TIPS #19: Shift Left for Finance

Issue: While company-wide cybersecurity measures are essential, the unique security needs for each business unit can vary significantly. This disparity frequently leads to a disconnect between security teams and departments like Finance, leaving organizations vulnerable to targeted attacks. 

A house can’t withstand a hurricane, earthquake, or blizzard without a solid foundation and strong walls and windows. The foundation is a horizontal plane which supports everything above it. The walls and windows are vertical pillars which keep the house upright, protect against the elements, and hold up the roof.  

Cybersecurity is a part of the foundation, walls, and windows that protect companies and business processes from cyber threats. Just as a business needs both passive and active defenses, so does it require both horizontal security- foundational defenses such as company-wide identity, endpoint, data, and network security- and vertical security- defenses against threats targeting distinct business processes.  

Many security teams do not recognize the extent to which vertical security measures vary depending on the business unit. As a result, they often don’t support, approve, or integrate targeted vertical measures, leaving their organizations at risk.  

Case Study: Finance  

This is particularly evident in finance, a business unit with a unique set of people, processes, and technologies which facilitate cash and treasury management- a high value target for threat actors.  

Finance manages transactions including payments to vendors and suppliers, product rebates and refunds, payroll processing for employees, insurance claims, and customer payments. These transactions might be made by check, push to debit, automated clearing house (ACH), real-time payments (RTP), wire, or other payment types.  

The CFO supervises the department and is responsible for the company’s overall financial strategy. A treasurer typically owns cash, payables, and receivable management processes while a department controller oversees accounting activities. Finance teams may need to comply with reporting requirements from regulations like the Sarbanes-Oxley Act in the US. 

Payment systems, transactions, and user accounts must be monitored for payment errors, incorrect payment and account data, duplicate payments, check delivery issues, fraud, and money laundering. Finance functions face specific threats from internal and external parties, including social engineering attacks, fake helpdesk calls, Business Email Compromises (BEC), deepfakes, and account takeover attacks (ATO).  

Targeted Attacks on Finance Require Vertical and Horizontal Security  

A threat actor who wants to steal funds from finance can use various attack methods. They might steal legitimate user credentials, perpetrate an account takeover with a SIM swapping scam to access texted Multi-Factor Authentication (MFA) codes, and modify the target user’s bank account details. They could also create a deepfake identity to bypass Identity Verification (IDV) during account onboarding and create an entirely new user account. They might even leverage BEC methods to manipulate an employee into sending a payment to their account.  

Only a calibrated blend of horizontal and vertical security measures can prevent these highly targeted attack methods.  

Horizontal identity security is needed to enable authentication, access control, and authorization. This should include Identity Governance and Administration (IGA- security policies which manage access controls) and Identity Access Management (IDAM- such as MFA, which requires multiple forms of identification).  

Vertical identity security is needed to verify identities, payment accounts, and transactions. This should include Identity Verification (confirming someone is who they claim to be during onboarding) and relationship verification (continuously verifying payee-payer relationships and the payee-account relationship to prevent errors and fraud).  

The horizontal measures (IGA and IDAM) must coordinate with vertical measures (IDV and relationship verification) to effectively defend finance from targeted threats while also preventing payment errors. Unfortunately, most organizations don’t holistically integrate these defenses.  

Finance teams are typically responsible for vetting vertical solutions to secure transactions. Security teams (who might not even see the solutions as “security”) get involved far too late in the tool acquisition process, if at all. This can prevent necessary security investments, resulting in piecemeal capabilities and a weak security posture. 

Impact: Misalignment between horizontal and vertical security measures introduces organizational risk and greater impacts from financial crimes and payment errors.

Finance is at a greater risk of embezzlement, fraud, and theft when essential vertical tools aren’t acquired or are improperly selected, supported, or integrated. Payment errors are also more likely. These outcomes cause financial losses, negatively affect regulatory compliance, and diminish customer and stakeholder experiences.  

Here are some real-world examples:  

$123 million BEC Scam 

Between 2013 and 2015, Lithuanian cybercriminal Evaldas Rimasauskas and his associates orchestrated a successful BEC scheme targeting Facebook and Google. The group impersonated data center hardware supplier Quanta Computer, a legitimate manufacturer both Facebook and Google did business with, by creating a fake company with the same name in Lithuania. Rimasauskas also opened a number of business bank accounts in the fake company’s name. The group then sent fraudulent invoices, letters, and contracts to both companies via fake Quanta Computer email addresses, ultimately convincing Google employees to pay around $23 million and Facebook employees to pay around $100 million.  

In this case, fraud was enabled by insufficient employee awareness around BEC scams and inadequate vendor relationship and payment verification. 

$25 Million Deepfake Scam 

In early 2024, reporting emerged about a novel deepfake scam which cost British multinational engineering firm Arup $25 million. A Hong Kong-based Finance employee at Arup received a phishing message that was supposedly from the company’s CFO. Initially suspicious, the employee was convinced to join a video call where deepfakes of the CFO and other employees convinced them to make 15 transfers totaling over $25 million to several Hong Kong bank accounts.  

In this case, fraud was enabled by insufficient relationship and payment verification.  

Action: Shift left to enable coordinated horizonal and vertical security measures for Finance. 

1) Shift Left isn’t Just for Developers 

The concept of “shift left” has revolutionized the security-development relationship, bringing security teams into development processes earlier, facilitating DevSecOps and continuous collaboration, and ultimately strengthening software security.  

The same principle should be applied to the security-finance relationship. Security must collaborate with finance early and often to understand the department’s unique people, processes, technologies, risks, and security needs. This enables more effective vertical tooling acquisitions, a stronger alignment between horizontal and vertical security measures, and a more secure organization.  

2) Horizontal Security for Finance: IDAM and IGA 

IDAM and IGA are foundational identity security measures which should be at the core of every company, with important implications for the finance business unit (as discussed above).  

IDAM controls should be customizable and must limit insecure system and data usage. 1Kosmos offers passwordless authentication, advanced biometric MFA, and secure onboarding to enforce secure access to your networks, systems, and accounts. 

IGA capabilities should grant the minimum access necessary to enable a secure permissions environment. SPHERE identifies and eliminates over-privileged access to clean up your company’s identity hygiene, enable secure Active Directory management, and protect data at scale. 

3) Vertical Security for Finance: IDV and Relationship Verification 

IDV and relationship verification are critical to combat insider fraud, payee fraud, and payment errors. Ultimately, the right payment needs to be sent to the right payee with the right payment method- on time, every time.  

Verituity’s Zero Trust Verification orchestrates the verification of each transaction specific to the payer and payee’s identity, modality, and chosen payment methods. With intelligent and verified disbursements reactive to the payout context, Verituity helps your company engage payees with the payer’s brand to establish trust and verify the payee-payer relationship.