Information Security: The CFO as a Speared Whale
As CEO of information security service provider Integralis, Simon Church makes it his business to know what’s going on in the never-ending fight against cybercrime.
“We’ve seen quite a few cases of what we call ‘whale phishing,’ which is a very targeted attack on an executive,” he reports. “Typically the phisher will launch a targeted attack to gain access, say, to the organisation’s treasury accounts.”
Church spoke to CFO Innovation’s Pearl Liu about the latest onslaughts against finance and other parts of the business, and what companies can do to protect themselves. Excerpts:
Finance is a very sensitive function in any company. Is there any particular information security threat that CFOs and others in finance need to be alert to these days?
We’ve seen quite a few cases of what we call ‘whale phishing,’ which is a very targeted attack on an executive. Typically the phisher will launch a targeted attack to gain access, say, to the organisation’s treasury accounts.
There have been very sophisticated attacks targeted to the likes and dislikes of a particular individual, or where malware was inserted into particular transactions, enabling the whale phisher to understand passwords to treasury accounts. We’ve seen cases where significant sums of money have been lost.
So how can executives protect themselves?
It’s making sure that not just your staff, but also your executives, are appropriately educated and appropriately protected. What you find is that the push, let’s call it, for the iPad and iPhone [to be provisioned in the office] was very much led by the executives, because they were the latest cool thing. It was just given to the IT department to “get me on this network,” and perhaps it wasn’t as secure as it could have been.
So you can go to any international hotel . . . in fact I saw this one particular gentleman this morning on his iPad reading the Financial Times while doing his corporate email as well. Was that email he was doing encrypted on that device? There are appropriate policies, procedures, tools that we can use [to encrypt such emails].
A lot of what we do is around what we call the four Cs – compliance, crime or cybercrime, consumerisation, and the cloud. A lot of people are looking at cloud at the moment. There’s risk associated with going to the cloud. You have to understand the benefits of keeping the data on premise and keeping the data off premise.
In terms of keeping the bad guys out – and that could be just malicious activity or it could be action for financial gain – you have to make sure you’ve got appropriate systems, tools, policies and procedures in place to mitigate that risk, both from attacks but also data loss.
Also, you have to ensure that you are compliant from a policy and procedure point of view, compliant in terms of regulatory compliance, compliant in terms of best practice.
It seems mergers and acquisitions are accelerating in Asia and elsewhere. Is there an information technology and security dimension to M&A that CFOs and their companies need to know?
I once was told by a wise corporate executive, who is very experienced in M&A, that the best thing to do with M&A is not to do M&A. You are inherently bringing risk into your organisation. Often, acquiring a company in a different vertical or a different country will have different risks because you have different cultural imperatives.
What we’ve seen is that companies may not fully understand the nuances [around IT and security] compliance issues in each country. We see this especially in the Asian market.
For example, in Japan, if there is a breach [in information security], you have to tell the regulators within 24 hours. Now that’s not common across all the Asian markets.
In Australia, if somebody makes changes remotely, especially a systems change, you again have to tell the regulator. With large MNCs, often the systems change is done outside the country, remotely.
In Indonesia, you have to have data centres, not just the data, but the data centres, installed actually in the country.
Does the information security issue have a significant impact on the M&A process? Will it drive up the cost, for example?
I have definitely seen instances where organisations decided not to acquire a company because of the messy IT system. The acquisition of a large multinational corporation failed recently because [the due diligence] study of their IT systems and processes found they were so significantly out of compliance. The acquiring organisation decided not to acquire that company.
In M&A, the acquiring company is looking at all factors of the organisation. They are looking at how efficient the organisation is, what that organisation actually brings to them in terms of market scope and market size. Information security is definitely a deciding factor because it is directly related to the risk and the cost.
So those organisations looking to be acquired should make sure their IT infrastructure is tidy, their security policies are compliant and their employees are educated properly [on information security]. They may need remediation, where [organisations like Integralis] help with a walk-through with the organisation.
Will remediation involve a lot of time and effort? How much will it cost?
The cost of the remediation really depends on how poorly or how well you run the IT organisation. It depends on the size of the deal, and it depends on the scale of the organisation. I could not give an exact number.
It also depends on how badly the organisation wants to be acquired. If you check the press and see how many M&A activities failed because of the IT system, you can understand how important remediation is in the M&A process.
What about day-to-day work? What should the finance function pay attention to in terms of information security?
I think one [situation] that we are seeing a lot recently is the too relaxed attitude to certain work practice, especially around BYOD [Bring Your Own Device].
Employees, especially the new workforce, really see BYOD as the right to use their own tools and personal devices in the organisation. I saw a survey that shows that 80% of first-generation BYOD workers felt that they have the right to use those tools.
But 50% of them say they do recognise data loss and exposure are issues, which is good.
The more alarming [trend] is BYOA, Build Your Own Applications, using the employer’s data. The study found that 77% of respondents in Hong Kong felt that they were capable and willing to build their own applications. That in itself is a huge threat, specifically on data loss in financial services, in the pharmaceutical industry, in petrochemicals.
The use of business applications on mobile devices is going to cause more and more headaches. Companies do need to properly secure the devices.
Should companies consider moving away from BYOD, then? It seems the iPad and iPhone just bring more problems to the workplace.
I wouldn’t say that. They can and do bring massive productivity advantages. It’s all about appropriate use. If you are not using the device appropriately, if you leave your iPad in a taxi or on the seat of a train and that device is open, then that’s inappropriate use.
But that’s in the same way as leaving a laptop that is full of corporate data, or handwritten notes [about the business]. If I leave [those notes] on the seat of a taxi cab, that is as much of a risk to an organisation as an IT device. This is the thing I find interesting. People think that this is a new problem, but actually it is just a different form of the same problem.
And what we’re seeing in a lot of recruitment scenarios is that [BYOD] is actually seen as a benefit. The next generation workforce interacts very differently from, say, my generation. They interact through social media. Often social media is the best way for them to interact with other employees in other organisations, [as they do] with friends and family.
There is a blurring between work and social life. You have to make sure that you make the workplace attractive, that you enable your employees to work efficiently and effectively in the way they want to work, but ensure that you mitigate risk at the same time.
One of the CFO’s tasks, as you say, is to mitigate the risk. At the same time, he or she also needs to manage expenses. How can CFOs balance information security and cost?
How long is a piece of string? It’s risk-reward; it’s cost-benefit. I have a certain amount of money and a certain amount of operating cost based on the particular business I’m in and the current efficiency, education, knowledge, legacy and current IT systems within my organisation. I would deploy a percentage of that operating expense to information security.
Some organisations would deploy a lot more to information security than other organisations. It probably changes with verticals as well. Financial services and pharmaceuticals will probably spend a lot more on information security than other organisations. Manufacturing organisations may deploy a certain amount specifically to mitigate against the threat of loss of intellectual property.
If it’s a multinational organisation, it’s got a significant multinational brand and they will probably be spending more on information security than a local company that’s based in one particular region.
You need to step back, if you’re a CFO, to understand the business you’re in, to understand the business that you have, to understand all of the outlying risks to an organisation and mitigate as much of those risks as possible. Some CFOs may feel that compliance is more important than the balance sheet. Some CFOs would probably think that the balance sheet is the thing that they need to get done. Every day you have to make those decisions.
Information security is expensive, though, right?
Well, it does cost a lot. All services cost a lot and it depends on what your perspective is [about] the value of a particular service. There are many cases out there where organisations suffered massive loss to their brand and their business because of a security breach.
To a certain extent, you should regard information security in exactly the same way as you would insurance on your own building.
The actual fact is the risk is even higher because you could always go and get another building, but if your brand is significantly tarnished by an information security issue or by significant [failures in regulatory] compliance, the whole company can collapse. We’ve seen this happen in many well publicised cases in the last few years.