CFOs must play a crucial role in the fight against cyberattacks

Increased digitisation calls for a strong focus on security technology and employee education

As digitisation grows, so does the incidence of digital crime. At the current rate of growth, damage from cyberattacks will amount to about US$10.5 trillion annually by 2025 – a 300% increase on 2015 levels, according to research by McKinsey & Co.

It argues that both data security and information protection must become core areas that companies address with greater investment in cybersecurity technology.

Meanwhile, in its annual Directors and Officers report, Allianz Global Corporate & Specialty warns that investors in companies increasingly view cybersecurity risk management as a critical component of a company’s board risk oversight responsibilities.

Board members must develop and maintain accountabilities for IT security before, during and after any cyber incident, it warns, pointing out that alleged failures can be seen as a breach of duty.

“Major breaches experienced by publicly traded firms have damaged investor confidence, causing share price drops, and thereby becoming ‘events’, which again can give rise to costly class action securities litigation,” says Rishi Baviskar, global cyber experts leader at AGCS’ risk consulting team in the report.

“Boards therefore need to initiate and implement a cyber risk management structure that covers the entire organisation.”

At IBM, UKI CFO Chris Cook points out that CFOs must prioritise tech security to ensure the protection of their company’s sensitive financial and customer data, whilst maintaining the integrity of their systems, and minimising the risk of security incidents.

“CFOs are naturally risk-sensitive and so are a key business partner at the senior leadership level to ensure that the organisation as a whole is addressing the threat systemically,” he says.

“Technology and digital systems now play a critical role in modern finance and accounting operations and any security breaches or disruptions can result in significant financial losses, reputational damage, and regulatory penalties.”

Cybersecurity measures

Cook points out that for all CFOs, digitalisation and the integration of technology are extremely important in today’s business environment, enabling them to increase operational efficiency, improve decision-making, and better manage financial risks.

The implementation of robust cybersecurity measures is, therefore, vital in the fight against cybercrime.

“This includes regular software updates, use of anti-virus and anti-malware software, strong password policies along with password vaults and biometric identification, and implementation of layers of defence for the infrastructure. Then, companies can conduct regular security audits to help identify and mitigate vulnerabilities in technology processes,” Cook says.

“Training employees on security best practices is also vital. Employees should be trained on how to identify and report potential security threats, as well as how to properly handle sensitive data.”

Cook notes that having a company culture which stresses the importance of security and reducing vulnerability to security risks is also important.

“Developing an appropriate culture can vitally communicate the importance of security measures and procedures and promote a shared responsibility for security across all employees. This can help reduce the likelihood of security incidents due to employee carelessness, such as lost or stolen devices, weak passwords, or falling for phishing scams,” he says.

He adds that “appropriate company culture” can also create an environment where employees feel comfortable reporting security incidents and further strengthen the organisation’s overall security posture.

“It’s important to have ongoing training in security threat identification and mitigation, and not consider it a ‘one and done’. It’s the regular repetition that helps ingrain the habit,” he says.

Cook concludes that it is important to leverage technologies which help people be secure, such as password vaults, which secure systems with very strong, non-repeating passwords, and biometric identification, which can make it both faster and easier to gain system access while also limiting the ability for credentials to be phished or stolen.

He also stresses the need for companies to partner with technology companies that have a strong track record in security and invest in solutions that prioritise security.

“CFOs should be considering the security features of any technology solutions they are looking to adopt and prioritise those that have a strong emphasis on security. This is the one place operationally where a serious misstep shoots right to the top and is a board of directors’ level of concern given what can be at issue.”

CFOs must ask questions

Meanwhile, at software company Varonis, CFO Guy Melamed also sees data security as vital – and stresses that CFOs must play a crucial role here.

“CFOs cannot be – and never will be – technical like their CISOs, but what they need to do – and have to do – is ask questions,” he says.

“By asking questions, they will understand how their organisation is positioned in terms of cybersecurity. They need to be involved in the whole debate as if something does go wrong, they will have to report on it.”

Melamed points out that the amount of data held by organisations has grown dramatically in the last 15 years and that this brings a need for digitisation and ever more complex platforms and applications.

“When data is growing so much, it is harder to protect it. Once a cyber attacker gets hold of company data such as names, addresses and account numbers, this data breach cannot be unbreached,” he says.

He believes that CFOs should, for example, always ask how many company files become open to new employees when they join the company and ask questions about whether this is necessary. “For companies that have tens of thousands of employees, you cannot just assume they are all ethical,” he says.

“This is also very relevant to the CFO’s own finance team. The CFO has to know who has access to financial statements that could be passed on to a competitor.”

He adds that security risks can also emanate from increased homeworking and the possibility that an employee will click accidentally on a link, which turns out to be a phishing attempt. “The CFO must understand how the company can lock the vault when this happens,” he says.

Melamed agrees that there is a combination of actions CFOs should take in the fight against cyberattacks.

“One of the first priorities must be to ensure that all employees receive education in cybersecurity – and also to train them up in this on an ongoing basis,” he says, pointing out that the risk of phishing will be reduced if all employees are fully trained in what to look out for.

“Another priority is to have an understanding of the automated products used in the ongoing battle against cybercrime. CFOs – whether they like it or not – must have a seat at the table in all these discussions,” he concludes.

“They are not technical people, but CFOs have to have periodic conversations with the CISO on how the organisation is being protected against cyberattacks, what the perceived threats are and what is being done to manage this risk in terms of products and education.”
