It’s time the CFO got involved in cybersecurity. Remote working has opened vast possibilities for cyber-attackers to access financial data and processes, spreading risk factors well beyond the borders of the IT department.
Everything can be done, and is, on the internet these days, thanks to the global pandemic.
The previously held perception that working from home was a favour by your employer, switched in the blink of an eye. Employees’ willingness to turn home into office, sometimes under suboptimal conditions (while home-schooling small children, for example), kept businesses open.
But remote working brought a host of other consequences to the fore, some less appetising. According to the NFIB Fraud and Cyber Crime Dashboard, there were over 400,000 reports of fraud and cyber attacks incidents in the UK in 2021. This upsurge in cybercrime was blamed on coronavirus and the increase in remote working.
Most business processes can – and are – run remotely now. The most vulnerable, by a significant margin, are obviously financial activities, accessed via the cloud. Immense pressure is placed on IT departments to ensure that a company’s cyber assets are kept safe and healthy.
But this is not enough.
Analysts like Gartner, are pushing for the entire C-suite, and in fact, the entire staff body, to be involved in cybersecurity as more and more processes are run remotely.
It really is everyone’s responsibility to help.
By the same token, damage to a company when a cyberthreat becomes reality, will affect all staff.
Trend towards even more remote workers means greater threats
Risk-aware CFOs should develop policies and guidelines that identify and prioritise the areas in financial processes most vulnerable to attack.
This recommendation comes as a result of a Gartner CFO survey that found that nearly 3 out of 4 CFOs are planning to move at least 5% of previously onsite staff to permanently remote roles, since Covid.
And bearing in mind that organisations’ financial data tends to incorporate the most sensitive information, like customer and supplier financial data, the threat to this data is exponentially high.
“CFOs should neither ignore these fresh vulnerabilities nor go it alone,” says Alexander Bant, Practice Vice President, Gartner. “CFOs especially need to collaborate with both IT and risk managers to make sure new cybersecurity risks stemming from the adoption of remote work don’t outpace the policies designed to protect vulnerable data.”
The most common cyberthreats
CFOs need to develop strategies against the risk of malicious attacks on cybersecurity in collaboration with their teams, alongside IT security and risk/audit teams. It’s important to prioritise business processes to ensure the most business critical are best protected, with solid mitigation plans.
The three most common threats to an organisation are:
1. Phishing attacks, where employees are tricked into providing sensitive data, mostly via email, but not necessarily. Phone and text are also avenues for swindlers.
2. Malware, which describes malicious software designed to damage a computer or gain unauthorised access to a system.
3. Data leakages, which happen when multiple devices and internet connections access databases with sensitive information.
There are three approaches to cybersecurity a CFO needs to take into account, highlighted by Gartner’s report:
1. Realise. It’s important to identify the areas of financial processes that are most vulnerable to attack. Once the financial assets and relevant software applications are pinpointed, they can be prioritised in order of business critical importance.
2. Respond. Here it’s important to delineate roles, responsibilities, and accountabilities, as well as contacts in the case of a breach, along with the quickest possible solutions. Expectations need to be managed, as well as ensuring resources are properly allocated and correct focus is given to this issue. An example might be that the chief accounting officer is designated as the ‘first responder’ to analyse the potential financial damage of an attack to then decide how best to approach it.
3. Review. This process should act as a constant thread throughout the running of financial processes. Cybersecurity risk reviews should be held periodically with an understanding and overseeing of the regulatory compliance landscape. Policies should be set up to run regular health checks on the measures in place, as well as reviews of possible weaknesses and threats. These reviews should incorporate members of the finance, as well as IT and risk/audit teams and an output should be a report on the health of the financial data security.
Other key considerations according to Deloitte, is to promote a culture of awareness and responsibility across the organisation, starting at the top. Cybersecurity needs to be a corporate priority and the responsibility of each and every employee in the organisation. Risks are evolving faster than organisations are able to react, leading to a greater need for transformational thinking in an ever changing IT and regulatory environment.
Any organisation doing nothing will soon find that is all they do as they’re hacked to bits and their reputation is irreparably damaged.
David Steele is the MD of SecuriCentrix and a Cyber Security Analyst. Founded in 2010, SecuriCentrix has grown to become a global Security and Compliance service provider to organisations.
As a Service Focused Cyber Security company, SecuriCentrix’s priority is to deliver the best client experience with minimal disruption while enabling highly effective operational cyber programs.
The firm has forged strong relationships with organisations across Africa, Australia, Europe, India, and the UK.