Helping CFOs navigate a cyber-connected world

Nedbank CIB execs unpack cyber-attacks and give tips on what safety measures should be in place.

Since the start of the digital revolution, cybersecurity has become critical for organisations to reduce the risk of cyber-attacks. Cybersecurity encompasses everything that relates to protecting our data, and CFOs need to understand the different layers to navigate a cyber-connected world.

Why cyber security is so important
Ian Carter, divisional executive of corporate investment bank transaction services at Nedbank Corporate and Investment Banking (CIB), said during a Finance Indaba Network webinar that the latest report from the South African Banking Risk Information Centre (SABRIC) showed an increase in finance-related crime.

“The number of incidents increased by 20 percent on a year-on-year basis with a 45 percent increase in mobile incidents. There is a reduction in web-based crime, which demonstrates a shift to the digital era and to mobile capability and information. It is reported that at least 45 percent of financial institutions have experienced some form of economic crime with a figure of 39 percent across all industries,” he said.

Ian commented that cyber-crime is prevalent and one of those key components that cannot be ignored. “Covid-19 resulted in exponential growth to digital behaviour and overall organisations are looking at improving operational efficiencies through digitising their capabilities. There are ongoing efforts by banks and organisations to digitise their capabilities. The increase in the growth in ecommerce is not only locally but globally and requires digital capabilities. The underlying component is the storage of data to enable the critical client experience. Data needs to be stored and that information is critical as it enables financial flows.”

He explained that the risks and rewards of cyber-crime differ from other crimes and a fraudster can commit his crime anonymously from any place in the world. “Whilst there are lots of capabilities and opportunities for artificial intelligence, these capabilities are also available to cyber criminals,” he said.

Ian added that technology is a critical component in combating cybercrime, not only to protect your environment, but your financial processes. He mentioned that technology and product capabilities are key, but policies and structures should be implemented, and someone should take accountability for it.

“Sadly, it is the people in organisations that are the soft targets and organisations should look at access in and out of buildings, access to systems and data, etc.”

The security layers
Vickus Meyer, executive of group technology risk, security, and shared services at Nedbank, suggested during the webinar that organisations should break security layers down to three main areas. First, policy and strategy, second, technology and solutions, and third, user behaviour.

“When these structures are in place, people can monitor and manage it for you, and you will be able to report back to the board in terms of what is being implemented and how well it is working.”
He believes that organisations should start with risk management and recognise the threats that are specific to their company. “That really helps to make sure that you are spending money in the right places in terms of the processes and technologies. When you have the right policies in place, you can design your processes and decide on the technologies that you would like to use,” he said.

Vickus added that with the implementation of processes and procedures, the management and monitoring of the solutions and the controls are even more important. “From a bank perspective, we have dedicated teams that look after monitoring, and we have taken down more than 600 phishing websites in 2021. Our goal is to try to take these websites down in less than 10 minutes to protect our clients.”

According to Vickus, there are so many technologies available, and organisations should first ascertain what they want to protect and then decide on the best mechanisms. “One can implement various processes and technologies, but you need to ensure that it is properly patched, to protect you against known vulnerabilities. The next important point is the traditional antivirus or endpoint detection. I think with many people that are working remotely, you still need to apply those basic security principles. The network access should be secured, and virtual private networks should be used.”

Vickus remarked that with user behaviour, training and awareness are key to determine what a social engineering attack is and how to prevent it.

An easy target?
Ian touched on procurement policies and how they are targeted by fraudsters. “To avoid invoice interception and fraud around those capabilities, there should be an agreement upfront in terms of what your procurement policies are. It’s not difficult to get information about any organisation. We have seen a scenario where it is as simple as understanding who the people are who authorise payments and who they're paying.

“Multifactor capabilities are there to make sure that the right people are accessing the banking capabilities at the right time. The delegation of authority and segregation and segregation of duties are critical in your financial processes. We’ve seen scenarios where passwords and multifactor devices are shared amongst parties, but they are put in place to ensure secure financial processes.”

He said that organisations should look at solutions such as account verification services that enable parties to validate who they pay.

Beware of the dangers of social engineering
Vickus mentioned that social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

He said that fraudsters use the following forms of engineering to obtain user information and credentials:

  • Phishing is a technique of fraudulently obtaining private information. The phisher sends an email that appears to come from a legitimate business requesting “verification” of information and warning of some dire consequence if it is not provided. The email typically contains a link to a fraudulent web page that seems legitimate.
  • Vishing is the criminal practice of using social engineering over a telephone system to gain access to private personal and financial information of the public, for the purpose of financial reward.
  • Smishing is the act of using SMS text messaging to lure victims into a specific course of action. It can be clicking on a malicious link or divulging information.
  • Baiting is based on the premise of someone taking a bait. Something desirable is dangled in front of a victim hoping they’ll bite. This occurs most often on peer-to-peer-sites like social media where one is encouraged to download a video or music that’s infected with malware.

Watch the full webinar here.