The best way to prevent a cyberattack is to educate your employees

CFO Community Conversation reveals that hackers exploit the employees in the business.

On 27 October, CFO South Africa hosted another edition of its CFO Community Conversations, bringing back a popular session from the Finance Indaba on cybersecurity.

A number of high-profile corporate security breaches this year have highlighted the fact that it’s not a matter of whether your company will be attacked, but when. And with increasing regulations demanding that companies go to extreme lengths to secure their data, this risk area falls squarely under the CFO’s job description.

Kicking off the conversation, cybersecurity expert Nathan Desfontaines from Cybersec gave a snapshot of the current security landscape and the things CFOs should be concerning themselves with right now.

“The attacks we’ve seen are usually social engineering exercises,” Nathan said. These are manipulation techniques that exploit people to gain private information or access. In cybercrime, these scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. They’re built around how people think and act, once an attacker understands what motivates a user’s actions, they can deceive and manipulate the user. The hackers also try to exploit a user’s lack of knowledge.

But Nathan explained that these hacks are inevitable. “The preventative plan has been to put in robust systems to stop these from happening, but attackers are finding new ways to bypass these systems.”

He said that the best way to prevent cybercrime is to raise awareness around it.

“It’s worth changing the thinking to a resilient culture where you are in the position to detect a cyberattack and to stop the bleeding when it does happen rather than trying to prevent it. Because it’s an unrealistic target with the attack landscape changing constantly.”

The other speaker, Bidvest Insurance FD Alastair Petticrew, agreed with Nathan, saying that you can have the best governance and IT systems in place, but your first and last line of defense is people. “Hackers will look at your business’s weakest point, which is its people.”

To raise awareness in their business, Bidvest Insurance plays phishing games with their employees by sending fake emails and challenging their employees to spot them. “We also have an emergency drill where people have to leave the building and we see who left their computer open. They get a post-it on their computer saying ‘You’ve been hacked’,” Alastair explained.

Bidvest Insurance has also subscribed to Interpol’s alert emails, which sends you messages of the different ways hackers are operating at the moment. “We’ve used these messages to try and educate the staff.”

Attendees then had a chance to pose their cybersecurity questions to Nathan and Alastair, and to share their experiences of cyberattacks.

[More to follow.]