This blog post is written based on an interview with Thomas Wong, Improsec, in the podcast Regnskabets Time, season 2 episode 4
The convenience store chain 7-eleven was hit by a possible hacker attack last week, which ended up closing all of its stores in Denmark. We feel that it must be appropriate that we bring an excerpt of our podcast with Thomas Wong from Improsec, where we got to talk about the current threat concerning having one’s data compromised by cybercriminals.
TL;DRAn interview with Thomas Wong from Improsec, recorded for the podcast Regnskabets Time, reveals that most Danish companies want to prioritize IT security but struggle to allocate resources to the basics, such as risk assessments and business continuity plans. The post argues that for cloud-based finance solutions, companies must clearly understand where the SaaS provider's security responsibility ends and their own begins.
Thomas: Yes. What I mean is that the vast majority of companies would like to focus on IT security. But when it comes to getting it incorporated into the company’s culture, it often turns out to be far more difficult to dedicate resources to it than first expected. It can, for example, be in relation to getting these basic things done, such as risk assessments or a business continuity plan, which tells you what to do if things go wrong. The day things go wrong, the snowball you have pushed in front of you has just gotten much bigger. Most businesses will be compromised at one point or another, so it’s a matter of making sure the amount of damage is as small as possible. So it is important to be well prepared for an attack.
Thomas: That is a very broad question. But one of the most important things to be clear about is who is responsible and when. The supplier has a responsibility. But only until their service “stops”. When a SaaS solution delivers data into a company’s operating system or the like, it is, therefore, the company’s responsibility that it is stored securely and that the system is sufficiently updated.
Thomas: Quite simply: Choose a good password. Do not reuse passwords. And this also applies in cases where you use different usernames, email accounts or the like – don’t reuse passwords. Here I also believe that you should not change your passwords according to a pattern that is easily recognisable. Last but not least, work-related and private things must also be kept separate. If everyone did that, and stopped checking their private email from their work computer, there would be fewer attacks.
Thomas: First it starts as an operational disruption – there are files that can no longer be accessed, programs that no longer work and then this is usually followed up with a message which states that you can get your things back if you pay for it. Usually worded in a very nice and polite way. After this, it is quite important to be open about things. An attack can last a long time, and it’s perfectly okay to be open about it. But what should happen next, is that the company should follow the aforementioned business continuity plans. Then you know what to do in all phases of the attack and the subsequent recovery phase. It will save an incredible amount of time and ultimately money.
Some of the companies that have been hit very hard are those that do not have plans ready in advance. In many cases, the public may not even hear that there has been an attack. Because the company has acted quickly, since there was a clear plan and strategy for what to do before, during and after the attack.
Thomas: I would not recommend that to my clients. I say that from an ethical aspect. But having said that, I can come up with examples of where it would make sense for a company to pay off the attack. It could, for example, be in a case where the company simply will not be able to continue and where bankruptcy will be the natural consequence of the attack. Here it can be difficult to say that you have a choice. But if you choose to go down that path, I would also recommend that you work with some professionals who have experience in negotiating with cybercriminals.
However, if you want to avoid being in a situation where you even have to consider paying off an attack, then risk assessment, training, preparation, penetration tests, etc. are the way forward. It sounds very sad, but it may end up being the most important investment the company has ever made.
Frequently Asked Questions
Who is responsible for security when a company uses cloud-based finance software?
Responsibility is shared. The SaaS provider is responsible for securing their own platform and service. But once data is delivered into the company's operating environment or integrated with internal systems, it becomes the company's responsibility to ensure that environment is properly secured and kept up to date. The handover point matters and should be clearly defined in the service agreement.
What are the most important IT security basics that Danish companies are neglecting?
According to Thomas Wong from Improsec, the most common gaps are foundational: risk assessments and business continuity planning. Most companies want to improve security but find it hard to dedicate resources to these preventive measures. The consequence is that when an incident does occur, the response is far more costly and disruptive than it needed to be.
Can a company completely prevent a cyber attack?
No. Thomas Wong is explicit that most businesses will be compromised at some point. The goal is not prevention alone but damage limitation. This means having a business continuity plan, knowing which systems are critical, and ensuring that a successful attack against one part of the infrastructure does not cascade into a full shutdown, as happened to 7-Eleven Denmark.
How should employees handle security risks when using company systems?
Employees are often the weakest link, not because of malice but because security awareness is low. Regular training on phishing, password hygiene, and how to report suspicious activity significantly reduces the human-factor risk. IT security culture must be built into daily habits, not treated as an annual compliance exercise.