Watch out for whalers
One step up from phishing attacks are whaling attempts (aimed at bigger ‘fish’) where a quite convincing-looking and well-timed email is received by the finance team, purporting to be from the CEO who is perhaps overseas, and asking for a significant amount of money to be transferred to a bank account with the bank details in the email.
Finance teams should be educated about whaling, and processes implemented so that a phone call is made to the CEO to confirm the instruction, or the CEO uses a pre-arranged ‘safe’ word in the email to authenticate the request.
- Training for employees is vital to ensure they understand the criticality of data and how it, and they, may be targeted.
- Find, classify and protect your organisation’s sensitive data.
- Deploy software updating/security patches as soon as possible after their release to reduce vulnerability.
- Employ data encryption to protect sensitive data in transit and at rest.
- Use ﬁrewalls, anti-malware and intrusion detection to protect your environment.
- Use identity management to control user activity.
- Understand where your organisation’s data is stored and by whom. What level of resilience and recovery plans are in place over these data stores?
- Evaluate and control risks in the supply chain.
- Monitor and control devices connected to the corporate network, especially smart devices.
- Create, regularly update and test both recovery and resilience plans, enabling you to manage a signiﬁcant attack.
- Ensure compliance with the data privacy (personally identiﬁable information) regulations for the jurisdictions in which your business operates.
- Understand the parties to which the organisation should report cyber intrusions.
- Consider buying cyber insurance.
- Consider implementing 2-factor authentication to access all devices in your organisation.
- Do not click on emails from unknown senders; always verify the address.
- Use malware-blocking software.
- Always update your system and applications with the latest software updating/security patches.
- Use public wi-ﬁ with caution as it may be more vulnerable than private/office systems.
- Vary passwords between websites or services to prevent a compromised account opening up access to others.
- Use credit monitoring services to deal with suspicious activity.
Source: Cyber and the CFO. Article first published by Acuity.partica.online. (2019). [online] Available at: https://acuity.partica.online/acuity/august-september-2019/insight/the-era-of-the-cyber-resilient-cfo