CFOs often perceive cybersecurity to be the responsibility of IT, but as more finance processes run remotely, CFOs need to develop security measures specifically for the finance function and not rely solely on the organization’s blanket security protocols to safeguard financial data.
A recent Gartner CFO Survey found that nearly 3 out of 4 CFOs intended to shift at least 5% of their previously on-site staff to permanently remote roles post-COVID-19. Many finance processes are already running remotely, and they incorporate some of the most sensitive data within an organization, including customer and supplier financial data.
“CFOs should neither ignore these fresh vulnerabilities nor go it alone,” says Alexander Bant, Practice Vice President, Gartner. “CFOs especially need to collaborate with both IT and risk managers to make sure new cybersecurity risks stemming from the adoption of remote work don’t outpace the policies designed to protect vulnerable data.”
Common cybersecurity risks for finance
When collaborating with IT security and risk teams, CFOs should prioritize the financial data and systems that are most critical to the business to ensure that those processes are protected. The most common threats to guard against include:
- Phishing attacks: Attempts to trick employees into giving up sensitive financial information, typically by email, though variants also use voice calls and SMS messages.
- Malware: The general term for any malicious software, file or program intended to harm or disrupt a computer or the data on it.
- Data leakage: This threat arises when finance staff access databases from many different devices (laptops, mobile phones, tablets, personal computers) and over connections such as home Wi-Fi.
A cross-functional approach will also help CFOs with accurate scenario planning, as they can discuss all possible cybersecurity risks with these expert teams.
Cybersecurity checklist for CFOs
Gartner recommends a simple three-step framework to prioritize the key objectives of a comprehensive cybersecurity strategy to safeguard finance processes and data.
Step 1: Realize
Develop policies and guidelines that identify the areas in finance processes most vulnerable to attack or the areas most likely to be intriguing to criminals. The main objective is to minimize the possibility of a successful cyberattack.
A sample mitigation tactic would be to identify key financial data assets and software applications (e.g., cloud finance solutions) and their relative vulnerability.
Step 2: Respond
Clarify the plan of action by highlighting roles and responsibilities in the case of a successful breach of financial data. Highlight the quickest possible resolution(s) when the organization faces a cyberattack.
A plan objective might be to designate a point of contact to whom all finance employees can report any cyberattack instances and a “first responder” in finance, e.g., the chief accounting officer, to analyze the exact financial impact of the attack.
Step 3: Review
Set governance policies that encourage regular check-ins on the health of the cybersecurity measures in place for finance processes to make sure the organization remains prepared for evolving threats to its financial data and for new workplace realities.
One plan objective might be to create a cross-functional team from finance, IT and risk/audit that submits regular reports on the state of financial data security.