“If traditional information security is about building a broad defence against attack, cybersecurity is really an attacker-centric approach. It's the knowledge of your attacker that drives your cyberinitiatives,” said Sean Howell (pictured), MD of Redshift Cyber Security, during this morning’s CFO masterclass on The Art of Breaking In, presented as part of the CFO Summit 2017. Howell, a professional hacker, provided welcome, albeit unsettling, insight and encouraged CFOs to start thinking like attackers in order to best protect themselves and their organisations. All businesses are at risk because all businesses possess information that it vital to their operations and thus vulnerable to exploitation from hackers, he added.
"You have to think about what is valuable in your business, whether it is intellectual property or financial information."
Cybersecurity is a global threat to any person and every organisation with a digital footprint, to the point that the World Economic Forum (WEF) puts it high on the list of global risks every year. Last year, an IBM report stated that spam emails loaded with ransomware (malware that scrambles data and demands a ransom to decode it) had increased 6,000% in 2016, compared to the previous year, and that the scam was on track to becoming a billion-dollar industry.
- Also from this CFO Summit: Dealmaking is about people - McDonald's SA CFO Zafar Mahomed
- CFOs + Cloud & Volatility = Value. Join CFO Summit 2 in Cape Town on 22 February (click to find out which top CFOs will be speaking!)
There seems to be no end to security breaches of large corporations, which have had massive implications for not only their profitability and reputation, but society as well. This is why it is important for top executives, CFOs in particular, to have a sense of urgency in approaching matters of cyber security.
Trusted path
Although many companies have security systems in place, they have more vulnerability than they know, and this is how hackers thrive. Howell called it the trusted path, saying that it is what attackers perceive as the easiest way to break in. "They are quite lazy so they won't go to where the most security controls are," he said. They will infiltrate systems by getting low-level employees' access credentials to break in. That way, when they perpetrate hacks, it seems as if it is someone in the company that is doing it. It could be done by getting the payroll administrator, for example. Firewalls are not walls at all. Attackers don't look at a firewall and think, let's smash it down."
Getting logins can be particularly easy, especially because there is always someone in the organisation who uses a basic password, like 'Password1', for example. And to find that person, hackers simply try that password for each employee, using LinkedIn to get their full name and surname to use as a username.
Howell did a demonstration showing CFOs how easily a phishing attack worked, creating a clone website of the CFO.co.za website, which took all of five minutes. During the demonstration, he also showed how easy it was to create macro spreadsheets which, once clicked one, gave a hacker complete control of a particular machine. "Information on how to do this is freely available on the internet. There are YouTube videos on how to do this," he said.
Role of CFOs
During the panel discussion, Graham Blain, Head of IT Governance Risk and Compliance at Standard Bank Group, said one of the most important roles of the CFO in the context of cybersecurity was to elevate the discussion at boardroom level.
He said the fact that these issues don't get enough attention at executive level was exacerbated by the secrecy. Unlike in the US, where companies are mandated to disclose such security breaches, cybersecurity breaches in South Africa are not talked about, which gives attackers more power because it means they can use the same attack on many different companies who made have been able to prevent an attack by learning from the experience of their peers.
"In the past, I was very mindful of being accused of dispensing fear, uncertainty and doubt, and sensationalising this issue. But, having moved into the organisation I'm in and the role I'm currently in, I'm confident that the situation is far worse that what was portrayed here. There is a lot of skulduggery going on," said Blain.
Major breaches
Blain spoke about the hacking of the power utility in Western Ukraine, which resulted in several days of dropped power. After shutting down the power, the hackers flooded the call centre so that there was no way anyone could find out what was going on. It caused untold mayhem from a socio-political perspective because there was no news coming out of this organisation, as nobody could get hold of them to find out what the situation was.
In the corporate world, similarly, from a data loss perspective, 2016 saw the world record for data breach broken twice by the same organization, Yahoo. According to CNNMoney, the breach saw Yahoo's purchase price drop by $350 million when it was bought by Verizon.
"The Target breach in the US is another great example. The final analysis suggested that it cost them hundreds of millions to remediate the situation when they lost credit card data. Access was through a third party: their air-conditioning servicing company's account on their network was used to breach the entire system. The company's entire board was replaced and most of the executive as well. It was an organisational catastrophe."
When Sony was breached a couple of years ago, the company suffered massive reputational damage owing to the disclosure of its payroll data, among other things, which showed disparities in pay that inferred significant gender and racial discrimination.
Closing the session, Graham said: "As the finance community you need to lean in. This isn't somebody else's problem. You are executives in your organisation and you are part of the solution to this challenge, and it's an onerous task. Look after your own stuff as well because finance is a significant trusted path into organisations and, as a CFO, you will be a target, like it or not."
