The Business Advisory Blog

The Business Advisory Blog

Insight, news and updates from Alliott NZ Chartered Accountants, Auckland New Zealand. The views expressed here are the views of the author and should be discussed in further detail should an article be relevant to your individual circumstances.

While every effort has been made to provide valuable, useful information in this publication, this firm and any related suppliers or associated companies accept no responsibility or any form of liability from reliance upon or use of its contents. Any suggestions should be considered carefully within your own particular circumstances, as they are intended as general information only.

Vanessa Williams
Published on

Watch out for whalers

One step up from phishing attacks are whaling attempts (aimed at bigger ‘fish’) where a quite convincing-looking and well-timed email is received by the finance team, purporting to be from the CEO who is perhaps overseas, and asking for a significant amount of money to be transferred to a bank account with the bank details in the email.

whaling ship albany wa copyFinance teams should be educated about whaling, and processes implemented so that a phone call is made to the CEO to confirm the instruction, or the CEO uses a pre-arranged ‘safe’ word in the email to authenticate the request.

Organisational checklist

  1. Training for employees is vital to ensure they understand the criticality of data and how it, and they, may be targeted. 
  2. Find, classify and protect your organisation’s sensitive data. 
  3. Deploy software updating/security patches as soon as possible after their release to reduce vulnerability. 
  4. Employ data encryption to protect sensitive data in transit and at rest. 
  5. Use firewalls, anti-malware and intrusion detection to protect your environment. 
  6. Use identity management to control user activity. 
  7. Understand where your organisation’s data is stored and by whom. What level of resilience and recovery plans are in place over these data stores? 
  8. Evaluate and control risks in the supply chain. 
  9. Monitor and control devices connected to the corporate network, especially smart devices. 
  10. Create, regularly update and test both recovery and resilience plans, enabling you to manage a significant attack.
  11. Ensure compliance with the data privacy (personally identifiable information) regulations for the jurisdictions in which your business operates. 
  12. Understand the parties to which the organisation should report cyber intrusions. 
  13. Consider buying cyber insurance.
  14. Consider implementing 2-factor authentication to access all devices in your organisation.

Personal checklist

  • Do not click on emails from unknown senders; always verify the address. 
  • Use malware-blocking software. 
  • Always update your system and applications with the latest software updating/security patches. 
  • Use public wi-fi with caution as it may be more vulnerable than private/office systems. 
  • Vary passwords between websites or services to prevent a compromised account opening up access to others. 
  • Use credit monitoring services to deal with suspicious activity.

Source: Cyber and the CFO. Article first published by (2019). [online] Available at: 

Topics: credit culture cybersecurity data employees Insurance Privacy risk security