Cybersecurity for CFOs
Protecting Financial Data: Cybersecurity Considerations for 2024
Far from being just a niche concern for your IT department, cybersecurity is everyone’s business. This is especially true for finance leaders, not least because the operational, financial, and reputational consequences of a major data breach will inevitably land in your lap.
Is your business doing enough to safeguard financial data? What cyber considerations need to be front of mind when you introduce new workflows and technologies to aid finance transformation? As we move into 2024, here are the areas you need to get on top of…
Risks and repercussions: cybersecurity and financial data
Recent statistics suggest that the volume of cyber-attacks is increasing. The consequences of a breach are also becoming more severe. To illustrate this, here’s a snapshot of the current data protection and cybersecurity landscape:
Cyber-attacks are becoming more prevalent. According to SonicWall, there were 6.3 trillion intrusion attempts globally in 2022 alone. Check Point Research (CPR) reported a 38% year-on-year increase in the global volume of attacks in 2022.
This broad trend is expected to continue, as the ransomware statistics show (ransomware being the class of attack in which threat actors encrypt or block access to data and systems, and increasingly also steal the data, to extort money from their victims). In 2021, it was estimated that an organisation somewhere fell victim to a ransomware attack every 11 seconds. By 2031, the same forecast predicts an attack on an individual, business or device every two seconds.
Financial data is particularly prone to exploitation. The vast majority (95%) of security breaches are financially motivated, and around 65% of threat actors are thought to be linked to organised crime. According to IBM, customer personally identifiable information (PII, which includes personal financial data) was the most commonly breached record type in 2023, featuring in 52% of all breaches.
Data breaches are increasingly costly for your business. In 2023, the global average cost of a data breach was USD 4.45 million, a 15% increase over the preceding three years. Of all data categories, customer PII costs businesses the most when breached: USD 183 per record on average. 84% of businesses hit by ransomware report lost revenue, and around 40% lay off employees as a result.
Building a culture of security in finance
More than a third of all data breaches involve phishing, whereby criminals use fake messages (usually emails) to dupe users into downloading malware, giving away credentials or other information, or executing fraudulent transactions such as paying a doctored invoice.
This helps explain why even the world’s largest and best-resourced enterprises still suffer catastrophic security events. Your business may already have firewalls, intrusion detection, anti-malware software, and a host of other controls in place. But if an unsuspecting employee clicks a malicious link, types their password into a lookalike login page, or downloads something they shouldn’t, those perimeter controls count for little.
The finance function is seen not only as the financial gatekeeper but also as the place where a great deal of sensitive, exploitable data resides. As such, your finance team is a particularly attractive target for phishing scammers. This includes so-called ‘spear phishing’ and ‘whaling’ attacks, in which criminals deliberately identify and target specific insiders (in the case of whaling, senior executives) with heavily personalised, and often very convincing, fake messages: an urgent request to change a supplier’s bank details, apparently sent by the CEO, is a classic example.
Action Points for Finance Leaders
It can be easy to regard cybersecurity as “not my domain”, or “something the IT people take care of”. Your team members have almost certainly been given the company’s acceptable-use policies. But to what extent is there a culture of compliance, and how much oversight do you provide?
Individuals tend to be the weak point in the cybersecurity chain. You can mitigate this with effective, relevant security training, including, for instance, phishing simulations that replicate real-world attacks. Training should be backed by process controls that do not rely on vigilance alone, such as a call-back to a known number before any change to supplier payment details is actioned, and dual approval for payments above a set threshold. You can only build a culture of security compliance if your team members are fully aware of what’s expected of them, and why it matters.
Hardwiring security into your finance transformation strategy
One current and ongoing area of focus for Millennium Consulting is helping its Unit4 Financials by Coda customers to transition from an on-premises to a Cloud-based software instance. These customers are already benefiting from Cloud deployment, including quicker access to new functionality, easier maintenance, and a lower cost of ownership.
For many finance departments, a shift to the Cloud is just one element of a wider transformation strategy. Initiatives such as automating core processes and adopting advanced analytics have obvious benefits in terms of boosting your decision-making capabilities and staying ahead of the competition.
However, it is also worth bearing in mind that your finance transformation will have inevitable consequences for both cybersecurity and data protection. Moving to the Cloud does not move the responsibility with it: the provider secures the underlying platform, but your organisation remains responsible for who can access the data, how the service is configured, and where the data is stored and transferred. So if you are shifting sensitive financial data to the Cloud, can you still demonstrate that your compliance obligations governing data storage and transfer are being met? To what extent will new tools and changes to your data architecture (particularly around data integration) alter your exposure to cyber-attacks?
Action Points for Finance Leaders
Let’s say you are weighing up a range of software vendors and deployment options as part of a process optimisation initiative. You’re focused on the essentials (functionality, ease of integration and, of course, cost). But where does cybersecurity fit in the decision-making process?
Security considerations need to be part of your deliberations right from the outset, rather than something your IT team thinks about after procurement decisions have been made.
Some initiatives, such as increased data integration and the shift to the Cloud, may require your technical team to work in areas of cybersecurity they are unfamiliar with (identity and access management across several cloud services, for example, or securing the integration points through which financial data now flows). What will be required in designing and implementing a robust security architecture for your new Cloud environment? What additional skills will you need to bring on board, and what are the likely costs involved?
External expertise can be highly valuable, both for making ‘secure-by-design’ procurement decisions, and for implementing the changes necessary to secure your new environment.
Maintaining visibility across a complex IT ecosystem
Both in finance and across the wider business, one of the longer-term consequences of the pandemic is that many employees have much greater leeway in when and where work gets done.
Following on from this, Gartner has recently picked up on a trend it calls “radical flexibility”. In other words, employees in 2024 often crave much greater flexibility in deciding how work gets done, including their choice of tools for the task at hand.
So, what might this mean for keeping financial data secure?
Well let’s say one of the finance teams needs a better way to visualise and present some data, or a tool to manage a new regulatory requirement. A decade or so ago, this would probably have meant contacting their manager. A solution would be sourced; IT would then check that it’s safe before installing and configuring it.
Fast forward to the present, and an employee can bypass these steps altogether. They have an issue; they find something suitable on the app store, sign up using the company’s details (often granting the app access to their company account in the process) – and the problem is solved.
This gives rise to the issue of shadow IT: software or other assets added to an enterprise network without IT knowledge, approval, or proper oversight.
This can be wasteful, with multiple employees potentially signing up for the same or very similar tools (one estimate suggests that the average enterprise wastes over £105,000 annually on duplicate or unnecessary licence spending). It also gives rise to multiple security and governance risks. Assets from untrusted, or even malicious, sources can easily find their way into your network, and sensitive data can end up being processed, stored, or exposed in a vendor’s environment that sits outside your access controls, backups, and retention rules, which significantly increases the chance of a serious data breach. An app that was granted access to a company account also keeps that access until someone revokes it, including after the employee who set it up has left.
Action Points for Finance Leaders
In part, the potential risks associated with shadow IT can be mitigated (once again) with comprehensive employee training, including clear policies against the use of unauthorised apps across your network. Policy alone will not catch every case, so it should be accompanied by technical controls and IT asset management processes: single sign-on so that IT can see which applications staff actually log into, restrictions on which third-party apps can be granted access to company accounts, and licence management tools, so that IT can maintain a clear and complete view of the applications in play across your IT environment.
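The reconciliation step the paragraph above describes, turned into a small triage script, as an added example that is not part of the original article or of Millennium Consulting’s tooling. It assumes IT can export a list of third-party app sign-ups or account-access grants (user, app, category, permissions granted) from the identity provider or a cloud access security broker, and keeps an IT-maintained list of sanctioned applications; the sample events, app names, field layout and permission risk weights are all constructed for illustration.

```python
"""Shadow-IT triage over constructed third-party app sign-up events.

Assumptions (not from the original article): the export format below, the
sanctioned-app list, and the risk weights attached to each permission.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export (not real data).
# Each line: timestamp,user,app,category,permissions (';'-separated)
SAMPLE_EVENTS = """\
2024-01-08T09:12:03Z,a.khan@example.com,ChartMagic,visualisation,files.read;offline_access
2024-01-08T10:41:55Z,b.lee@example.com,ChartMagic,visualisation,files.read
2024-01-09T14:02:10Z,c.ortiz@example.com,PlotBoard,visualisation,files.readwrite.all;offline_access
2024-01-09T16:20:44Z,d.chen@example.com,Unit4 Financials by Coda,erp,files.read
2024-01-10T08:05:31Z,e.novak@example.com,QuickLeaseCalc,regulatory,mail.read;files.readwrite.all
"""

# Apps IT has approved (assumed list).
SANCTIONED_APPS = {"Unit4 Financials by Coda", "Microsoft 365"}

# Assumed risk weights: broad read/write of company files and mailbox access
# weigh most; offline_access means the app keeps a token after the user logs out.
SCOPE_RISK = {
    "files.readwrite.all": 3,
    "mail.read": 2,
    "offline_access": 1,
    "files.read": 1,
}


@dataclass(frozen=True)
class Event:
    timestamp: str
    user: str
    app: str
    category: str
    scopes: frozenset


def parse_events(text: str) -> list:
    """Parse the export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, app, category, scopes = line.split(",", 4)
        events.append(Event(timestamp, user, app, category,
                            frozenset(s for s in scopes.split(";") if s)))
    return events


def scope_risk(scopes) -> int:
    """Sum the assumed weight of each permission; unknown permissions count 1."""
    return sum(SCOPE_RISK.get(s, 1) for s in scopes)


def find_unsanctioned(events, sanctioned=SANCTIONED_APPS) -> dict:
    """Group sign-ups to apps not on the sanctioned list: who uses each app,
    the union of permissions it has been granted, and a risk score."""
    findings = defaultdict(lambda: {"users": set(), "scopes": set(), "category": None})
    for ev in events:
        if ev.app in sanctioned:
            continue
        f = findings[ev.app]
        f["users"].add(ev.user)
        f["scopes"] |= ev.scopes
        f["category"] = ev.category
    for f in findings.values():
        f["risk"] = scope_risk(f["scopes"])
    return dict(findings)


def find_duplicates(events) -> dict:
    """Categories in which more than one distinct app is in use (licence-waste signal)."""
    by_cat = defaultdict(set)
    for ev in events:
        by_cat[ev.category].add(ev.app)
    return {cat: apps for cat, apps in by_cat.items() if len(apps) > 1}


def triage(events):
    """Unsanctioned apps ordered by risk (highest first), plus duplicate categories."""
    findings = find_unsanctioned(events)
    ranked = sorted(findings.items(), key=lambda kv: (-kv[1]["risk"], kv[0]))
    return ranked, find_duplicates(events)


if __name__ == "__main__":
    ranked, dupes = triage(parse_events(SAMPLE_EVENTS))
    for app, f in ranked:
        print(f"{app:20} risk={f['risk']} users={len(f['users'])} "
              f"scopes={sorted(f['scopes'])}")
    for cat, apps in dupes.items():
        print(f"duplicate tooling in '{cat}': {sorted(apps)}")
```

The ordering matters more than the absolute numbers: an unapproved tool that has been granted write access to all company files and a persistent token is the one to review first, while two teams paying for two charting tools is a cost conversation rather than an incident.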
Alongside this, if you want to prevent employees using unsanctioned workarounds for business-related problems, finance leaders need to ensure that employees have the right tools for the job. For instance, are you still relying on unwieldy legacy technologies for close & consolidation and other time-consuming tasks? Are there better ways to handle new IFRS requirements? Is there a user-friendly solution out there for visualising data?
If you can address these types of problems, the need for employees to resort to shadow applications is effectively removed.
What next? Making the right choices for safeguarding your data
There is no quick fix for eliminating cybersecurity risk. The right mindset to adopt is often described as the “assumed breach” stance. In essence, this involves acknowledging that a breach will happen at some point, and putting measures in place so that when it does, it is detected quickly, contained before it reaches your most sensitive financial data, and recoverable from backups you have actually tested.
So what measures are appropriate for your business? This is where Millennium Consulting can help. Combining expertise in both cybersecurity and finance transformation, our consultants can review your existing processes, identify your weak points, fill in any skills gaps you may have, and ensure the implementation of a cybersecurity framework that’s tailored to your specific needs.