Cyber-security is more important than ever before, as Serie A football club Lazio found out the hard way in March. After signing Dutch centre back Stefan de Vrij in 2014 from Feyenoord, Lazio agreed to pay his £6.8m fee in installments. Nothing seemed out of the ordinary when they received an email, including bank details, appearing to be from Feyenoord and requesting the final payment of £1.75m, so they dutifully sent over the money. It wasn’t until later, when Feyenoord hadn’t received the payment and in fact claimed to have no knowledge whatsoever of the email being sent, that alarm bells began to ring.
The money has since been traced to a Dutch bank account with no connection to Feyenoord at all. Somebody posing as the club with an official email signature had taken the money and run. Clearly this cyber attack, like most, was driven by the goal of monetary gain, so we can assume that it’s financial teams in organisations that are most at risk of being targeted. The most successful of these infiltration attempts are made by individuals hiding in plain sight, posing as legitimate and well-established contacts and targeting more junior employees.
This is why it’s so important for organisations to be aware of these risks and to encourage a culture of education and communication that brings different teams together. An update in company culture and structure such as this needs to be instigated from the top. The Lazio case highlights the fact that financial directors and CFOs need to advocate a proactive discussion about cyber-security across finance and IT departments.
New technologies should also be embraced to help where possible. User and entity behaviour analytics (UEBA) is one example: it captures user and login data to build up a profile of usual behaviour. This makes it much easier to recognise an irregularity or data breach, such as an external party getting hold of an employee’s login details.
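A minimal sketch of the profiling idea described above, as an added example rather than code from this article or from any UEBA product: it builds a per-user baseline from login records and scores a new login by how many of its attributes fall outside that baseline. The event fields, user name, sample records and the `min_history` threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample history: (user, ISO timestamp, source country, device id).
HISTORY = [
    ("finance.clerk", "2024-03-04T08:55:00", "IT", "laptop-17"),
    ("finance.clerk", "2024-03-05T09:10:00", "IT", "laptop-17"),
    ("finance.clerk", "2024-03-06T09:02:00", "IT", "laptop-17"),
    ("finance.clerk", "2024-03-07T14:30:00", "IT", "laptop-17"),
    ("finance.clerk", "2024-03-08T10:45:00", "IT", "phone-03"),
]

def build_profiles(events):
    """Count, per user, how often each login hour, country and device was seen."""
    profiles = defaultdict(lambda: {"hour": Counter(), "country": Counter(),
                                    "device": Counter(), "total": 0})
    for user, ts, country, device in events:
        p = profiles[user]
        p["hour"][datetime.fromisoformat(ts).hour] += 1
        p["country"][country] += 1
        p["device"][device] += 1
        p["total"] += 1
    return profiles

def score_login(profiles, user, ts, country, device, min_history=5):
    """Return (score, reasons); each attribute never seen before adds 1."""
    p = profiles.get(user)
    if p is None or p["total"] < min_history:
        # A thin baseline cannot say what is unusual, so do not alert on it.
        return 0, ["insufficient baseline"]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    # Tolerate +/- 1 hour so a slightly early or late start is not flagged.
    if not any(p["hour"][(hour + d) % 24] for d in (-1, 0, 1)):
        reasons.append(f"unusual hour {hour:02d}:00")
    if p["country"][country] == 0:
        reasons.append(f"new country {country}")
    if p["device"][device] == 0:
        reasons.append(f"new device {device}")
    return len(reasons), reasons

PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    # Constructed test login: valid credentials, but nothing else matches.
    print(score_login(PROFILES, "finance.clerk", "2024-03-11T03:12:00", "XX", "unknown-pc"))
```

A login that presents valid credentials but matches none of the user's usual hour, country or device scores 3 here, which is the kind of irregularity a stolen password produces.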
Ultimately, human error will continue to be a factor, so employees need to be made aware of just how easily simple mistakes can be made and what those errors can lead to. Some incidents will remain inevitable, but the focus should be on learning and development rather than blame and punishment if companies and individuals are to move forward to a more protected and efficient environment.