As the tax deadline for many corporations and small businesses approaches next week, hackers are on alert. These bad actors know many finance teams are scrambling to meet deadlines, ensuring everyone has the data they need to properly and efficiently complete compliance-related tasks.
With this in mind, hackers actively strategize ways to go after employees this time of year. Usually, they target the employees who possess this data, and they do so from multiple angles. Employees, mostly unwittingly, can put their company’s integrity and operations at risk with the click of a mouse.
From training employees to be aware of scammers, to working with cybersecurity professionals to ensure data security, finance leaders who wish to protect their company long-term must consider prioritizing cybersecurity. This is especially true if they feel their organization lags behind competitors or peers in data protection.
Nathan Jenniges, vice president of products in cybersecurity at BlackBerry, the cell phone manufacturer turned cybersecurity company, believes that taxes and data breaches are similarly certain.
“In this digital world, nothing is certain except death and taxes — and cyberattacks,” said Jenniges, a former VP of product management at McAfee Enterprise. “It’s not a matter of 'if' but 'when' an organization will be targeted; it’s tax season, and cyber criminals are even busier this time of year. All it takes is one employee clicking a suspicious link, and an entire company’s data could be compromised.”
How Hackers Target Employees
Allocating resources to cybersecurity tech products as if they are insurance policies is not enough. Companies need to make their employees aware of the threat and train them with a level of seriousness equal to the value of the data they possess. According to Jenniges, an uninformed employee can be a hacker’s best tool.
“Employees need to know that weak passwords and human error – including trusting emails about an order or call from a bank – will let hackers in,” Jenniges said. “During events like the holidays, the World Cup, or tax season, we see increased phishing attacks and targeted attacks trying to disrupt the event, such as preventing the timely processing and submission of taxes.
“Data is worth more than ever on the dark web — bank details, passwords, even tax histories,” Jenniges said. “It’s getting harder to recognize targeted attacks, meaning anyone working from home or outside the office must be vigilant and work with their employers to spot and report suspicious activity.”
Jenniges described phishing, the use of fake emails or text messages, as the key method hackers use to target employees who regularly deal with valuable information.
“Phishing attacks have become increasingly sophisticated and can be difficult to recognize, making this an effective form of cybercrime,” said Jenniges. “Cybercriminals create cleverly designed emails that appear from legitimate sources and contain believable messages. They exploit human psychology by creating a sense of urgency and fear to convince [the employee] to click on a malicious link or open an attachment that contains malware.”
Start With 'Cyber Hygiene'
Unlike inflation, talent issues, budget cuts, supply chain snarls, or other challenges executives face, hackers are the only threat to the business that continually tries to sabotage it directly. Prioritizing data protection takes more than embracing cybersecurity from the top down; it means incorporating it as a fundamental part of the business. Under what BlackBerry’s cybersecurity leader calls “cyber hygiene,” CFOs and their teams must embrace data protection as a core value.
“Cyberattacks are preventable, and the truth is that every organization needs better cyber hygiene,” said Jenniges. “Anyone can fall prey to simple phishing emails responsible for many cyberattacks. Humans are generally prone to error; it just happens.”
“You can educate people, but when they’re in a moment of inattention, they’re bound to make mistakes. It’s up to businesses to implement robust security strategies and ensure it is not putting employees in a position where there’s an option to make compromising mistakes,” he continued. “Cyber criminals are waiting for organizations and the public to drop their guard.”
Jenniges believes weak points are often created to enable some business need, like a user with administrative privileges and no multi-factor authentication or an executive's device with specific controls turned off to improve the [user's] personal experience.
“Review the business reason for giving employees access to data,” Jenniges said. “Ask 'why' seven times, and if it truly is needed, then ensure you have the elevated visibility and rapid investigation to any anomalous events on those critical assets.”
Overlooked Cyber Risks
Alan Hartwell, chief technology officer at Iris Software Group, believes CFOs and their teams overlook a few elements of the cybersecurity approach and can take relatively simple steps to hedge against a potential data breach. “We should expect attacks against firms to become increasingly more frequent and sophisticated. Implementing mitigation solutions now will help prevent breaches and safeguard your clients' valuable data,” said Hartwell.
According to the CTO, companies working with third parties must also be aware of their partners' cybersecurity initiatives. “Firms rely on many vendors, especially with remote workers, such as video conferencing, outsourced payroll, and document management systems to deliver daily services,” Hartwell said. “These vendors provide value [and promote] efficiency, but companies must ensure data integrity is top of mind through the entire vendor supply chain.”
“All vendors must be vetted at the start of a relationship on cybersecurity protocols and data protection measures — and continue to be vetted throughout the entire working relationship.”
Hartwell believes incorporating cybersecurity into the company culture is essential when getting started. Keeping employees consistently aware of scammers by testing and baiting them provides a great learning opportunity for employees and organizations regarding where they are most exposed and how to improve.
“A good first step for any company lacking cybersecurity is to begin fostering a culture that immediately prioritizes safe cybersecurity and data security habits,” said Hartwell. “Employees must receive cybersecurity best practice training at least two to three times yearly to consciously keep cybersecurity top of mind.”
“There is no one size fits all approach to cybersecurity training,” Hartwell said, “but training should include document management best practices, phishing [awareness], personal data protection, and cybersecurity best practices.”
“Quarterly random phishing tests from IT personnel can test the habits of your teams,” he said.