The power of partnership in mitigating cyber risk: A CFO’s perspective
Business leaders are charged with creating economic value. Escalating cybercrimes, however, pose critical threats to growth. Indeed, bad actors are increasingly creative and sophisticated with their craft. Viruses, worms, trojans, spyware, bricking, other malware, whaling, other forms of phishing, crypto-jacking, man-in-the-middle attacks, zero-day exploits or a good old-fashioned brute force attack are just a few ways these bad actors can impinge on our ability to effectively run a business. And for unsuspecting companies, especially for smaller organizations (mistakenly) believing they fall under the radar, a cyberattack could prove to be a paralyzing risk. As a CFO, I can confirm cybersecurity risk is one of those proverbial nightmares keeping executives up at night.
Too close to home
About a month ago, our general accountant noted a new customer’s payment was past due. Upon follow-up, the customer informed us they had already made the payment via wire transfer (even though we expected a check). Somewhat confused, we contacted our bank and re-confirmed that we had not received this payment. The customer then forwarded an email trail showing “we” had requested them to make a wire transfer and in which “we” had provided “our” banking information. They said they had even called the contact “we” provided to verbally confirm the banking details.
You guessed it! A bad actor had gained access to their server, blocked our original email, and then delivered an altered invoice with fraudulent banking information to them. Although we were ultimately paid in full, this incident was definitely “too close to home” for my comfort.
The power of partnership
Security magazine’s May 2024 cover story, entitled “The Power of Partnerships,” caught my attention. The author, Editor-in-Chief Rachelle Blaire-Frasier, concludes that “by fostering effective communication and working together, these relationships (between security teams and other units within an organization) can fortify resilience in an ever-evolving threat landscape.” I wholeheartedly agree! And I would suggest the most important of these relationships is the one between the chief security executive and the CFO.
CFOs, uniquely positioned to see their organization’s “big picture,” are increasingly challenged by their Boards of Directors and CEOs to identify, assess, and manage enterprise risks. CFOs likewise manage their company’s purse strings, significantly influencing what investments (in technology or otherwise) are made. CIOs and other security leaders, by closely partnering with CFOs, can ensure cybersecurity risks are appropriately considered and investments to mitigate such risks are appropriately prioritized. By partnering, security officers and CFOs will ensure their organizations are making informed decisions in the deployment of technology, optimizing such investments to benefit employees and customers alike.
Partnering on best practices
Based on my journey, the following are practical ways the CFO and CIO can partner to mitigate cybersecurity risks:
Educate your team
When it comes to cyber risk, employees are often your weakest link, even members of your own team. Whether due to lack of awareness or pure carelessness, an employee who clicks a malicious link or provides sensitive information to a bad actor puts their entire company at risk. To address this risk, you should invest in educating everyone in your company. Share stories of cyber victims and tips on how to avoid becoming one of them. Require employees, new and existing ones alike, to annually certify they understand your company’s cyber policies. And conduct periodic phishing campaigns, requiring anyone who “falls victim” to complete personalized training.
Adopt cyber policies
Before holding your employees accountable, you must clearly define your cyber-related policies, such as an “Acceptable Use” policy (to set expectations of employees when using computers), a “Communications Equipment” policy (to outline how equipment communicates data and acceptable ways to use this data), a “Risk Assessment” policy (to define who is accountable for assessing, classifying, and managing cyber risks) and a “Data Breach Response” policy (to clarify who has accountability for what in case of a data breach).
Know and mitigate your risks
To effectively assess your risks, design and implement a comprehensive cybersecurity program. Specifically, select a framework, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, leverage this framework to conduct a baseline assessment, and then develop action plans, prioritizing those which address the most concerning gaps (i.e., potential risks) identified during your baseline assessment.
Develop BCPs and related plans
How will you respond to a cyberattack? Will you make good decisions despite the stress and chaos of a live event? To significantly improve your ability to manage a cyberattack, invest in developing and documenting actionable crisis management, IT disaster recovery and business continuity plans.
Invest in cyber insurance
Knowing the question is more likely “when” rather than “if” your company will face a cyberattack, consider investing in cyber liability insurance to mitigate the risk of financial loss due to data breaches, ransomware attacks, and other cyber incidents. That said, the cost of cyber coverage has been steadily rising, especially for companies with poorly designed and/or implemented cybersecurity programs.
Adopt a continuous improvement mindset
CFOs and CIOs must become increasingly vigilant in assessing threats and proactively enhancing their cybersecurity programs. In addition to periodically conducting a new baseline assessment, reassessing gaps and reprioritizing your action plans, stay attuned to new cyberattack schemes and best practices to prevent them from impacting your organization, invest in automation and AI to combat modern fraudster sophistication, and consider engaging an incident response (IR) firm or cybersecurity partner.