It is crucial to provide Security Awareness Training for your finance team to help them understand the risks associated with financial data and transactions and prevent potential security breaches.
In December 2021, a hacker pretending to be the CEO of a French metallurgy company made a phone call to the company accountant and managed to trick the accountant into sending an “urgent and confidential transfer” of EUR 300,000 (£264,000) to a fraudster’s bank account. The gang behind this Business Email Compromise (BEC) scam stole around $40 million (£33 million) before being caught by Europol. These types of scams are an increasing concern for the financial department of an organisation and pose a huge risk to information security.
The finance team in an organisation has always attracted cybercriminals because it holds the company's purse strings, and cybercriminals follow the money. As such, anyone on the finance team must be treated as a potential target for scammers and fraudsters. Ransomware attacks, BEC/CEO scams, and cyber threats that harvest login credentials are all part of the increased risk faced by a finance department and its team members.
Security Awareness Training for finance teams is essential in tackling human-centric scams like BEC fraud. Here are MetaCompliance’s best practices to ensure your finance team is aware of the risks of their roles.
Five Best Practices to Deliver Security Awareness Training for your Finance Team
The finance team are like sitting ducks unless your security awareness focuses on the specific risks they face. Here are our five best practices to ensure your security training is effective:
Focus On High-Risk Threats to The Finance Department
The finance team is exposed to specific risks because its members can transfer money or hold privileged login credentials with access to financial information. This level of power held by the finance team means that certain threats are more likely to target this department than others. A Security Awareness Training program is therefore most effective when it is tailored to specific roles in an organisation, and a finance team member is one such role.
Role-based Security Awareness Training tackles specific types of threats made against certain employee roles. Create a role-based Security Awareness Training program that builds on foundational security awareness by focusing on the types of risks and threats that a finance team member or department is likely to experience; these include the following:
- Business Email Compromise (BEC): educate employees about how this sophisticated, multi-stage cyber attack is carried out. Ensure they understand how cyber attackers use social engineering to trick them into believing they are a C-level executive or a critical supplier.
- Invoice Fraud: typically involves a company supplier being compromised and is a subset of BEC fraud. Fraudsters then pretend to be from the supplier and request payment of an invoice.
- Chief Executive Officer (CEO) Fraud: another variant of a BEC scam, in which fraudsters impersonate a C-level executive to trick the finance team into paying a fake invoice. Often the fraudsters will hack or spoof a C-level email account.
- Salary Diversion Fraud: fraudsters impersonate an employee and request that the payroll department changes their account details so that their salary is paid to the fraudsters.
Build Phishing Simulations That Reflect the Risks To Finance Teams
The UK’s ICO recently fined Interserve Group Limited £4.4 million for failing to use appropriate security measures to prevent a cyber attack; the attack began with a phishing email sent to an employee in the accounts department. A series of events, including downloading the malicious attachment in the email and not following company security protocols, resulted in the loss of sensitive personal data of 113,000 employees. Even with anti-phishing gateways in place, phishing messages slip through as cybercriminals innovate to evade detection.
Phishing simulation exercises tailored for the type of risks levelled at the finance team are a must-have best practice in effective Security Awareness Training. Some advanced phishing simulation platforms will provide a variety of phishing templates that you can use to tailor your phishing training exercises to meet the needs of your finance department team.
Create Role-Play Scenarios
Financial teams are at risk of Business Email Compromise and other related types of multifaceted fraud that use social engineering. To ensure that Security Awareness Training is effective, create scenarios where typical stages of a financial scam are played out with the finance team so they can begin to recognise the tricks fraudsters use. Role-based scenarios should be used alongside traditional Security Awareness Training and simulated phishing exercises to emphasise the complex manipulations that scammers use.
Don’t Forget Security Hygiene
The finance department doesn’t just look after money; it also holds sensitive financial and personal data. The Verizon 2022 Data Breach Investigations Report (DBIR) found that a variety of human errors contributed to cyber attacks and led to exposed data.
Human error caused 82% of data breaches, according to the report. Errors included mis-delivery of emails, e.g., sending data in an email to the wrong person. So, when training finance teams about their role in security, remember the details, such as ensuring that email recipient lists are checked before sending important information.
Extend Security Awareness to Remote Workers in The Finance Team
The UK’s Office for National Statistics (ONS) found that 38% of employees said they had worked from home at some point over the previous seven days. Finance department employees will likely want to work from home, as studies show this factor is essential in employee retention. The emergence of the four-day week is also likely to see remote and hybrid work continue to be a popular part of attracting talent.
When creating a Security Awareness Training campaign that targets finance team members, ensure that you train employees on the security risks of remote working. Weave in elements such as the employee’s role in maintaining regulatory compliance and security hygiene issues such as using secure gateways and VPNs.
By using these security awareness best practices and focusing on the unique challenges of working in a finance team, your company can reduce the risks of insidious and costly crimes such as BEC fraud.