From strategy decisions through to the technology being purchased, the CFO should look to involve themselves. Rather than trying to lead security experts in their specialist area, this involvement should take the form of guidance and suggestions about what would work well, as well as a willingness to learn best practice and how security can be understood and embedded within their teams.
A two-pronged approach
The targeting of finance team members through phishing means that a dual approach to security needs to be implemented – led by those at the top of both security and finance, and equally split between training and the right technology being used, much the same way as a Juventus or Roma would prepare their players.
Training needs to be more than just PowerPoints – it should be interactive, incentivised and, most importantly, made applicable to the day-to-day lives of the finance team. Show them just how easily an issue could arise.
As for technology, organisations are increasingly turning towards user and entity behaviour analytics (UEBA), a technology that captures data from both users and logins and builds up a profile of usual behaviour, so that activity which departs from that profile can be flagged. This is especially important for insider threats or attacks from within the network, such as an attacker getting hold of an employee’s login details.
If Lazio had this in place, the details of communications would have been recorded, allowing them to understand who sent the money and when, giving them a paper trail of the communications. They wouldn’t have the ability to stop the transfer at the time, but it would give them crucial records of the request coming in and being dealt with.
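To make the UEBA idea above concrete, here is an added illustration (not code from the article or from any UEBA product) of the core step: building a per-user profile of usual login behaviour and scoring new logins against it. The login events, user names and field layout are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events: (user, hour_of_day, source_country, device_id).
# Invented for illustration; a real UEBA deployment would feed this from auth logs.
BASELINE_EVENTS = [
    ("finance.clerk", 8, "IT", "laptop-01"),
    ("finance.clerk", 9, "IT", "laptop-01"),
    ("finance.clerk", 17, "IT", "laptop-01"),
    ("finance.clerk", 10, "IT", "laptop-01"),
    ("cfo", 7, "IT", "phone-07"),
    ("cfo", 19, "IT", "laptop-02"),
    ("cfo", 12, "IT", "laptop-02"),
]


def build_profiles(events):
    """One behaviour profile per user: hours, countries and devices seen so far."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set(), "devices": set()})
    for user, hour, country, device in events:
        profile = profiles[user]
        profile["hours"].add(hour)
        profile["countries"].add(country)
        profile["devices"].add(device)
    return profiles


def score_event(profiles, event):
    """Return the list of ways an event departs from the user's baseline ([] = normal)."""
    user, hour, country, device = event
    if user not in profiles:
        return ["unknown user"]
    profile = profiles[user]
    reasons = []
    lo, hi = min(profile["hours"]), max(profile["hours"])
    # One hour of slack either side of the observed working window.
    if not (lo - 1 <= hour <= hi + 1):
        reasons.append(f"hour {hour} outside usual window {lo}-{hi}")
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    if device not in profile["devices"]:
        reasons.append(f"new device {device}")
    return reasons


def flag_anomalies(profiles, events, min_reasons=1):
    """Keep only events with at least min_reasons deviations, paired with the reasons."""
    flagged = []
    for event in events:
        reasons = score_event(profiles, event)
        if len(reasons) >= min_reasons:
            flagged.append((event, reasons))
    return flagged
```

Raising `min_reasons` trades missed detections for fewer alerts; a finance-team login from a new country on a new device at 3am scores three deviations and would be flagged at any threshold.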
A culture of coldness
As a final point, applicable to finance in general, there needs to be an overarching shift in how the aftermath of security and data incidents is handled. Like a tactical mistake leading to a winning goal for the opposition, blame is often the first port of call rather than lessons being applied – it was this player’s mistake, or the manager’s substitution that lost us the game.
If an incident occurs – which it is likely to – then a culture of learning and understanding needs to be in place. If people are scared of the repercussions and public lambasting they will receive if they have fallen foul of a phishing scam or similar incident, then the conversation and learning both within and between companies will never move forward.
A collective is as strong as the leadership that drives it – that’s the same for an accountancy firm, financial team within an international business or a professional football club. When it comes to security, those in charge need to lead from the front, bringing in relatable training, intelligent technology to monitor their networks and a culture of sharing and learning that will ensure issues result in lessons. When combined, that is what gives any organisation a top-of-the-league cyber security approach.