In the last two years, there’s been a clear increase in the number of cyberattacks, according to the Norwegian Computer and Data Breach Survey 2018. And the threats are varied. Malware and viruses remain a top concern, but there’s a rising number of distributed denial of service (DDoS) attacks which aim to shut down or disrupt systems. And there’s been a significant increase in attacks which exploit humans through social engineering and phishing.
This isn’t just something that IT departments should be worried about—it’s also bad news for treasuries and finance departments. As you handle payments and sensitive data on a daily basis, your employees and processes are prime targets for attacks. And a successful breach could do lasting damage to your business.
Why threats are on the rise
More Nordic companies are moving their processes to the cloud. But many still maintain parts of their legacy infrastructure, resulting in complex IT estates. That can make protection harder and open up vulnerabilities—especially when your organisation or department is under pressure to transition fast.
“Digitalisation is happening so fast,” says Jack Fischer Eriksen, CEO of the Norwegian Business and Industry Security Council (NSR). “In the Nordics, we’re often the first in the world to try new technologies. While that’s something to be proud of, it can also leave companies vulnerable and make them targets for cyber criminals.”
The pool of threat actors is also expanding. Threats aren’t just coming from organised crime or sophisticated hackers—these days anyone can launch an attack. You don’t need advanced IT skills or knowledge, as premade tools like malware and botnets are readily available for purchase on the dark web, complete with instructions.
“I’ve seen DDoS attacks where cyber criminals are simply testing their own abilities,” says Hasse Kristiansen, Head of Cyber Security, KPMG. “They might buy a botnet on the dark web for $10 and test it against a random company’s authentication system. If the right defences aren’t in place, they could take down a system for hours.”
Another driving force is the changing payment landscape. The Single Euro Payments Area (SEPA) Instant Credit Transfer scheme recently came into force, moving Europe closer to ubiquitous real-time payments. But as payment cycles speed up, it can be harder to intercept attacks before your money has left the company—or even before it’s left the country.
Social engineering and phishing
Social engineering and phishing attacks showed the most significant growth in 2018—rising ten percentage points in the last two years. Phishing is when employees are contacted by email by someone posing as a legitimate sender. The attacker often manipulates the target into clicking on a link that delivers viruses or malware, or creates an identical-looking webpage to trick them into giving away confidential information like passwords. But deception can also happen through other channels—vishing is done through voice or phone calls, and smishing takes place through SMS.
Social engineering is powerful because it exploits human weaknesses. It doesn’t require advanced technology, and it’s used by organised crime and amateurs alike because it’s so effective. These attacks aren’t just used for short-term gain—they can also be used for long-term extortion schemes.
“Phishing can be used to plant malware and then hold the company to ransom, steal insider information and sell it to competitors, or even to blackmail victims,” says Arne Røed Simonsen, Senior Advisor at NSR and Editor of the Norwegian Computer and Data Breach Survey 2018. “And it can be done across borders, from anywhere—it’s a global problem.”
The rise of CEO or BEC fraud
In particular, CEO fraud or Business Email Compromise (BEC) is a rising concern for treasuries and finance departments. These attacks begin with careful, extensive research. When the criminal is ready to launch an attack, they send an email impersonating a CEO, CFO or someone in a position of authority. This can be done through hacked or spoofed email accounts. The email might instruct an employee to disclose sensitive company information or perform a payment transfer to a fraudulent account. And it’s amazing how often it works.
“Email attacks are becoming much more sophisticated and difficult to detect. They’re no longer just amateur pieces thrown together with Google Translate—often they’re using the language flawlessly,” says Simonsen. “The attackers don’t just learn who the CEO is—they obtain intimate knowledge of the company’s team members, internal routines and procedures.”
Cyber criminals also know that the best time to impersonate a CEO or CFO is when they’re overseas, at a conference or otherwise engaged—and they can often find this out through social media. “We’re telling the world about ourselves. Your social media followers might see that you’re travelling, which plane you’re on, even which hotel you’re staying at. And we do see a correlation—attacks on treasuries often happen when the CEO or CFO is abroad,” says Eriksen. “When it comes to travel security we can be quite naïve.”
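The BEC pattern described above (an executive's name on an outside mailbox, replies steered elsewhere, and pressure to pay while the boss is abroad) can be turned into a simple mailbox check. This is an added example, not code from the article or from Nordea; the company domain, the executive list and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions for this example: the company's own mail domain and
# the executives whose names are most likely to be impersonated.
COMPANY_DOMAIN = "example-treasury.test"
EXECUTIVES = {"anna lind": "anna.lind@example-treasury.test"}
PAYMENT_WORDS = ("transfer", "payment", "invoice", "urgent", "confidential")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one raw email message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    indicators = []
    # 1. An executive's display name paired with an address outside the company
    if display_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        indicators.append(f"display name '{display_name}' with external address {from_addr}")
    # 2. Reply-To steering the conversation to a different mailbox than the sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        indicators.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 3. Payment and urgency wording in the body (two or more distinct words)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [w for w in PAYMENT_WORDS if w in text]
    if len(hits) >= 2:
        indicators.append("payment/urgency wording: " + ", ".join(hits))
    return indicators


# Constructed sample message modelled on the CEO-abroad scenario in the text
SAMPLE = """From: Anna Lind <anna.lind@gmail-mail.test>
Reply-To: ceo.private@gmail-mail.test
To: treasury@example-treasury.test
Subject: Urgent transfer

I'm at a conference abroad and can't call. Please make an urgent payment
of the attached invoice today; keep this confidential.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE):
        print("WARNING:", finding)
```

Such a check is a tripwire for the treasury mailbox, not a replacement for out-of-band confirmation of any payment instruction.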
Advanced technology can be used to make these attacks even more effective. Detailed reconnaissance can be done through Remote Access Control (RAC), where the attacker takes over the video or microphone of employees’ laptops and listens to their conversations, or spies on their on-screen activities.
Arm yourself with knowledge
Cyber criminals are getting smarter—they’re working around the clock to develop new methods and hone their traditional techniques. Many Nordic companies are struggling to keep up as the threat landscape evolves. So what’s the best way to defend your finance department as you prepare for the year ahead?
Improving cyber awareness is a crucial first step. You should make sure everyone in the treasury is aware of the risks and warning signs, especially when it comes to social engineering and phishing attacks. Employees shouldn’t be afraid to question an email, SMS or phone call—even if it purportedly comes from a person of much higher authority.
You should also instil a culture of openness rather than blame. When an attack happens, you don’t want employees to stay quiet because they’re embarrassed or afraid of reprimand. They should feel confident about raising the alarm. The faster the incident is reported to the IT department and your bank, the easier it is to mitigate and reduce the extent of the damage.
Knowledge is power—that’s why Nordea is a Gold sponsor of this year’s Norwegian Computer and Data Breach Survey 2018. Read the report for more detailed findings, or stay tuned to TxB Insights for actionable recommendations about how to improve your cybersecurity.