data to back up — attackers may target unexpected but important information, such as contact information databases of employees.
Companies must also plan for responding to cyber-ransom attacks.
“We have to develop an effective cyber incident response plan … and we have to minimise impact,” Sun said. (See the sidebar “Incident Response Plan — Key Elements” at the bottom of this article.)
“Documentation is key and important,” Ward said. “The more you do on the front end [before a potential attack], the more prepared you’ll be on the back end.”
In an emergency response, each department will have an important role to play.
IT will most likely lead efforts to repel the attackers and restore data. The company’s general counsel may be negotiating with the attackers. But finance will be advising both of those teams: What financial data has been compromised, and how easily could it be replicated? How much will a plan of action cost, and how will it affect the company’s finances?
The company needs “a clear chain of command and a playbook, so everyone knows what they’re doing”, Lau said. In an emergency response, there must be “a very small group of decision-makers with access to the latest available information to make a decision quickly”.
A response plan also should detail how the company will disclose information to the public and to partner companies, Sun said.
“Sometimes the information or the data being ransomed may not only affect your company but may affect your business partners,” he explained.
It may be appropriate to keep response plan documentation totally isolated from the company network so that it’s not revealed to attackers.
Paying the attackers is a last resort, the experts stressed. Giving money to attackers gives them more resources and motivation to continue their attacks. They may even return to the same victim later.
“Law enforcement recommends not paying, and we tell our clients we don’t recommend paying,” Ward said, “but that’s sometimes a lot easier said than done.”
Even paying the ransom may not end the crisis, Premechandra added.
“There is no guarantee that they will give you the decryption code or decryption key,” he said.
Practise your incident response plan
Companies should regularly practise their cyber-ransom response plans, whether it’s through tabletop role-playing exercises or more advanced digital simulations.
“We have to do some training and drills on the incident plan because no one can guarantee your plan is working well [if it’s not practised],” Sun said. “Training and drills are important to improve everyone’s response during a high-pressure situation. The purpose of a drill is to make sure everyone knows their roles or responsibilities.”
Ward added that there should be unexpected wrinkles in these fictional scenarios, making them more realistic and less routine.
“Make it challenging for yourself. Act like things will go wrong,” she said. “What if the right person wasn’t there? What if you didn’t have access to get to a certain system? Those types of challenges can make you talk through things and find where gaps may be.”
The threat won’t be going away soon, Ward warned. Any company may face a cyber incident or even a breach. Strong technological defences only represent the first line of protection.
The real question — and the way that finance leaders may ultimately be judged — is how well teams have trained for and responded to the crisis.
“Organisations that are really prepared have a better response,” Ward said. “A lot of times, the criticism comes not because you had a breach, but because of the response and not being prepared.”
Incident response plan — key elements
According to the experts interviewed for this FM article, a response plan for a cyber incident should address the following:
- Containment and eradication: Steps and methods for containing attackers and expelling them from the network.
- Contact information: Contact details for potential third-party partners who will aid in response and key responders within the company.
- Data backups: Information about the availability and frequency of data backups and procedures for accessing, restoring, and validating backups.
- Task delegation: Delegation of responsibility for key tasks such as communication with stakeholders, restoration of various systems, and potential negotiation with attackers.
- Communication plans: Strategies for keeping internal and external parties informed.
- Cyber insurance policies: Details of cyber insurance policies, including the limits of coverage and claim initiation procedures.
- Legal and regulatory compliance: Laws and regulations that may apply to the response, including timelines and processes for regulatory reporting.
- Negotiation guidance: Guidance for negotiators about the circumstances in which the company might pay a ransom.
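The article asks for backups to be kept off the network and for procedures to validate them, since attackers will lock or destroy any backups they can reach. The script below is an added illustration of one such validation procedure; it is not from the article or any of the organisations quoted in it. It records a SHA-256 manifest when a backup is written, stores that manifest separately from the backup itself, and later reports which files are intact, altered, missing or unexpected. The directory layout, file names and the tampering scenario are constructed for the demonstration.

```python
"""Backup integrity check: hash manifest taken at backup time, verified before restore.
Added illustration for the article's backup-validation point; not the article's own tooling."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (path relative to root) to its size and hash."""
    manifest = {}
    for entry in sorted(backup_root.rglob("*")):
        if entry.is_file():
            rel = entry.relative_to(backup_root).as_posix()
            manifest[rel] = {"size": entry.stat().st_size, "sha256": sha256_file(entry)}
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the manifest; keep this file apart from the backup it describes."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest recorded when it was written.

    Returns lists of relative paths: 'ok' (hash matches), 'modified' (hash differs,
    e.g. a file overwritten with encrypted content), 'missing' (deleted) and
    'unexpected' (present now but absent from the manifest, e.g. a dropped note).
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(backup_root)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            result["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario (not real data): write a small backup, record its manifest in a
    separate location, tamper with the backup copy, then verify it against the manifest."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as store:
        root, manifest_path = Path(backup), Path(store) / "manifest.json"
        (root / "ledger").mkdir()
        (root / "ledger" / "2024-q1.csv").write_text("date,amount\n2024-01-02,100\n")
        (root / "contacts.csv").write_text("name,email\n")
        save_manifest(build_manifest(root), manifest_path)

        # Simulated tampering of the backup copy: one file overwritten with random
        # bytes (as an encrypting process would leave it), one deleted, one added.
        (root / "ledger" / "2024-q1.csv").write_bytes(os.urandom(64))
        (root / "contacts.csv").unlink()
        (root / "README_RESTORE.txt").write_text("constructed placeholder note")

        return verify_backup(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

A matching manifest shows that the copy is the one that was written, not that the business can run from it; the restore drills the article recommends are still needed. Because the manifest is only as trustworthy as its storage, it belongs with the offline copy or in a write-once location the operational network cannot reach.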
How phishing attacks can present
These are the common characteristics of a phishing attack to look out for:
- Unfamiliar senders or unexpected or unsolicited email from reputable senders.
- Urgent language that creates pressure to act quickly.
- Generic greetings that don’t use an individual’s name.
- Spelling and grammar errors or unusual phrasing.
- Email domain spoofing, in which the sender uses a slightly altered domain name, often changing a single letter in the domain name of the employer or another reputable company.
- Mismatched URLs, where the text of the email appears to point to one domain but the underlying URL actually leads elsewhere. (This can be identified by inspecting the link in the email client, often by right-clicking or hovering over the hyperlinked text.)
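Two items in this list, domain spoofing and mismatched URLs, can be checked mechanically rather than left to a busy employee's eye, and the article's phishing-simulation section describes the kind of message such a check would be run against. The script below is an added example, not from the article or the experts quoted in it: it pulls every link out of an HTML message body, flags links whose visible text names a different domain from the one the link actually targets, and flags sender or link domains that are one character away from a trusted domain or that bury a trusted name inside an unrelated one. The trusted-domain list, the sender address and the sample message are all constructed for the demonstration.

```python
"""Heuristic phishing indicators: mismatched link text vs. target, look-alike domains.
Added illustration for the sidebar above; not the article's own tooling."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed set of domains the (hypothetical) organisation regards as its own.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (adequate for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character domain alterations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain that host imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(dom, trusted) == 1:          # e.g. examp1e.com, example.co
            return trusted
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return trusted                            # e.g. example.com.login-check.net
    return None


def phishing_indicators(sender: str, html_body: str) -> list:
    """Return human-readable indicators found in one message (empty list if none)."""
    findings = []
    sender_host = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(sender_host)
    if imitated:
        findings.append(f"sender domain {sender_host} resembles trusted {imitated}")

    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        # Mismatched URL: the visible text names a domain, but the link goes elsewhere.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != registrable(target_host):
            findings.append(f"link text '{text}' points to {target_host}")
        imitated = lookalike_of(target_host)
        if target_host and imitated:
            findings.append(f"link host {target_host} resembles trusted {imitated}")
    return findings


# Constructed sample message for a stand-alone run; not a real phishing email.
SAMPLE_SENDER = "payments@examp1e.com"
SAMPLE_BODY = (
    "<p>Your account will be suspended today. "
    '<a href="https://example.com.login-check.net/reset">https://example.com/reset</a> '
    'or visit the <a href="https://examplebank.com/help">Help centre</a></p>'
)

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_SENDER, SAMPLE_BODY):
        print("INDICATOR:", finding)
```

The checks are deliberately narrow: they cover the two mechanical indicators in the sidebar and say nothing about urgent wording or generic greetings, which remain a judgement for the reader and a subject for the training exercises the article describes. Any hit is a reason to pause and verify through a known channel, not proof of an attack, and a clean result is not proof of safety.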
Andrew Kenney is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.
LEARNING RESOURCES
Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate
This certificate programme will help you gain an understanding of the importance and impact of cybersecurity risks on your organisation or client, including an introduction to the AICPA’s cybersecurity risk management reporting framework.
COURSE
AICPA & CIMA RESOURCES
Article
“Cybersecurity Poses Present and Future Challenges, Report Finds”, FM magazine, 16 January 2024
Guidance
CGMA Cybersecurity Tool: Risk, Response and Remediation Strategies 2023
This tool provides essential guidance to finance professionals to minimise the financial, brand, and reputational impact of cybersecurity threats, including how to implement risk strategies, build cyber resilience, and develop the capacity to respond quickly and effectively to cybersecurity attacks.