CFOs and cybersecurity: The profession's big blindspot
Finance leaders remain unaware of the cybersecurity threat and have not taken effective leadership on protecting their organisations, according to a new report by the ACCA.
Barely a day goes by now, it seems, without news of a hack or a leak. In general, the cyber risk to businesses in the UK remains enormous. Two in five businesses have been subject to some kind of cybercrime, according to the government’s Cyber Security Breaches Survey.
Business email compromise scams, in particular, have caused havoc, with cybercriminals hacking a company’s network and masquerading as a senior figure at an organisation with the aim of stealing money or sensitive information. Recently, criminals ripped off an American Catholic diocese to the tune of $1.75m.
Indeed, the ACCA’s new report Cyber and the CFO indicates the cybersecurity threat has hit home among finance leaders. Almost 60% of the 1500 CFOs and finance leaders surveyed by the ACCA ranked the cyber threat as the most important or a top five business risk.
But awareness and anxiety did not translate into a proactive approach. The report found that a third of respondents did not know whether their organisations had been the subject of a cyber attack. Few survey responses exhibited a recovery plan that included much beyond the hardware.
More worrying to the report’s author, Clive Webb, the ACCA’s head of business management, over 20% of finance professionals admitted they had no involvement whatsoever in cybersecurity within their company.
Leaving cybersecurity to your IT department is no longer enough, Webb told AccountingWEB. “In the traditional view, if you stuck a virus protector on a computer and you had a disaster recovery programme, you were fine, but that’s not the case anymore,” he said.
“The nature of the risk is multifaceted now. It’s operational, it’s financial, it’s reputational -- it can have a real impact and you’re talking about taking down devices that deliver the services that the organisation provides.
“As a leader, you need to be attuned to what business risks are. You’ve got to be sufficiently literate on what the nature of the risk is. You can’t just leave it to someone else and hope it goes away.”
In the report, Webb points to the myriad devices now used to connect to the business. Employees often use personal devices not designed with security in mind, sometimes on unsecured networks.
It’s wider than just employees, however. Modern businesses work with a whole chain of organisations, and the weakest point is where the organisation interacts with someone else.
“But when we asked people to what degree people audited their supply chains, very few actually took a proactive approach,” Webb said. “The range of weak points is far greater than most organisations think.”
“There seems to be a lack of awareness of the connected world in which business is undertaken now. It’s a broader risk. It’s the organisations you work with, it’s a range of devices you attach to your network. It’s a risk that’s evolving and changing. People aren’t aware of the connectivity and the nature of the threat is fundamental to the weakness.”
What’s new, as well, is the speed at which an attack develops once a breach occurs. “The response time is now measurable in minutes, not days. That requires you to have plans to help mitigate those effects. Yes, invest in things like cyber insurance but they are not a panacea. Lead from the front when it comes to business risk.”
“The weakest point is always the human part. Finance leaders, if you take it seriously, if you talk about it in a serious manner, others will follow you. If you don’t pay attention to it, if you don’t understand it, others will follow suit, too.”