Becoming a Cyber-Resilient CFO

Cyber security is a top priority for Chief Financial Officers, given that new research indicates the rate of ransomware attacks around the world in 2021 has grown by 102 per cent compared to the same time last year.

In the words of James Solomons, global CFO of Xref and host, in the age of rapid digital transformation, cybercrime is one of the biggest threats facing CFOs and finance teams, with the potential to cripple a firm financially and reputationally.

“Sophisticated hackers are opportunistic and will target businesses regardless of their size. So, what was once considered an IT issue is now firmly in the CFO’s remit. As a result, finance chiefs need to be very aware of the risks and prepared for attacks.

“Even bank-grade security is no match for employees failing to follow processes. This includes sharing logins and passwords and acting on emails that look like they come from the CEO’s iPhone, when the CEO has only ever had a Samsung device.”

Cybercrime is big business and The Cyber Resilient CFO was the topic of the most recent CFO Magazine Lunchtime Live, sponsored by Microsoft.  

The audience of over 150 CFOs and finance leaders were fortunate to hear Microsoft New Zealand country CFO Helen He and Abbas Kudrati, Chief Cyber Security Adviser for Microsoft Asia, explore trends in this area and actions CFOs can take to mitigate cyber risks.

As Helen acknowledged, CFOs have a key role to play. “As finance professionals, we can use our skills to evaluate the case for investing in cyber security software and support the necessary prevention activities. We are also instrumental in effectively managing the consequences of a successful attack.”

Helen noted there are also many other steps CFOs can take to manage cyber threats. “We need to engage with the chief information officer to understand their view of key risks. We also need to examine, manage and implement employee training requirements. It’s also in the CFO’s remit to explore whether the business has the right skills to identify threats. Overseeing these dynamics can help the business effect appropriate changes to the collective mindset around mitigating cyber threats.”

While this sounds simple, cyber management is a complex area. Abbas observed there are three big challenges facing CFOs. These are:

  • Ensuring they speak the same language as the CIO and chief security officer.
  • Properly using the organisation’s cyber security solution’s capabilities.
  • Rationalising software when multiple products perform identical tasks.

“It’s also essential to ensure cyber security is considered at the board level and to manage software vendors’ cyber risks and that of the supply chain more broadly,” he said.

A balancing act

The hybridisation of work widely adopted as a result of the pandemic, with staff working at home and also at the business’s premises, has produced new cyber threats. This is also an important factor for CFOs to manage.

“CFOs must address emerging vulnerabilities as a result of new ways of working and balance this with supporting employee productivity,” Solomons told the audience.

This is at the forefront of Microsoft’s approach to cyber internally and for its clients.

“At Microsoft, we foster a culture where security is everyone’s job. This means keeping your device healthy and managed and securing the home office. We also provide cyber security guidelines for part-time and full-time employees and ensure they understand and follow them,”

Helen He, Country CFO New Zealand | Microsoft

Key to this is ensuring staff maintain a healthy scepticism. “Don’t trust messages from anyone or anything inside or outside the organisation’s parameters until the identity of the user has been verified. This is vital to preventing hackers from breaching the firewall and accessing the system and its data,” she says.

Abbas explained trust can be developed through producing independent assurance reports on third parties’ cyber capabilities, exploring their compliance with payment card security standards and requesting the right to audit their systems.

Mandating annual training requirements around identity verification and data and device protection is also essential. It’s also crucial to ensure there are resources and tools available for the finance team and the organisation as a whole to manage cyber risks.

Says Abbas: “It’s about building a human firewall so staff are no longer the weakest link.”

Top tips for CFOs to manage modern cyber threats:

  • Take advantage of cloud service providers’ cyber systems.
  • Learn from recent attacks. For instance, a vast majority of attacks originating on premises are successful, while attacks that come via the cloud are largely unsuccessful.
  • Insist on multifactor authentication for 100 per cent of employees 100 per cent of the time.
  • Invest in cloud-based monitoring software.
  • Ensure IT disaster recovery plans and cyber security incident management plans work in conjunction with each other.
  • Balance investment in cyber security with the value of the data being protected.