We are living in a dangerous world when it comes to cybersecurity and CFOs feel vulnerable. Last year’s Black Hat Hacker Survey 2017[1] found CFOs pessimistic about cybersecurity risk. CFOs understand the sophistication of hackers and how exploitable their own organization’s technology can be. For instance, when asked what the easiest entry point was for getting sensitive data, nearly one-third (32%) of Black Hat respondents said “accessing privileged accounts” followed closely by 27% saying “accessing user email accounts.”
When security on individual accounts is so easily breached, it is not surprising that company-wide security breaches are now growing in number. Equifax and Yahoo[2] are just two of the more prominent ones in the last year. But the roster keeps growing and the costs can be steep.
According to Deloitte’s Global Risk Survey[3], only 42% of CFOs considered their institution to be extremely or very effective in managing cybersecurity risk. The reasons for this are not as one would expect. Sixty-two percent of respondents say they are not challenged with securing funding, or in communicating the need for spend on cybersecurity to the board or senior management (69%). The problem is “securing sufficient technical expertise to oversee the management of cybersecurity risk.”
Staffing cybersecurity roles has received a lot of attention lately. The Wall Street Journal in its article, “Where The Jobs Are: Cybersecurity,”[4] interviewed a panel of experts on cybersecurity hiring. Theresa Payton, president and chief executive of Fortalice Solutions and former White House chief information officer, offered this response about how to fill these roles.
“You need different kinds of résumés, and in some cases, they’re not going to have college degrees. There’s classically trained and then there’s dynamic and scrappily trained. And both of those are a good mix to have on the team,” Payton said.
Another panelist, Jennifer Steffens, CEO of IOActive Inc., added: “We’re looking for the persona, the passion, the broad talent. We lovingly in our world call it the ‘evil bit.’ People need to think like an attacker. They need to be able to understand the threats that are coming, but then have that big heart, huge moral compass to want to be on the good side,” Steffens said.
Taking cues from people who have been on the other side of the line (e.g., hackers) can be instructive for companies. Some of the most effective best practices have been developed based on feedback from those who have successfully infiltrated organizations’ IT systems.
That same Black Hat 2017 Hacker survey referenced earlier in this blog also contains information from hackers on the “toughest to beat” technologies. The technologies they considered the toughest to beat include Multi-Factor Authentication (38%) and Encryption (32%), with endpoint protection and intrusion prevention far behind at 8% and 5% respectively.
IMA® (Institute of Management Accountants), in partnership with Association of Chartered Certified Accountants (ACCA), has also conducted its own research on applying cybersecurity best practices to organizational risk management. “Cybersecurity – Fighting Crime’s Enfant Terrible” looks specifically at how accounting professionals are well-positioned to protect against cybersecurity threats.
For instance, in regards to cyber insurance which can mitigate some of these risks, accounting professionals can help their organization adopt this insurance (which has yet to be widely utilized) by making sure that the business fully understands the requirements of the policy and complies with them.
One of the hurdles in fighting cybercrimes is a lack of information about their motives, tactics, and technical means. As the IMA/ACCA report notes, there is no authoritative resource for companies to obtain up-to-date information about crimes when they are committed.
Information-sharing services exist to fill these gaps. In the U.S., InfraGard and the National Cyber Security Alliance (NCSA) are two such services. But as The New York Times[5] reports, there are many factors to weigh before deciding whether or not to disclose an attack.
The evolving landscape of cybercrime is one of the most pressing problems CFOs face, but also the one where they have the greatest chance of saving the day. Michael Castelluccio, the technology editor for Strategic Finance and author of SF Technotes blog, recently wrote about the visual tools now available for CFOs to better communicate the impact of cyber risk. Indeed it is now the CFO who must step up to the plate in safeguarding their organizations from cybercrime. As Ramona Dzinkowski, Canadian economist and business journalist, wrote recently in Strategic Finance, “In a world where the ever-evolving global economy requires the CFO to wear a multitude of hats, there’s another one to add to the rack: ‘cyber CFO.’”
So I say to CFOs, “Keep your capes handy.”
1. “Black Hat Hacker Survey 2017,” downloaded from https://thycotic.com/resources/black-hat-2017-survey/
2. “The Hacks That Left Us Exposed in 2017,” CNN.com, December 20, 2017
3. “Risk Managers Less Confident About Newer Risks, Cybersecurity: Global Survey,” The Wall Street Journal, May 16, 2017
4. “Where The Jobs Are: Cybersecurity,” The Wall Street Journal, December 18, 2017
5. “When to Report a Cyberattack? For Companies, That’s Still a Dilemma,” The New York Times, March 5, 2018