The CFO’s Role in Cyber Security

Artificial Intelligence (AI), Blockchain, Robotics, 3D Printing, Cloud Computing, Internet of Things (IoT), Mobile and Advanced Analytics, among others, are some of the new technologies making waves in the technology space. The rate at which technology is evolving is alarming, to such an extent that if you are a player in this field you have to constantly be on top of your game; if you fall asleep, you will be left behind.

Love them or loathe them, technological breakthroughs have created a world that is always connected, continuously innovating and constantly challenging conventional wisdom. For example, new computing power in the form of customer analytics is enabling businesses across all sectors to interact 24/7 with their customers, understand consumer behavior like never before and deliver unique customer experiences that yield results.

Current digital capabilities are disrupting traditional business models and presenting valuable opportunities to streamline processes, improve efficiency, free up resources, sharpen data analysis and improve business performance. Taking these benefits into account and others, CFOs are leading their companies on exciting digital transformation journeys.

It is true that technology is empowering us to perform our jobs better and achieve more with less. However, I get concerned when all we talk about is only one side of technology: the benefits.

In the midst of all the promises and excitement brought by these “new shiny” tools, we are forgetting the heightened risks that come along with them, which, if not closely monitored and addressed, have the potential to bring the business to its knees overnight. As organizations continue to increase their reliance on new technologies to drive strategic performance, new risks to data security and confidentiality are emerging.

This automatically elevates the need to protect customer and employee data, as well as confidential information entrusted to the company by third parties and business partners. The consequences of failing to do so are not only financial but also intangible: lost customer confidence and reputation damage.

CFOs have a critical role to play in enhancing and strengthening their companies’ cyber security programs. In the past, security responsibilities have fallen to the IT manager. However, the increase in data breaches and cyber attacks is elevating cyber security to the boardroom, with the CFO taking over the mandate.

The good thing, though, is that Finance owns the majority of the data generated and used in the business. Secondly, Finance is responsible for performance reporting and analysis, and CFOs have a bird’s eye view of the business and the market. Because of these two advantages, CFOs are well placed to know where sensitive information is stored at all times, how it is secured, who has access to it, who the potential perpetrators are and how they could get access to the information.

The problem in many companies is that cyber security becomes an imperative only after a breach has occurred. Just because you have not experienced a cyber breach or attack does not mean you should allow yourself a false sense of security. If you believe that your network is secure, or that you are a small company and therefore immune to cyber breaches, think again.

These days cyber criminals are becoming more and more sophisticated and repeatedly aim to stay a couple of steps ahead of their victims. Most attacks are discovered months or even years after the date of the initial breach. A case in point is the attack on the shipping company Svitzer, which is part of the Maersk Group. Sensitive personal information of around 500 employees in Australia, where the attack took place, was affected.

The perpetrators got access to the email accounts of 3 employees and for 11 months (May 2017 – March 2018) secretly auto-forwarded between 50 000 and 60 000 emails outside the company. Accounts in Finance, Payroll and Operations were affected. The perpetrators were smart enough to add supporting rules that deleted the forwarded emails, so that the compromised account owners would not see that their mail was being forwarded.
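The forwarding-plus-deletion pattern described above is detectable from a mailbox's rule inventory. The script below is an added example, not from the article or from Svitzer; it audits a constructed export of inbox rules (the record fields, the company domain and the sample addresses are all assumptions) and raises the severity when a mailbox that forwards externally also carries a rule that deletes messages.

```python
from collections import defaultdict

# Assumed placeholder for the company's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample records shaped like an inbox-rule export; the field
# names are assumptions, not a real product schema.
SAMPLE_RULES = [
    {"mailbox": "payroll@example.com", "name": "File invoices",
     "forward_to": [], "delete": False, "conditions": {"subject": "invoice"}},
    {"mailbox": "finance@example.com", "name": "Sync",
     "forward_to": ["drop@mail-relay.invalid"], "delete": False, "conditions": {}},
    {"mailbox": "finance@example.com", "name": "Cleanup",
     "forward_to": [], "delete": True, "conditions": {"to": "drop@mail-relay.invalid"}},
    {"mailbox": "ops@example.com", "name": "Copy to partner",
     "forward_to": ["partner@example.com", "me@freemail.invalid"],
     "delete": False, "conditions": {"subject": "shipment"}},
]

def external_targets(rule, internal_domains):
    """Forward addresses whose domain is not one of the company's own."""
    return [a for a in rule["forward_to"]
            if a.rsplit("@", 1)[-1].lower() not in internal_domains]

def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per mailbox that forwards mail externally.

    Severity is 'high' when the same mailbox also has a rule that deletes
    messages, the combination that hides forwarded copies from the owner.
    A forward rule with no conditions copies every message, so it is flagged.
    """
    per_mailbox = defaultdict(list)
    for rule in rules:
        per_mailbox[rule["mailbox"]].append(rule)
    findings = []
    for mailbox, mrules in per_mailbox.items():
        targets = sorted({t for r in mrules for t in external_targets(r, internal_domains)})
        if not targets:
            continue  # nothing leaves the company from this mailbox
        delete_rules = [r["name"] for r in mrules if r["delete"]]
        forwards_everything = any(not r["conditions"] for r in mrules
                                  if external_targets(r, internal_domains))
        findings.append({"mailbox": mailbox,
                         "severity": "high" if delete_rules else "medium",
                         "external_targets": targets,
                         "delete_rules": delete_rules,
                         "forwards_everything": forwards_everything})
    return findings

if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES):
        print(finding)
```

Run against a real export, the medium findings still deserve a look: a forward to a personal freemail account is a common policy breach even when nothing is being hidden.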

With the speed and complexity of the threats changing on a daily basis, CFOs must take action and play a leading role in helping their organizations fight cyber crime. As a CFO:

Acquire knowledge on cyber security. If the CFO is expected to take the lead in assessing and advising the board on cyber security issues, how is (s)he going to do so without an understanding of the risks and the potential impacts of a breach? Lack of understanding leaves valuable information exposed. It is therefore critical that the CFO acquires knowledge of the different types of attacks, their impact on brand value, how to prevent them, and how to respond in the unfortunate event of an attack. When the CFO has detailed knowledge of cyber security, (s)he is also able to lead the discussion and train the board, so that it gains the working knowledge of cyber security needed to provide appropriate oversight.

Map and classify your organization’s data. In a world where companies operate more than one financial and operations system, each containing sensitive stakeholder and financial performance information, risks abound. You need to understand how your organization’s data supply chain functions and how information flows across your entire network of systems. Developing this understanding will help you take a digital inventory of your data and locate the critical information most in need of protection, since it is impossible to protect everything equally.

Carry out regular vulnerability assessments. It is common practice to install antivirus or some other form of software to protect ourselves from an attack. Unfortunately, this is not enough. Cyber security goes beyond installing software, hence the need to assess the weaknesses and risks attached to your systems. One way of doing so is to employ the services of ethical hackers, who will actively try to penetrate your systems and recommend effective internal controls. It is important to be proactive and to continuously evaluate your current detection tools.

Build cyber security into the culture. One way cyber criminals make their way into company systems is via employees, by sending them clickbait emails. If an employee lacks knowledge of cyber attacks, clicking on the link can expose the entire group to a destructive attack. Educating and training employees on cyber matters helps build awareness. Additionally, employees should be encouraged to share information about a breach; this improves the organization’s ability to detect and respond to attacks of a similar nature. Although the CFO carries the overall responsibility for reporting to the board on cyber security issues and initiatives, it is still everyone’s job to detect and report possible attacks. Cross-functional collaboration is therefore necessary.

Don’t ignore third party risk. Business partners, vendors and other third parties hold important data on behalf of the company. An example would be where your company has outsourced specific Finance functions to a low-cost service provider, or has engaged a marketing agency to handle your product marketing strategy. If this data falls into the wrong hands, your company will have to answer for it. Why? Because the company is accountable not just for data stored in-house but also for data held by third parties. CFOs must therefore regularly assess third party risks and evaluate each third party’s data management processes. This will shed light on whether the third parties are protecting your data with the same rigour as your own company.

Develop an incident response plan. Data breaches occur even in highly secured organizations. What is required is a response plan developed before the breach takes place, to avoid panicked and bad decisions. The plan should define what is considered a cyber security incident and provide a clear roadmap or process steps to follow when an incident happens. It should also have clear decision-making guidelines, including a robust communication framework. You don’t want to find yourself scrambling to assign roles and responsibilities in the heat of the moment. Regular practice and testing of your response plan is a must; this will tell you in advance whether your plan is usable or overly complex.

In conclusion, the mere fact that your organization has not yet been subjected to an attack doesn’t mean that you should shelve all efforts to secure your systems. As long as you use devices, mobile, social and back-office technologies that are connected to the Internet, you are a perfect candidate for a data breach. Don’t let ignorance act as a catalyst for your downfall.
