Alan Levine | June 07, 2018

The modern CFO: financial gatekeeper, strategic adviser and … cybersecurity expert?

As seen on Financial Director...

When studying the evolution of the CFO role, it becomes clear that it has gone through a metamorphosis in the last twenty years. A lot of this has to do with digital transformation as traditional tasks attributed to the CFO, such as producing and analysing financial statements, have now been largely computerised.

CFOs can’t just narrow their focus on the bare financial bones, they need to enable wider strategies of the business to keep it profitable. This should include promoting cybersecurity in order to protect the organisation against attack, particularly as attacks become more costly and the value of data increases over time

It is the CFO’s responsibility to advise other board members on the potential financial impact of a breach and ensure that funds are allocated for preventing and containing incidents. Given that financially focused attacks like business email compromise (BEC) strike directly at the heart of the balance sheet, it should go without saying that CFOs be well-versed in the most efficient ways to counteract cyberattacks.

To put this all into perspective, a recent study commissioned by Bromium revealed that global cybercrime generates around $1.5tn a year in revenues — about the same as the GDP of Russia. As Bromium stated, “If cybercrime was a country it would have the 13th highest GDP in the world”.

According to Verizon’s most recent Data Breach Investigations Report (DBIR), phishing attacks and pretexting — in which cybercriminals pose as trusted contacts in order to gather information and/or lay a trap for unsuspecting end users — represent 98% of social cyber-incidents and 93% of data breaches.

Furthermore, 59% of cybercriminals who perpetrate social attacks are motivated by financial gain. It’s important for CFOs to note Verizon’s findings here because the DBIR identified that finance and HR are the two departments most likely to be targeted in pretexting attacks like BEC, which often lead to the execution of fraudulent wire transfers. Given that financial teams are especially targeted and successful attacks can cost businesses dearly, CFOs must be part of the team responsible for addressing the real business risks of cybercrime.

The threat is real and growing

BEC has become a serious threat to organisations of all sizes worldwide. Last year, the US Federal Bureau of Investigation (FBI) reported that between October 2013 and December 2016, there have been more than 40,000 incidents internationally that have cost organisations more than $5.3bn. These tailored attacks are often multi-faceted, mixing phone, fax, and email communications, and they are executed over time in order to establish a basis of trust with the target. This level of sophistication makes such attacks difficult to identify and avoid — possibly until it’s too late.

Following are the primary “flavours” of BEC, as identified by the FBI:

  • Submission of an invoice that appears to come from a trusted foreign supplier
  • A request for a wire transfer that appears to come from the CEO or CFO
  • Invoice payment requests submitted from a compromised vendor email account
  • Attorney impersonation in which sensitive information or a pressing fund transfer is requested
  • Fraudulent requests for employees’ tax identifiers or other personally identifiable information.

Recently, threat actor group Gold Galleon targeted businesses in the global maritime industry and related companies with a BEC campaign that utilised fraudulent invoices and financial documents, attempting to steal $4m over a seven-month span using fake payment requests.

According to security researchers, the maritime shipping industry was targeted because of a global disparity of its workforce and its heavy reliance on email make it uniquely vulnerable to cyberattacks of this nature. As an international industry, emails in this vertical often contain different time zones, poorly translated content, and strange website domains, meaning that anomalies are less likely to stand out for employees.

How can CFOs prevent this?

CFOs should take on the mantle of cybersecurity, even though their job functions don’t specifically involve it. As well, they should encourage the entirety of the C-suite to follow suit, as a top-down cybersecurity culture that has senior management leading by example can play a significant role in mitigating the risk of social engineering–driven fraud.

CFOs should proactively reach across the aisle and develop a good working relationship with the CISOs, CSOs, and other cybersecurity “spenders” in their organisations. It can be helpful for a CFO to understand the calculus behind cybersecurity spending, as well as the value-add that these investments can bring to an organisation.

It’s critical that every enterprise invests in appropriate cybersecurity defences, both in the form of technology and end-user education. If a CFO merely regards cybersecurity purchases as liabilities, that negative mindset can send the wrong message and undermine efforts to create a strong, resilient organisation (which is in everyone’s best interest). An engaged CFO, one who supports a strong cyber defence, is pivotal for the success of a cybersecurity program.

CFOs should also be open to participating in continuous cybersecurity training themselves not only because they are prime targets and subjects of BEC and other social engineering attacks, but also because this encourages participation within their departments and the organisation at large. The threat landscape continues to evolve, and training will help to ensure that basic and specific protections are well-understood by users at all organisational levels.

CFOs should also examine policies and procedures within their downlines and tighten up any potential weaknesses. BEC attacks can be avoided if CFOs speak frankly to their teams about this threat and put relevant steps and policies into place. Something as simple as requiring voice-to-voice confirmation — with a known individual — prior to executing a wire transfer can stop an attack like this in its tracks. CFOs must be willing to go through the formal steps to prove their identities as well because it is often the CFO and other high-level executives that are being impersonated via email in order to secure these payments.

It really comes down to a willingness to accept cybersecurity as part of the CFO accountability. Given the sensitive and business-critical role these executives play, they are a prime target for attackers. A CFO who is sensitised to cyber risk can be a crucial ally to an organisation’s overall cybersecurity posture.

Read this article on Financial Director