AP_COM_CB_1

This article was first published in the November/December 2017 China edition of Accounting and Business magazine.

It is rare for finance professionals to admit in public that their company had been hacked – and then to quantify the losses. That is why it was refreshing for a finance leader of a logistics company to reveal, at the 8th CFO Innovation Hong Kong Forum, that their organisation had fallen victim to a ransomware attack. The group-wide losses: the equivalent of US$300m.

One day in June, this finance leader recounted, some employees found themselves unable to access their data. A message appeared on their computer screens demanding payment of 300 Bitcoins. ‘We did not pay,’ said this finance leader. Instead, everyone was ordered to turn off their computers. The finance team and others devised manual workarounds for orders, payments and other transactions until the systems returned to normal after two weeks.

Lessons were learned. The updating and patching of Microsoft software is now centralised. Links with third-party security and IT consultants have intensified. Another panellist, a CTO, cited the importance of back-ups. One company this CTO worked with did not regularly back up, so when it was hacked, the system had to be restored with data that was six months old.

Basic infrastructure matters. But as I moderate discussions and interview cybersecurity experts across Asia, one factor always comes up: the human element. In many cases, hackers got into company systems because employees did not upgrade operating systems to patch security flaws or clicked on malicious links in phishing emails. In business email compromise scams, the hackers’ primary targets are the CFO and others in finance, and they succeed when people are unaware of the risks.

What can be done? Formal and informal training sessions across the organisation should be held regularly. People should know that everyone is responsible for cybersecurity, not just the IT and security team. It takes just one unsuspecting person to click on a link in an email or a website for malware to dart into company systems.

Bill Sims, head of investigations and business intelligence at Stroz Friedberg, suggests that the company’s IT team should send phishing email to everyone and see who actually opens it and clicks on the malicious link. Then those employees can be prioritised for training. As for email compromise attempts, the solution is simple, says Sims: ‘Call up the person directing you to transfer funds to confirm they sent the email.’ He also suggests hiring a third party to hack into the systems to spot weaknesses.

Above all, the frontline IT and security teams must never be complacent. One CIO in Singapore once told me: ‘Every morning when I come to work, I assume we have been hacked.’ That thought kept her alert for signs of attempted breaches and actual malware within the systems all day.

Finance plays a key role in all this, and it is not to throw money at the problem. It is to allocate resources for technology and tools, but also to insist that money be spent as well on cybersecurity training for everyone.

Cesar Bacani is editor-in-chief of CFO Innovation