Lazio's finance team scores £1.75m own goal


A little-reported but extremely costly mistake by Lazio's finance team illustrates how cyber criminals are targeting junior finance professionals.

Italian football is currently having a real moment in the spotlight – the country’s football heritage was explored in BT Sport’s recent Golazzo documentary, harkening back to the heyday of 90s Italian football.

Then in the last few weeks, Roma proceeded to wreck bookmakers’ days up and down the country with a 3-0 reverse against Barcelona in the Champions League to knock them out. Juventus fell to an extraordinary defeat against Real Madrid, a last-minute penalty seemingly sending Gianluigi Buffon off at the deep end. And Napoli have rallied against the odds all season to ensure that at least one major European league has a title race.

The Italian Job

Less-widely reported was the pickle that Lazio found themselves in. After a successful World Cup in 2014, the Dutch defender Stefan de Vrij was purchased from Feyenoord by Lazio, who decided to pay the fee in instalments to lessen the financial impact. Last month, the club received an email from Feyenoord requesting the final £1.75m payment, which they duly sent over.

Only Feyenoord never received the money; it then turned out that someone, under the guise of the club – and complete with an official email signature – had requested the money, been sent the fee and scarpered.

Lazio may be one of the more high-profile of these cases, but they are certainly not the only organisation that has fallen foul of such schemes. For the vast majority of cyber criminals, regardless of the types of attacks that they undertake, the end goal is monetary.

Picking their targets

It therefore stands to reason that finance teams are going to be targeted by cyber criminals far more than the average employee and, consequently, need to be trained to spot and repel attacks on them. The issue, however, stems from the ways in which these attacks are often carried out – through legitimate, or legitimate-looking, backdoors into an organisation.

Rather than sending something straight to a director of finance or CEO, often targets are selected that are more junior within the finance team. After all, there’s a far better chance of getting a junior team member to send over payment by posing as the CEO sending an urgent payment request, than messaging the CEO themselves. And an unlocked window gets you into the same building as the front door.

Leading from the front

The first step that any organisation should look to start with is to encourage links between those in charge of information security and those in charge of finances. Quite often, any IT or security function can feel siloed – think the physio for a football team, not one of the players themselves but someone that can come to the aid of other team members.

This is a mindset that needs to change. And that, as with any shift in perception and structure within a business, needs to start at the top. Arguably, the CFO or financial director should be as big an advocate for a proactive and savvy cybersecurity culture as those that work within the IT or security teams.

From strategy decisions through to the technology being purchased, the CFO should look to involve themselves. Rather than trying to lead security experts in their specialist area, this involvement should take the form of guidance and suggestions about what would work well, as well as a willingness to learn best practice and how security can be understood and embedded within their teams.

A two-pronged approach

The targeting of finance team members through phishing means that a dual approach to security needs to be implemented – led by those at the top of both security and finance, and equally split between training and the right technology being used, much the same way as a Juventus or Roma would prepare their players.

Training needs to be more than just PowerPoints – it should be interactive, incentivised and, most importantly, made applicable to the day-to-day lives of the finance team. Show them just how easily an issue could arise.

As for technology, increasingly organisations are turning towards user and entity behaviour analytics (UEBA), a technology that captures data from both users and logins, building up a profile of usual behaviour. This is especially important for any insider threats or attacks from within the network that may take place, such as an attacker getting hold of an employee’s login details.

If Lazio had this in place, the details of communications would have been recorded, allowing them to understand who sent the money and when, giving them a paper trail of the communications. They wouldn’t have the ability to stop the transfer at the time, but it would give them crucial records of the request coming in and being dealt with.
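To make the UEBA idea above concrete, here is a small added example (not code from the author or from ZoneFox) that builds a profile of a finance user's usual login behaviour from constructed historical events and flags new logins that depart from it on more than one dimension, as a stolen credential used from an unfamiliar place and time would. All user names, countries, device names and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed historical logins for one finance user; not real data.
BASELINE_EVENTS = [
    {"user": "finance.clerk", "ts": "2018-03-05T08:55:00", "country": "IT", "device": "laptop-01"},
    {"user": "finance.clerk", "ts": "2018-03-06T09:05:00", "country": "IT", "device": "laptop-01"},
    {"user": "finance.clerk", "ts": "2018-03-07T13:20:00", "country": "IT", "device": "laptop-01"},
    {"user": "finance.clerk", "ts": "2018-03-08T17:45:00", "country": "IT", "device": "laptop-01"},
]

# Constructed logins to be scored: one routine, one a lookalike of a
# credential-theft scenario, one with a single minor change (new phone).
NEW_EVENTS = [
    {"user": "finance.clerk", "ts": "2018-04-16T09:10:00", "country": "IT", "device": "laptop-01"},
    {"user": "finance.clerk", "ts": "2018-04-17T02:40:00", "country": "XX", "device": "unknown-pc"},
    {"user": "finance.clerk", "ts": "2018-04-18T12:00:00", "country": "IT", "device": "phone-02"},
]


def build_profile(events, hour_slack=1):
    """Summarise 'usual behaviour': seen countries and devices, plus the
    working-hours window widened by hour_slack on each side."""
    hours = [datetime.fromisoformat(e["ts"]).hour for e in events]
    return {
        "countries": {e["country"] for e in events},
        "devices": {e["device"] for e in events},
        "hour_window": (min(hours) - hour_slack, max(hours) + hour_slack),
    }


def score_event(profile, event):
    """Return the list of ways this login deviates from the profile."""
    reasons = []
    hour = datetime.fromisoformat(event["ts"]).hour
    lo, hi = profile["hour_window"]
    if event["country"] not in profile["countries"]:
        reasons.append("new country")
    if event["device"] not in profile["devices"]:
        reasons.append("new device")
    if not lo <= hour <= hi:
        reasons.append("outside usual hours")
    return reasons


def flag_anomalies(profile, events, threshold=2):
    """Keep only logins with at least `threshold` deviations, so a single
    new device does not page anyone but a new device from a new country at
    night does. Each hit keeps its timestamp as the start of a paper trail."""
    hits = []
    for e in events:
        reasons = score_event(profile, e)
        if len(reasons) >= threshold:
            hits.append({"ts": e["ts"], "user": e["user"], "reasons": reasons})
    return hits
```

Raising or lowering `threshold` trades alert volume against sensitivity; the per-login reasons are what an analyst would use to reconstruct who acted, from where, and when.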

A culture of coldness

As a final point, applicable to finance in general, there needs to be an overarching shift in how the aftermath of security and data incidents is handled. Like a tactical mistake leading to a winning goal for the opposition, rather than learnings being applied, blame is often the first port of call – it was this player’s mistake, or the manager’s substitution that lost us the game.

If an incident occurs – which it is likely to – then a culture of learning and understanding needs to be in place. If people are scared of the repercussions and public lambasting they are to receive if they have fallen foul to a phishing scam or similar incident, then the conversation and learnings both in and between companies will never move forward.

A collective is as strong as the leadership that drives it – that’s the same for an accountancy firm, financial team within an international business or a professional football club. When it comes to security, those in charge need to lead from the front, bringing in relatable training, intelligent technology to monitor their networks and a culture of sharing and learning that will ensure issues result in lessons. When combined, that is what gives any organisation a top-of-the-league cyber security approach.

About Jamie Graves

I’m a data security and enterprise software entrepreneur, and currently the CEO at ZoneFox.

Replies

23rd Apr 2018 12:39

At least they only lost £1.75.

Imagine it was that much in millions. Then you'd have a problem.

Thanks (2)
to KevinMcC
24th Apr 2018 08:40

Haha, yeeeeeah - apologies for that. I'm blaming Monday.

Error fixed!

Thanks (0)
By papafur
27th Apr 2018 11:15

Basic scam.

A payment should never be made based upon an e-mail instruction, even if that instruction comes from someone internally, unless the bank account to which it is being sent is independently verified, i.e. a phone call.

Thanks (0)
to papafur
27th Apr 2018 14:25

papafur wrote:

Basic scam.

A payment should never be made based upon an e-mail instruction, even if that instruction comes from someone internally, unless the bank account to which it is being sent is independently verified, i.e. a phone call.
That isn't foolproof. A friend of mine works in the IT department of a business which nearly lost £6m to a scam. The fraudsters had hacked into the VOIP system and when they pressed the button to run the sequence of events that would have culminated in the fraud itself the bank's verification phone call was diverted to one of the fraudster team who impersonated the FD and approved the transfer. I'm not at liberty to say what security measure scuppered the fraud but my point is that for sensitive communications a VOIP phone system is yet another back door. If telephone calls are part of a security system they need to use the PSTN (public switched telephone network), not VOIP (voice over internet protocol). Sorry if I am preaching to the converted.
Thanks (4)
05th May 2018 05:15

It is a really great topic.

Thanks (0)