The Fluid CFO: Adapting to the Evolution of Cybersecurity

Alan Levine, Security Advisor to Wombat Security, a division of Proofpoint 

While many may see the role of the Chief Financial Officer as relatively static, today this couldn’t be further from the truth. The role of the CFO has in fact been constantly developing over the last twenty years, with one of the catalysts for this change being digital transformation. This is partly because many of the tasks that have traditionally been attributed to the CFO, such as producing and analysing financial statements, have now largely been automated. Because of this, the CFO’s role is now more strategic. Naturally, CFOs must have complete control over the business’s finances, ensuring constant growth and minimising loss. Furthermore, they must also be adhering to an increasing number of stringent regulatory requirements and must protect against all manner of risks. 

The Modern, Multi-tasking CFO

Effectively, the CFO’s role has expanded to include a number of other important business facets aside from simply crunching numbers. In fact, Deloitte has commented on the changing nature of the CFO’s role and has argued that there are now ‘four faces’ that they are expected to reflect; the steward, the operator, the strategist and the catalyst. The steward, “…preserv[es] the assets of the organisation by minimising risk and getting the books right,” and the operator, “…run[s] a tight finance operation that is efficient and effective”.These encompass the CFOs traditional roles. Additional are the two more dynamic ‘faces’ which require the CFO to “…shape overall strategy and direction,” as a strategist and instil “…a financial approach and mindset throughout the organisation,” as a catalyst.

As strategists, the modern CFO therefore has a role to play across multiple business departments, including security. Cybersecurity needs to become a high priority for the CFO, particularly as cyberattacks have become much more costly due to the growth of ransomware. Furthermore, on a departmental level, the finance department holds a wealth of sensitive data that cybercriminals would love to get their hands on. It is therefore the CFO’s responsibility to advise other board members, as well as the entirety of the organisation, on the potential financial impact of cybercrime and ensure that funds are allocated for preventing and containing incidents. Frankly, it’s impossible to argue that cybercrime isn’t a financial concern. Verizon’s 2018 Data Breach Investigations Report(DBIR) found that 76% of the breaches were financially motivated and scams, such as business email compromise (BEC), strike directly at the heart of the balance sheet.

 Cybercrime: One Man’s Loss is Another Man’s Gain 

Cybercrime is a booming business. A recent independent research study commissioned by Bromium revealed that global cybercrime generates (conservatively)$1.5 trillion a year in revenue.

They noted that, “If cybercrime was a country it would have the 13th highest GDP in the world.” It has now been predicted that the cost of global cybercrime damage will reach $6 trillion annually by 2021.

Verizon’s DBIR also revealed that phishing attacks and pretexting(in which cybercriminals pose as trusted contacts in order to gather information and/or lay a trap for unsuspecting employees)represents 98% of social cyber-incidents and causes93% of data breaches. Importantly, the report identified that finance and HRare the departments most likelyto be targeted in pretexting attacks, which can often result in the execution of fraudulent wire transfers. With financial teams being a particular target, it is critical that CFOsare part of the team responsible foraddressing the real business risks ofcybercrime. They must also be given the appropriate training to be able to identify and mitigate risks; this training must also go out to their teams, with a particular focus on identifying threats pertinent to them, such as Business Email Compromise (BEC)

The Growing Threat of Business Email Compromise (BEC) 

BEC in particular is a growing threat targeting organisations of all sizes around the globe. Last year, the FBI identified BEC as a ‘hot topic’ that businesses needed to be made more aware of.  And, last year alone, they identified more than 15,690 BEC incidents, resulting in a loss of over $675million.

The Internet Crime Complaint Centre (IC3) has identified the five main BEC scenarios by which this scam is executed. A cybercriminal can spoof an invoice request from a foreign supplier and trick businesses into completing a fraudulent wire transfer; a hacked or spoofed email account of a business can initiate a request for a wire transfer(this is also referred to as ‘CEO fraud’); a business contact or customer can receive a fraudulent correspondence with requests for invoice payments from a compromised email;a cybercriminal can impersonate trusted individuals, such as lawyers, and request outstanding or time sensitive invoices to be paid; lastly, a criminal can make fraudulent requests for employees’ tax identifiers or other personally identifiable information (PII).

As can be noted from the above, these tailored attacks are often multi-faceted, mixing phone, fax and email communications. Cybercriminals are experts in social engineering and will also execute these scams over an extended time period in order to establish a basis of trust with the target, meaning their attacks are more likely to be a success. For example, criminal group Gold Galleontargetedglobal maritime businesses and related companies with a BEC campaign that utilised fraudulent invoices and financial documents. Gold Galleon attempted to steal $4million over a seven-month span using fraudulent invoice requests but were foiled just in time by security experts.

In order to combat this threat to the finance team, CFOs should regularly examine policies and procedures within their downlines and tighten up any potential weaknesses. Something as simple as requiring voice-to-voice confirmation with a known individual prior to executing a wire transfer can help to identify and stop a BEC attack. CFOsmust be willing to go through the formal steps to prove their identities as well, becauseit is often high-level executives that are being impersonated via email in order to secure these payments.

Lights, Camera, ACTION …What Steps Can a CFO Take? 

The growing cyber threatapplies to the entirety of the C-Suite, and the CFO should encourage fellow C-Level executives to also take an in-depth interest. A top-down cybersecurity culture that has senior management leading by example can play a significant role in mitigating against the risk ofsocial engineering–driven fraud. CFOs should have a detailed understanding of how the security budget is spent andshould proactively reach across the aisle and develop a good working relationship with the CISOs, CSOs, and other cybersecurity “spenders” in their organisations. Cybercrime is not just a concern for cybersecurity professionals – it most certainly affects the finance team, and the organisation in its entirety.

As the role of the CFO evolves so must their willingness to accept accountability for their roles in implementing a businesses’ security defences. As a prime target of attackers, the CFO needs to become a cybersecurity stakeholder, advocate and champion, as ultimately this will benefit the security and finances of the organisation a whole.

Alan Levine, Security Advisor to Wombat Security, a division of Proofpoint 

While many may see the role of the Chief Financial Officer as relatively static, today this couldn’t be further from the truth. The role of the CFO has in fact been constantly developing over the last twenty years, with one of the catalysts for this change being digital transformation. This is partly because many of the tasks that have traditionally been attributed to the CFO, such as producing and analysing financial statements, have now largely been automated. Because of this, the CFO’s role is now more strategic. Naturally, CFOs must have complete control over the business’s finances, ensuring constant growth and minimising loss. Furthermore, they must also be adhering to an increasing number of stringent regulatory requirements and must protect against all manner of risks. 

The Modern, Multi-tasking CFO

Effectively, the CFO’s role has expanded to include a number of other important business facets aside from simply crunching numbers. In fact, Deloitte has commented on the changing nature of the CFO’s role and has argued that there are now ‘four faces’ that they are expected to reflect; the steward, the operator, the strategist and the catalyst. The steward, “…preserv[es] the assets of the organisation by minimising risk and getting the books right,” and the operator, “…run[s] a tight finance operation that is efficient and effective”.These encompass the CFOs traditional roles. Additional are the two more dynamic ‘faces’ which require the CFO to “…shape overall strategy and direction,” as a strategist and instil “…a financial approach and mindset throughout the organisation,” as a catalyst.

As strategists, the modern CFO therefore has a role to play across multiple business departments, including security. Cybersecurity needs to become a high priority for the CFO, particularly as cyberattacks have become much more costly due to the growth of ransomware. Furthermore, on a departmental level, the finance department holds a wealth of sensitive data that cybercriminals would love to get their hands on. It is therefore the CFO’s responsibility to advise other board members, as well as the entirety of the organisation, on the potential financial impact of cybercrime and ensure that funds are allocated for preventing and containing incidents. Frankly, it’s impossible to argue that cybercrime isn’t a financial concern. Verizon’s 2018 Data Breach Investigations Report(DBIR) found that 76% of the breaches were financially motivated and scams, such as business email compromise (BEC), strike directly at the heart of the balance sheet.

 Cybercrime: One Man’s Loss is Another Man’s Gain 

Cybercrime is a booming business. A recent independent research study commissioned by Bromium revealed that global cybercrime generates (conservatively)$1.5 trillion a year in revenue.

They noted that, “If cybercrime was a country it would have the 13th highest GDP in the world.” It has now been predicted that the cost of global cybercrime damage will reach $6 trillion annually by 2021.

Verizon’s DBIR also revealed that phishing attacks and pretexting(in which cybercriminals pose as trusted contacts in order to gather information and/or lay a trap for unsuspecting employees)represents 98% of social cyber-incidents and causes93% of data breaches. Importantly, the report identified that finance and HRare the departments most likelyto be targeted in pretexting attacks, which can often result in the execution of fraudulent wire transfers. With financial teams being a particular target, it is critical that CFOsare part of the team responsible foraddressing the real business risks ofcybercrime. They must also be given the appropriate training to be able to identify and mitigate risks; this training must also go out to their teams, with a particular focus on identifying threats pertinent to them, such as Business Email Compromise (BEC)

The Growing Threat of Business Email Compromise (BEC) 

BEC in particular is a growing threat targeting organisations of all sizes around the globe. Last year, the FBI identified BEC as a ‘hot topic’ that businesses needed to be made more aware of.  And, last year alone, they identified more than 15,690 BEC incidents, resulting in a loss of over $675million.

The Internet Crime Complaint Centre (IC3) has identified the five main BEC scenarios by which this scam is executed. A cybercriminal can spoof an invoice request from a foreign supplier and trick businesses into completing a fraudulent wire transfer; a hacked or spoofed email account of a business can initiate a request for a wire transfer(this is also referred to as ‘CEO fraud’); a business contact or customer can receive a fraudulent correspondence with requests for invoice payments from a compromised email;a cybercriminal can impersonate trusted individuals, such as lawyers, and request outstanding or time sensitive invoices to be paid; lastly, a criminal can make fraudulent requests for employees’ tax identifiers or other personally identifiable information (PII).

As can be noted from the above, these tailored attacks are often multi-faceted, mixing phone, fax and email communications. Cybercriminals are experts in social engineering and will also execute these scams over an extended time period in order to establish a basis of trust with the target, meaning their attacks are more likely to be a success. For example, criminal group Gold Galleontargetedglobal maritime businesses and related companies with a BEC campaign that utilised fraudulent invoices and financial documents. Gold Galleon attempted to steal $4million over a seven-month span using fraudulent invoice requests but were foiled just in time by security experts.

In order to combat this threat to the finance team, CFOs should regularly examine policies and procedures within their downlines and tighten up any potential weaknesses. Something as simple as requiring voice-to-voice confirmation with a known individual prior to executing a wire transfer can help to identify and stop a BEC attack. CFOsmust be willing to go through the formal steps to prove their identities as well, becauseit is often high-level executives that are being impersonated via email in order to secure these payments.

Lights, Camera, ACTION …What Steps Can a CFO Take? 

The growing cyber threatapplies to the entirety of the C-Suite, and the CFO should encourage fellow C-Level executives to also take an in-depth interest. A top-down cybersecurity culture that has senior management leading by example can play a significant role in mitigating against the risk ofsocial engineering–driven fraud. CFOs should have a detailed understanding of how the security budget is spent andshould proactively reach across the aisle and develop a good working relationship with the CISOs, CSOs, and other cybersecurity “spenders” in their organisations. Cybercrime is not just a concern for cybersecurity professionals – it most certainly affects the finance team, and the organisation in its entirety.

As the role of the CFO evolves so must their willingness to accept accountability for their roles in implementing a businesses’ security defences. As a prime target of attackers, the CFO needs to become a cybersecurity stakeholder, advocate and champion, as ultimately this will benefit the security and finances of the organisation a whole.