CFOs typically deal with the finances in a company, but in our technologically advanced world, there are multiple reasons to be concerned about cyber security. Keeping your business safe from a cyber attack must be at the very top of the budget priority list, making it an important role for CFOs. For the most part, the Chief Financial Officer’s main goal is to save the company money. A good CFO can find cost savings in everything from office supplies to personnel. There is, however, one area in which a CFO must be able to see the value in spending that extra dime: cyber security. Keeping sensitive information safe from attack must be a top priority for everyone within the company, but the person with the purse strings must give this vitally important budget item some precedence.
CFO’s Role in Preventing a Cyber Attack
Cyber security, poorly managed, is a material financial risk, affecting a company’s ability to succeed or survive. A data breach can negatively impact corporate results, corporate reputation, customer relationships, and the growth trajectory of even the most successful company. The cyber-risk landscape is ever expanding, with a growing volume and variety of attacks coming from outside the enterprise, as well as increasing sophistication of malicious employees on the inside. Unfortunately, all businesses connected to the digital world are under threat, whether they have discovered it or not.
The CFO’s Role
To gain a much deeper understanding of CFOs’ thinking about cyber security, and the roles they play in managing it, a recent Research surveyed 128 senior finance executives. The survey findings show that
most CFOs understand that they need to play an active role in cyber security management, but many lack a complete understanding of the threats they face and the tools they might use to manage those
threats. The CFO’s role is to protect the bottom line and ensure the viability of the enterprise. The survey found that, because of the risk to corporate performance that data breaches represent, CFOs and senior finance executives are taking an increasingly active role in managing cyber security. Four in ten (42%) finance chiefs surveyed say they are the owner or a co-owner of cyber security at their companies.
A recent Grant Thornton study echoes this data point, finding that 38% of CFOs are responsible for their firms’ cybersecurity. And two-thirds (66%) of survey respondents say they are comfortable understanding/discussing information security (e.g., risks, technology) and translating this information for their Board. The CFO has a seat at the cybersecurity table, but do these cyber-savvy finance stakeholders have the insight needed to significantly and positively impact their organization’s cyber-risk program? Enterprises that focus primarily on prevention (rather than detection or response) increase the risk of missing unknown threats, such as attacks using weak or stolen login credentials and advanced attacks that do not involve malware. To illustrate how common those “hard-to-see” threats are, almost 80% of network intrusions involve weak or stolen login credentials. For these reasons, focusing on prevention is not the most effective way to spend your time or money.
Disconnect: Response Planning Experts also cite the critical importance of having an incident response plan with clearly defined roles and processes. Such a plan should involve more than just the basics of detection, containment, investigation, remediation and recovery. It should also include steps aimed at minimizing legal liability, reputational impact, and employee morale. Unfortunately, the Grant Thornton study showed that a small percentage are focused on incident readiness, with only 4% reporting that they have created an incident response plan. Despite the lack of uptake, a defensible and well-defined incident response process is the single most important component of an information security program. As we noted at the beginning, no matter how good your preventative technologies are, a sophisticated (or lucky) attacker is going to get in sooner or later. Still, only 53% of senior finance executives we surveyed say their company has a formal incident response process. And only 23% of finance chiefs have a formal role in incident response. With so much at stake, the CFO should play a formal role in the process.
Once someone has wormed their way into your system, they’ve got access to everything. It is as if someone you don’t know now knows all your deepest, darkest secrets and can do whatever they want with them. A cyber attack is potentially the worst kind because it hits them where it hurts the most: their money and security, and it can ruin lives. Take it to the business level, and you’re not only looking at an attack of one person, but now you’re looking at taking a hit to your company’s bottom line as well as risking the security of every person who works there, as well as your customer’s, and any company’s you work closely with, including your suppliers.
The CFO’s role in preventing a cyber attack is an important one. You must have a plan in place to keep all sensitive information under lock and key. Keeping your company’s information safe is keeping the company safe overall. The loss of that information could mean the end of your business. As CFO, you must understand the importance of finding ways to prevent cyber attacks and know which cyber security questions to ask to do so.
It’s everyone’s role to keep the company safe from cyber attacks, but the two most important people in this equation are the CIO and the CFO. There should be someone in charge of IT and cyber security, and there must be the funds to keep a network security plan in place.
The worst thing you can do is nothing. As the CFO of your company, you know the value of the almighty dollar.