The end of the financial year is a busy time in any business as sales teams race to achieve their numbers and finance teams prepare for tax season. This creates a perfect environment for cybersecurity scams.
The most common ones are phishing related, where criminals steal people’s passwords and credentials. Seemingly legitimate emails trick recipients into divulging credentials, which then let the hackers access the network posing as authorised users. Top-level executives are a prime target for these scams for a number of reasons.
First, CEOs and other executives usually have clearance for all sections of the network. This makes their credentials more valuable.
Second, busy executives often don’t notice that the email they’ve received is a scam because it looks legitimate. Because they’re so busy and the email seems to be from a trustworthy source, they often click on the links without thinking twice.
Third, the end of financial year is a time when businesses often receive emailed invoices and other communications, so a CEO, CFO, or even CIO is more likely to take these at face value. Sometimes, attackers create fake invoices that look so real, businesses simply pay them. It then becomes incredibly difficult to recover those funds. Make sure you constantly vet your internal processes and keep communicating to help improve your cybersecurity defences.
The key to a more successful cybersecurity stance is a combination of technology, people and processes. And, while many businesses have now invested in strong cybersecurity technologies, a breakdown in processes and human error are often to blame for successful cyberattacks.
To avoid falling victim, business leaders need to instil a strong culture of security in the organisation. To be successful, this needs to come from the top down; if an executive doesn’t take security seriously then neither will their staff.
Doing this requires regular education for employees via formal training and informal reminders and tips. Security teams need to communicate frequently regarding current threats and standard safety procedures.
Successful training approaches go beyond focusing on compliance, which can be ineffective and disengaging for employees. Instead, companies should consider gamification to increase engagement and excitement around cybersecurity best practices.
It’s also important to create an open culture when it comes to reporting potential breaches. Creating a punitive atmosphere only discourages people from coming forward in time to fix the vulnerability. Instead, organisations should praise staff for coming forward, then move quickly to address the breach.
Technology can help augment the people-based approach. For example, threat intelligence tools can automatically identify phishing sites and prevent employees from visiting them. This can help prevent leakage of password-based credentials to unknown sites, even if they aren’t officially categorised as phishing sites. Businesses should also use policy-based multifactor authentication enforced at the network level.
Importantly, everyone in the organisation, but especially business leaders, must be aware that the end of financial year is a peak time for cybersecurity scams. They need to remain extra vigilant during this time and refrain from clicking on links in emails, regardless of how legitimate they may look.
Instead, they should pass these emails to the security team for investigation. While your company should be ahead of the curve with security technology, making sure your people are aware of scams and trained and your processes are solid, can make your financial year end on calmer waters.