What CFOs Need to Know About Cybersecurity (Part 1)

Written by Heather Cole on April 8th, 2021

As the world continues to change, and more people are working from home, the CFO’s office needs to get more active and increase its knowledge of cybersecurity. Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats. There are many aspects of cybersecurity, including password usage, data encryption, use of public Wi-Fi networks, and ransomware attacks. Heck, even having your AC connected to your internet so you can monitor it can leave you exposed. Today we will discuss what CFOs need to know about cybersecurity.

Why CFOs Need to be More Cybersecurity Vigilant

“Cybersecurity breaches have become the top financial threat facing companies, making it essential for CFOs to play a pivotal role in managing the risk,” according to FM Magazine.

IBM estimates the average cost of a breach is $3.86 million. A recent IBM study found that a majority of organizations (76%) predicted that remote work would make responding to a potential data breach a much more difficult ordeal. 52% of breaches were caused by a malicious attack, and 80% of breaches included customers’ personally identifiable information. To receive a copy of the IBM Cost of a Data Breach Report 2020, go to IBM.com.

The Challenge

The challenge is that most CFOs are unaware of their risk and are surprised when they learn they have exposed data vulnerable to cyberattacks. CFOs must keep cyber risk top of mind, making it part of their regular dialogue with the C-suite and other operating leaders as they assess their risk and potential business disruption. But the first step is to understand the types of cybersecurity threats.

Types of Cybersecurity Threats Include:

  • Malware is a form of malicious software: any file or program used to harm a computer user. Malware can be installed by clicking a link from an unknown source. Malware includes worms, viruses, Trojans, and spyware.
  • Ransomware is another type of malware in which the creators hold your systems for ransom and demand payment to decrypt and unlock them.
  • Social engineering is an attack that relies on human interaction to trick users into breaking security procedures in order to gain sensitive information that is typically protected.
  • Phishing is a form of social engineering that is often targeted at the office of finance, where the offender sends a fraudulent email that resembles one from a reputable or known source asking for banking details, logins, or other sensitive data.
  • Insider threats are security breaches or losses caused by humans -- for example, employees, contractors, or customers. Insider threats can be malicious or negligent in nature.
  • Advanced Persistent Threats (APTs) are prolonged, targeted attacks in which an attacker infiltrates a network and remains undetected for a long period of time with the aim of stealing data.

For more information on understanding the basics of cyberthreats, check out this interesting cybersecurity blog.

Since I am not a security expert, I decided, as part of my research for this blog, to sit down with Reshma Moorthy of Frontier Technologies and Raj Soni of Adaptive Systems, two security experts and friends of mine. I asked them to share their ideas on What Every CFO Needs to Know About Cybersecurity. We created a video to help educate CFOs. After you watch our discussion, it is time to take action!

Steps CFOs Should Take Immediately

Now that you have a basic understanding of the ever-changing cybersecurity threats, you need to act! Lodestar Solutions recommends that you take the following steps immediately.

  1. Cybersecurity Risk Assessment Meeting - Set up a meeting with your CSO and CIO to do an initial cybersecurity risk assessment. The goal of this meeting is not to solve all the challenges. The goal is to discuss and listen to the risks, then try to rank them based on the potential business disruption and cost. You may want to engage an outside firm to help you with your risk assessment. If you need names of firms to help, email us at Services@lodestarsolutions.com and we will connect you with people we know.

  2. Review Your Insurance Levels - Are you insured against a cyber threat, and if so, to what level? Cybersecurity insurance policies are constantly changing, so you should have an insurance review checkup. Prevention is a better answer than insurance, but insurance could help when you experience a breach. (Yes, I said when, not if.)

I realize as I write this that understanding cyber insurance can be a big topic in and of itself.  Therefore, I will share more information about the two types of insurance you need to review in next week’s blog. 

In Summary

I hope you learned a little bit about what CFOs need to know about cybersecurity today. But knowledge is not power. ACTION is power. So, make sure you take the first step and set up a risk assessment meeting. If you have questions, I am happy to connect you with security experts. Just email me at Services@lodestarsolutions.com.
