The following is a contributed article from Anup Singh, CFO of Illumio. Opinions expressed are author's own.
Damage costs from global ransomware attacks will hit a staggering $11.5 billion this year, according to Cybersecurity Ventures, a research company. The cost to organizations just for the downtime an attack causes is $55,000 on average, InCare Technologies reports.
These costs make it imperative that you, as CFO, assume a lead role in managing technologies that ensure the integrity of your organization’s data — all of it, not just financial data.
Cybersecurity is not just a CIO concern. The onus is on you to understand the security implications of disruptive technology trends like big data, digital transformation, and hybrid cloud environments and how to comply with data security and privacy regulations like the EU’s General Data Protection Regulation.
The fact is, in many instances regulatory compliance ultimately falls on you, because you oversee duties related to optimizing shareholder value and meeting earnings expectations. What’s more, the Sarbanes-Oxley Act of 2002 increased audit report standards, putting compliance with securities laws directly in your hands.
This escalation of cybersecurity in scope and costs has made it a board level issue, too. Depending on how your organization is structured, that can mean you’re the person to report on how the risks are being managed.
At the same time, it often falls to the CFO to lead the organization-wide cultural transformation that true cybersecurity requires. Employees have to be the first line of defense against ransomware and other types of attacks, because firewalls and other protective measures can only do so much. Each employee is an entry point for ransomware if they can’t recognize phishing and the other ways your systems can be breached.
Security is now part of the job
I have personally experienced an evolution in my role as a CFO, and today it’s part of my job to bridge the gap between business and technology, including cybersecurity. Although the role of the CFO isn’t traditionally rooted in knowing the ins and outs of technology, you should be asking yourself about your role in thwarting attacks on your systems. Where do you even start?
Here are three steps I’ve taken, and I think they provide a starting point for you if you’re just beginning to consider your role in this new environment.
1. Envisioning the worst is actually the best
Several organizations have started adopting an assume-breach mentality: shoring up your network’s defenses while simultaneously having a plan in place for when a malicious actor gets inside your network. When you assume a breach, it’s a matter of when, not if.
This is a significant shift from past approaches to protecting your organization’s crown jewels — its high-value assets. Depending on your industry, you’ll have different types of data that are considered your most valuable. It could be research if you’re a biotech company, patients’ health information if you’re a hospital, or customers’ financial information if you’re a bank.
2. Spending is only as good as the spender
Whether you’re directly responsible for the IT reins or not, you must understand the ins and outs of cybersecurity technology. If you have a CISO who isn’t communicating effectively with you, for example, you could be underspending on critical security measures, potentially leading to a breach. There needs to be complete, open communication among all players, especially in the C-suite, so you’re informed about what cybersecurity technologies are out there, which are best for your organization, and how your finances can be affected.
You can’t rely on your colleagues to do this. Put it front and center in discussions around business strategy. Whether it’s opening a new data center, implementing a cloud migration project, or making an acquisition, you have to elevate the cybersecurity element.
3. Investing in education is crucial
Awareness can make all the difference when it comes to cybersecurity and mitigating the risk of a ransomware attack. It’s twofold: on the one hand, CFOs must have a solid understanding of potential security strategies, how the latest technology will protect a company’s high-value assets, and what to do if a ransom is demanded. On the other, there’s an obligation to ensure that all employees are educated on red flags and risky behavior. That means you should make cybersecurity a recurring topic through regular meetings, workshops, tutorials, seminars, and the like. And since ransomware is often spread through phishing emails, awareness means sharing with employees tools that are already out there, like this 8-part quiz from Jigsaw. Take it yourself; you might be surprised by the results.
There are claims that ransomware is on the decline. Don’t be complacent. Recent high-profile reports, especially involving cities and towns as well as healthcare organizations, tell a different story.
To all of my fellow CFOs out there, understanding cybersecurity technologies, solutions, and strategies couldn’t be more vital to your role in the C-suite and across your entire organization. You must communicate, educate, and plan now to mitigate risk for tomorrow. Failure to do so can be costly.