5 Tips Corner - The New Role of the CFO in Cybersecurity
Is cybersecurity a technical issue or a business issue?
Does protecting your organization against cyber-attacks fall under the domain of your chief technology officer … or your chief financial officer?
The answer is both. If that seems surprising, consider why threat actors target technology assets. Often, it’s to get to the big prize: your business assets.
If you want to protect your organization against the financial damage caused by viruses, ransomware, phishing, zero-day exploits and other cyber-attacks, you must include your CFO in your cybersecurity plans.
Read on to discover why – and how.
The silos between finance and IT are rapidly disappearing, and rightly so.
Your CFO plays a role in your cybersecurity because the goal (and end result) of most cyber-attacks is financial.
Yes, some threat actors attack networks to make a political point, and some hackers and hacking groups like to hack because they are bored, are looking for a challenge, or want to gain bragging rights. But these groups are in the minority.
The majority of hackers who want to penetrate your networks are motivated by money. In one global study of large organizations that had been victims of cyberattacks, 41% had been attacked because the criminals wanted the organization to pay a ransom to get its data back.
Ransomware, however, isn’t the only way companies can lose plenty of their hard-earned coin to cyberattackers.
When many businesspeople think of cybersecurity, they think of the front end of their business, not the back end. They think of emails with suspicious attachments and SMS messages with dubious links. They think in terms of firewalls, phishing, social engineering and insecure wireless hot spots. They focus their attention on the cause, not the consequences.
But cyber-attacks are a problem precisely because they can have devastating financial consequences.
The most obvious damage that hackers cause is theft of funds. CFOs should naturally be concerned about anyone who threatens to steal money from their organization. Hackers steal money in a variety of ways, including:
These days, first comes the ransomware attack, then come the lawsuits. Companies that get locked out of their computer networks by ransomware attacks are now finding themselves getting sued by consumers, suppliers, and workers who claim they were hurt by lax cybersecurity.
Lawsuits are costly to defend against, and they are costly to settle if your company is found to have been negligent. Class-action settlements can run into the tens of millions of dollars. Retailer Target, for example, paid consumers $10 million and paid banks $39 million after hackers broke into company systems and stole the credit card details of its customers.
Your customers, employees and suppliers aren’t the only people who care when you get hacked. Regulators pay attention when hackers breach organizations and steal data, and they levy hefty penalties and fines for non-compliance.
Equifax, for example, agreed to pay at least $575 million in a 2019 settlement with the FTC, the CFPB and U.S. states after the personal data of roughly 147 million people was stolen. The company failed to patch a known critical vulnerability in the Apache Struts framework (CVE-2017-5638) in a public-facing web application … and then waited roughly six weeks to tell the public about the breach.
CFOs play a role in protecting their organizations from the financial damage caused by cyber-attacks.
Their role, however, is not technical but strategic.
What CFOs bring to the table is an understanding of risk management, best practices, and policies and procedures that improve their organization’s security posture.
What CFOs also bring to the table is their considerable influence. If both the CTO and the CFO tell the C-suite (or board of directors) that stronger cybersecurity is needed, it’s much more likely to become a companywide priority.
Here are four priorities for CFOs and CTOs to champion:
1. Zero-Trust Security: Encourage your company to adopt a zero-trust model. Do not implicitly trust any user or device, whether inside or outside your corporate perimeter. Instead, verify every user and device on every access request, grant no more access than the task truly needs, and treat your internal network as no safer than the public internet. Never trust. Always verify.
2. Remote-Worker Cybersecurity Best Practices: Ensure that your organization has adopted cybersecurity best practices for working remotely. All employees who work from home or on the road should follow best practices for multifactor authentication, virtual private networks, endpoint protection and patching, secure data storage and more.
3. Cybersecurity Awareness Training: The weakest part of your corporate network is your people. When hackers target an organization, they rarely need to break through its firewalls; instead, they trick employees into opening infected email attachments, clicking on malicious links and entering credentials on bogus websites. The best defense against these attacks is thorough, ongoing cybersecurity training, backed by technical controls such as multifactor authentication. CFOs should ensure that their organizations deliver this training, because finance staff who can approve payments are prime targets.
4. Cybersecurity Risk Assessments: Cybersecurity is all about a concept that is close to the heart of every CFO: risk. For the CFO, cybersecurity is financial risk management. As a CFO, you must understand your exposure to financial loss by participating in cybersecurity risk assessments. Work with IT first to identify the hardware, software, data and intellectual property that are exposed to cyber-attack, then put a figure on the financial risk tied to each asset: what a single incident would cost, how often one is likely to occur, and what it would cost to reduce either.
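As an added illustration of the final step in that list (example code written for this page, not an Ntiva tool or method), the script below scores a small constructed asset register the way a CFO and IT lead might during an assessment: each scenario gets a single loss expectancy (SLE, the dollar cost of one incident) and an annualized rate of occurrence (ARO, the expected number of incidents per year), which together give an annualized loss expectancy (ALE = SLE × ARO). Candidate controls are then compared on net benefit, the ALE they remove minus what they cost per year. All asset names, dollar figures and control effects are assumptions made up for the example.

```python
"""Quantitative cyber-risk triage: rank loss scenarios by annualized loss
expectancy (ALE) and candidate controls by net annual benefit.

Example code added for illustration; every figure below is a constructed
assumption, not data from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair from the risk register."""
    asset: str
    threat: str
    sle: float  # single loss expectancy: dollar cost if the event happens once
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy in dollars per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed safeguard and its estimated effect on one scenario."""
    name: str
    asset: str            # which Scenario.asset it protects
    annual_cost: float    # licence, hardware and staff time per year
    aro_reduction: float  # fraction of incidents it prevents (0..1)
    sle_reduction: float  # fraction of per-incident cost it removes (0..1)


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains after the control is applied."""
    return s.sle * (1 - c.sle_reduction) * s.aro * (1 - c.aro_reduction)


def net_benefit(s: Scenario, c: Control) -> float:
    """ALE avoided minus the control's yearly cost; negative means it does not pay."""
    return s.ale - residual_ale(s, c) - c.annual_cost


def rank_scenarios(scenarios):
    """Scenarios ordered by ALE, largest exposure first."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def prioritize_controls(scenarios, controls):
    """(control name, asset, net benefit) tuples, best investment first.

    Controls with a negative figure are kept so the report shows which
    proposals cost more per year than the loss they avert.
    """
    by_asset = {s.asset: s for s in scenarios}
    rows = [(c.name, c.asset, net_benefit(by_asset[c.asset], c)) for c in controls]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register: assets IT flagged as exposed, with finance's estimates.
SCENARIOS = [
    Scenario("ERP system", "ransomware outage", sle=2_000_000, aro=0.10),
    Scenario("Customer PII database", "data breach", sle=5_000_000, aro=0.05),
    Scenario("Accounts payable", "fraudulent payment", sle=150_000, aro=0.50),
    Scenario("Laptop fleet", "lost unencrypted device", sle=50_000, aro=2.0),
]

# Constructed control proposals; their effects are assumptions for the example.
CONTROLS = [
    Control("Immutable offline backups", "ERP system", 60_000, 0.0, 0.75),
    Control("Enterprise DLP suite", "Customer PII database", 300_000, 0.5, 0.0),
    Control("Payment approval with MFA", "Accounts payable", 20_000, 0.8, 0.0),
    Control("Full-disk encryption", "Laptop fleet", 15_000, 0.0, 0.9),
]


if __name__ == "__main__":
    print("Exposure by scenario (ALE per year):")
    for s in rank_scenarios(SCENARIOS):
        print(f"  {s.asset:24} {s.threat:24} ${s.ale:>12,.0f}")
    print("\nControls by net annual benefit:")
    for name, asset, benefit in prioritize_controls(SCENARIOS, CONTROLS):
        print(f"  {name:28} {asset:24} ${benefit:>12,.0f}")
```

With these made-up inputs the DLP proposal comes out negative: it would remove $125,000 of expected loss a year but cost $300,000, while the cheap accounts-payable and laptop controls pay for themselves several times over. The point for the CFO is the method rather than the numbers: once impact and frequency carry a dollar value for each asset IT flags, security spend becomes an ordinary capital-allocation decision, and the estimates can be revisited as incident data accumulates.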
Cybersecurity is both a technical challenge and a business challenge because hackers use technical means for business purposes. They attack networks and systems to damage organizations financially.
This is why cybersecurity is not just the concern of your CTO, but your CFO as well. Protecting your organization against cyber-attack protects your financial position in the marketplace.
As a CFO, you should work to ensure that your organization is using a zero-trust model, employing best practices for remote work, conducting regular cybersecurity training, and performing regular assessments of your cybersecurity risk.
By Corey Shields, Ntiva