Cybersecurity Resilience and Best Practices for Fraud Prevention

The CFO Leadership Council conducts professional development programs with the goal of empowering CFOs across the globe to make better strategic IT decisions.

As part of this, I moderated the seminar titled:

Cybersecurity Resilience and Best Practices for Fraud Prevention - Why should a CFO care and what can they do about it?

Dr. Willie E. May of the National Institute of Standards and Technology (NIST), like many other leaders, has often stated that "Cybersecurity Is Not Just an IT Issue, IT Is a Business Risk." Because financial executives are quantitative by nature, I would like to put the cost of cybercrime in context:

  • Per CNBC: Cybercrime costs the global economy $450 Billion
  • Forbes: Cybercrime costs projected to reach $2 Trillion by 2019

Here are a few relevant points for the broader cybersecurity community, CFOs, and the boards in most industries and organizations of all sizes.

A) When performing Risk Analysis and Risk Management, ask these questions:

  • Which assets, digital and physical, is the organization trying to protect?
  • How is the data classified? And how is it treated differently?
  • Where is the risk?
  • How could that risk change over time?

After these questions are answered, then identify where to begin. Too many companies attempt to “protect everything” and wind up “not” protecting much at all.

A few points to consider:

  • Trained people and processes should supplement IT tools. Consider the Equifax hack, where the staff forgot to restart the system after patching. Relying solely on technology will have adverse effects.
  • Do not limit penetration testing to just one area of the company's infrastructure and IT landscape. Covering the vulnerable areas serves the organization better.
  • Companies should test across the firewall, servers, web applications, mobile applications, and infrastructure, for both inside and outside threats.
  • Hackers don’t play by rules. They do their homework. They are patient.
  • Perform vulnerability tests to check for potential risks, and penetration tests (pentests) to identify whether any of the vulnerable spots can be exploited.
  • Ask the CISO/CIO about the current Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in place and how the alerts are being managed.

Choosing an Intrusion Detection System that best suits the organizational needs is critical.

The options available are:

  • Network-based intrusion detection system
  • Host-based intrusion detection system
  • Blended option (RealSecure-type systems)

Three things to consider when choosing an Intrusion prevention system (IPS) are:

  • Detection capabilities
  • Context understanding
  • Threat intelligence use

Follow all other steps, just as when any other mission-critical technology is acquired.

B) How to reduce the chances of a hack and steps to take when there is a compromise:

  • Have multiple levels of authorization.
  • Reach out immediately to the financial institution (if the finance systems are compromised).
  • Documentation of every process is important.
  • Training is critical – specifically against several social engineering attacks (Pretexting, Quid pro quo, Tailgating, Baiting, Water holing, Diversion theft, Phishing - Phone and Spear phishing.)
  • Do not shame or punish when someone opens a malicious link. Use it as a teaching moment. Create a culture where employees are not afraid to share what they did.
  • Acting immediately when breached minimizes the impact on the business and the customers.
  • Want ROI? Act fast. Contact the law enforcement authorities.
  • A cyber breach is like quicksand. One doesn’t realize that the next step taken could sink.
  • Pay attention to Business Email Compromise (BEC). Companies are often attacked through email by tricking the target into letting malware in or authorizing a fraudulent wire transfer.

C) Conquer the easy threats first:

  • Implement simple checks and balances.
  • Do not leave all authority to one person.
  • Audit each account and user.
  • Get rid of inactive accounts and users.
  • Monitor usage.
  • Test the humans (drop USB data sticks on the ground to see who will use them).
  • Require training for those that fail the tests.
  • Sharks smell blood: hackers will look for patterns and wait for a vulnerable time or opportunity.

D) What can be done?

  1. Create and implement a policy: Being breached is not about if, but when. Put the recovery protocols in place before anything terrible happens. When it does happen, systems are ready to deal with it.
  2. On the governance side: to determine measurements, the board and C-suite should meet with the CIO, CRO, and CISO and establish the critical metrics, such as how often the company systems get audited, then document and follow up. Cybersecurity is only as strong as the weakest link in the company (the employees).
  3. Ask these questions:
  • Does the organization need a cybersecurity commitment team?
  • Are the risks analyzed and understood?
  • What are the investments required and the ROI?
  • How is the staff educated, and what are they trained on? How does that relate to the business?
  • Do employees understand their roles?
  • Is the company utilizing partners?
  • How do the vendors impact the company?
  • Does the company have a security policy or process in place for vendors?

  4. Educational options:

Many frameworks are available and specialized to fit specific industries. Some banks and merchant vendors will help with the necessary assessments for free.

  • Figure out what data needs to be protected and how those different buckets of data will be treated differently.
  • Know that there is no one blanket protection policy.

  5. How to best protect passwords?

  • Password manager
  • Biometrics
  • Multiple security factors at sign-in – e.g., second-level authentication that sends a passcode to the user's mobile phone
  • Use privileged identity managers

E) How to validate if the policies are working or not?

When developing technology, most designers and engineers use test-driven development (TDD); applying similar test-driven policies to cybersecurity enhances the posture.

  1. Test
  2. Measure
  3. Improve
  4. Tabletop test
  5. Monitor progress.
  6. Simple clean up. Delete inactive/duplicate data.

F) How can the staff, CFOs, and the board enhance the cybersecurity posture?

Cybersecurity involves Process + People + Technology. Be engaged, ask questions, document, and follow up. If the C-suite is not versed in the latest threats or not aware of which questions to ask, work with passionate consultants whose industry expertise can fill in the gaps.

G) 15 items to consider while enhancing the cybersecurity posture are:

  1. Pay attention to the third-party vendors (remember the Target Corporation breach, where the hackers entered the systems through an HVAC vendor from out of state?)
  2. Who is accessing the network from the vendor side? Are they sharing the credentials with multiple users?
  3. Are the vendors able to access only the components of the network that they need to conduct their business? (follow “Minimum Authorization Required” rule). Who is responsible for which part of the company systems and network?
  4. Ask how often the vendor systems and policies get audited.
  5. Who audits the vendor systems? Pay attention to the answers. Is it an independent third-party audit or an internal audit?
  6. If a third party is employed, how reputable are they?
  7. If internal staff is used, to whom do the information security/audit staff performing the audit report?
  8. If they report to the CTO, conflicts of interest should be considered.
  9. Are the systems getting patched?
  10. What is the formal patching process? Is it verifiable?
  11. How often does the company perform risk assessments? Is there a malware scan in place?
  12. What is the formal method for interpreting the results and what actions are taken for the evaluations conducted in the past 24 months?
  13. How are the vendors and their systems monitored currently?
  14. If a Managed Service Provider (MSP) is employed, or if IT and infrastructure are outsourced to third-party vendors, make sure close attention is paid to the MSP’s risk management, risk mitigation, and business continuity management policies and procedures.
  15. At a few midsize companies I have consulted for, I noticed the C-suite entrusting cybersecurity to a few engineers with additional full-time duties. The Russian proverb President Reagan used during the Cold War era (Doveryai, no proveryai - Trust, but Verify) is highly relevant to all aspects of cybersecurity, where things are not always what they seem.
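Several of the checks above (section C: audit each account, remove inactive accounts, monitor usage; items 2 and 3 here: vendor credentials shared among several users, vendor access limited to what the business needs) are mechanical enough to script against an account inventory and an access log. The block below is an added illustration, not code from the seminar or from any product: the inventory, the log lines, the user names and the scope names are constructed sample data, and the source addresses are RFC 5737 documentation ranges. It flags accounts idle past a threshold, accounts whose granted scopes exceed what was approved, and credentials used from several source addresses within a short window, which is the usual footprint of a password passed around a vendor's team.

```python
"""Account-hygiene review: inactive accounts, vendor over-privilege, credentials that
look shared. Added illustration, not code from the original article; all inventory
and log data below is constructed (RFC 5737 documentation addresses)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed account inventory: scopes actually granted vs. scopes approved for the account.
ACCOUNTS = [
    {"user": "alice",       "type": "employee", "last_login": "2018-03-01", "scopes": {"erp"},        "approved": {"erp"}},
    {"user": "bob",         "type": "employee", "last_login": "2017-09-12", "scopes": {"erp"},        "approved": {"erp"}},
    {"user": "hvac-vendor", "type": "vendor",   "last_login": "2018-03-02", "scopes": {"bms", "pos"}, "approved": {"bms"}},
    {"user": "svc-backup",  "type": "service",  "last_login": "2018-02-28", "scopes": {"backup"},     "approved": {"backup"}},
]

# Constructed access log: ISO timestamp, user, source address.
ACCESS_LOG = """\
2018-03-02T08:01:10 hvac-vendor 203.0.113.10
2018-03-02T08:03:55 hvac-vendor 198.51.100.7
2018-03-02T08:04:20 hvac-vendor 192.0.2.44
2018-03-02T09:15:00 alice 203.0.113.25
2018-03-02T09:16:30 alice 203.0.113.25
"""

REVIEW_DATE = datetime(2018, 3, 3)  # fixed "today" so the example is repeatable


def inactive_accounts(accounts, as_of: datetime = REVIEW_DATE, max_idle_days: int = 90) -> List[str]:
    """Accounts whose last login is older than the idle threshold: candidates for removal."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if datetime.strptime(a["last_login"], "%Y-%m-%d") < cutoff)


def overprivileged_accounts(accounts) -> Dict[str, List[str]]:
    """Accounts holding scopes beyond what was approved ("minimum authorization required")."""
    return {a["user"]: sorted(a["scopes"] - a["approved"])
            for a in accounts if a["scopes"] - a["approved"]}


def parse_access_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Turn 'timestamp user source' lines into (datetime, user, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src = line.split()
        events.append((datetime.fromisoformat(ts), user, src))
    return events


def shared_credential_candidates(events, window_minutes: int = 10, max_sources: int = 1) -> Dict[str, List[str]]:
    """Users whose credential was used from more than max_sources distinct addresses
    inside any window of window_minutes: the typical footprint of a shared password."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, uses in by_user.items():
        uses.sort()
        for i, (start, _) in enumerate(uses):
            sources = {src for ts, src in uses[i:] if ts - start <= timedelta(minutes=window_minutes)}
            if len(sources) > max_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


def run_review(accounts=ACCOUNTS, log_text: str = ACCESS_LOG) -> Dict[str, object]:
    """Run all three checks and return the findings for the review meeting."""
    return {
        "inactive": inactive_accounts(accounts),
        "overprivileged": overprivileged_accounts(accounts),
        "shared_credentials": shared_credential_candidates(parse_access_log(log_text)),
    }


if __name__ == "__main__":
    for check, finding in run_review().items():
        print(f"{check}: {finding}")
```

On the constructed data this reports `bob` as inactive, `hvac-vendor` as holding the unapproved `pos` scope, and `hvac-vendor` as used from three addresses within a few minutes. The thresholds (90 idle days, a 10-minute window, one source address) are the parameters a reviewer would tune per account type; service accounts in particular may legitimately log in from several hosts and deserve their own baseline rather than the employee default.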

If the CFOs of small-to-medium businesses (SMBs) are dealing with a lot of inbound and outbound financial transactions, they should shop banks for security tools that come with support, and ask the staff where they can avoid reinventing the wheel.

Cybersecurity is not a project, it is a process, and it is ongoing.

Executives almost immediately ask about the cost of such best practices. A thorough and well-implemented security plan doesn’t need to be exorbitantly priced.

Can you find consultants who combine excellent work with a reasonable cost? It’s not easy to find cybersecurity/business technology consultants with the needed industry expertise who can also readily prove the ROI. Instead of the typical consultant model of “ideas” only and no “implementation”, look for the ones who work relentlessly to solve the problems with passion rather than a desire for a quick contract.

My IT and business advisory processes have been honed over the past two decades across the globe in a variety of small, medium, and large enterprises, and have assisted in expert decision making around “partner,” “buy,” or “build” decisions to enable business strategies. I have served in leadership capacities at a range of companies including Cox Group, CUNA, IBM Corporation, Corcoran Real Estate, Blue Cross Blue Shield, Global Healthcare Rehabilitation, and more, and was responsible for strategy, innovation, corporate growth, operations, P&L, and product management.

As a management consultant, I am supported by two proven global IT sourcing companies (610+ employees) to achieve quantifiable results and lessen the risk of working with unknown or newly hired vendors.

I am a unique business-minded IT professional...and a technology-minded business strategist, who advances projects and initiatives with an out of the box approach…

I have observed that some departments view their role as supporting the objectives of a cost center (overhead.)

I focus on:

  1. Acquiring/developing cost-effective, business-appropriate technology, and
  2. Using IT as a means to attract, keep, engage employees and customers... while generating sales, increasing profitability and satisfied customers guided by the "Rotary 4-way test."
  • Are you prepared to accelerate the business success by transforming into an omnichannel digital enterprise, for a better long-term marketplace position?
  • Are you confident that your IT advisors are helping you exceed your business goals?
  • Are you satisfied in the way your company calculates ROIT (return on IT spend)?
  • Are you sure when a new product or service is developed, the TCO (Total cost of ownership) is reduced, and the ROIT is improved?

I help companies answer those questions and achieve their goals.

I have accreditations from Harvard University (Cybersecurity: Managing Organization's Critical Business Systems, Networks, Data and Risk In The IT Age), the Indian Institute of Technology (a one-year course in IT), an MBA from Madurai University, India, and a Mini MBA in Healthcare from the University of St. Thomas, MN. I am a recognized public speaker and an author on Digital Transformation and Cybersecurity. I’m an experienced past board member for three for-profit US companies and a non-profit: 1) ArtSpace International, which owned 25 art galleries in GA; 2) Global Rehabilitation, a healthcare company in MN; 3) - most management consultants are Ph.D.’s in their specialty; non-profit – RisingStar Outreach; and serving as President at Plymouth Rotary. 612 322 2470; [email protected]

Panel members:

Chris Veltsos @DrInfoSec - Risk and Privacy Strategist, Minnesota State University

Damien Riehl, Vice President, Stroz Friedberg

Doug Underwood, Risk Advisory Principal, RSM

Kyle Mekemson, VP Global Treasury Solutions, Bank of America Merrill Lynch

Moderated by: Bala Guntipalli, Sr. VP - Technology and Operations

Feel free to comment on your experiences in uncovering/ thwarting cybersecurity threats and risks.