
5 cybersecurity threats CFOs should look out for

CFOs play a big role in helping to ensure their organizations are prepared to defend against cyberattacks. That includes being up to speed on the latest and most significant threats and risks and the solutions to mitigate them. 

“The role of CFOs in cybersecurity governance is becoming increasingly prominent, both in public and private companies,” said Sameer Ansari, global security and privacy lead at global consulting firm Protiviti.

“This shift is driven in part, for the public companies, by new SEC rules requiring prompt information disclosure about material cybersecurity incidents and cyber risk management approaches,” Ansari said. “CFOs need to understand how specific cyber threats could lead to financial losses, damage customer trust and the organization’s brand, and impact investors.”

Here are five of the most prominent and potentially damaging threats businesses are facing.

1. Supply chain attacks

Companies are making supply chain cybersecurity a priority as threats increase. The supply chain security market was valued at $2.1 billion in 2023 and is estimated to expand at a compound annual growth rate of about 10% between 2024 and 2032, according to market research and management consulting company Global Market Insights. 

Rising cyber threats and increasing regulatory pressures are driving investment in advanced security solutions, according to the firm. The growing complexity of global supply chains necessitates enhanced visibility and risk management, it said. 

“Supply chain attacks target less secure elements in an organization’s supply chain to gain access to more secure environments,” Ansari said. Companies need to conduct regular security reviews of their key suppliers and third-party vendors, he said.

“Identify alternatives to key supply chain partners and evaluate the feasibility of in-sourcing processes if a key supplier is compromised,” Ansari said. “Implement appropriate access controls and monitoring for third-party access to your systems.”

2. Business email compromise (BEC)

BEC remains one of the most common means of social engineering exploitation, according to Joe Shusko, principal in the cybersecurity practice at advisory, tax and assurance firm Baker Tilly.

“We’re seeing a significant increase in the sophistication of these attacks,” thanks largely to artificial intelligence capabilities, Shusko said.

To counter BEC, “organizations must adopt a skeptical-first approach and focus on continuously educating their workforce, not just through yearly training but with ongoing micro-training sessions,” Shusko said. “Implementing a sophisticated fake phishing email campaign can help identify training gaps.”

In addition, areas with high fraud risk, such as payables and payroll, should have strict controls such as call-back procedures to authenticate transactions before processing, Shusko said.

3. Ransomware attacks

Costly ransomware attacks continue to plague organizations, as cyber criminals create more sophisticated, malicious software to encrypt victims’ files until a ransom is paid.

“These attacks can disrupt operations, lead to loss of sensitive data and incur heavy ransom payments,” Ansari said.

With most cybercrime being financially motivated, ransomware remains a prevalent and common means of attacking organizations, Shusko said. 

“It’s not a question of if you will be attacked, but when,” Shusko said. “On the dark web, criminals are offering their services in a business-like approach, leading to the rise of creative attack methods such as ransomware-as-a-service. This gives attackers, even novices, access to sophisticated tools and schemes, increasing their chances of success.”

A possible mitigation strategy for ransomware is to implement resiliency programs that identify critical data processes and systems, ensuring operations can quickly resume if key systems are down, Ansari said. “Utilize advanced threat detection tools to identify and isolate threats before they can cause damage.” 

4. Insider threats

Insider threats from current or former employees, contractors, vendors or other supply chain partners can result in significant damage, given these users’ knowledge of and access to internal systems and data.

To help mitigate these types of threats, companies should implement role-based or attribute-based access controls and user privilege policies to limit access to critical data and systems, Ansari said. 

“Regularly review and update these permissions,” Ansari said. “Use user behavior analytics tools to detect unusual activity that may signal a threat. Continue to educate employees, contractors and vendors on cybersecurity awareness and prevention to minimize the threat of the well-intended but uninformed insider.”

5. Deepfakes

Deepfakes involve the use of AI and machine learning algorithms to create convincing audio, images, videos and other content that are hoaxes. These activities can be used to mislead users by spreading false information.

“They could be used for fraud, misinformation or to damage reputation,” Ansari said.

One particularly concerning incident from this year, Shusko said, involved British engineering firm Arup, which was manipulated into making a $25 million payment because of a video deepfake.

“A Hong Kong-based finance employee initially received a suspicious email, but after joining a video call attended by the CFO and other finance colleagues whom he recognized, he felt confident in processing the transaction,” Shusko said. “But all the faces and voices he recognized turned out to be deepfake-generated.”

To help combat deepfakes, companies need to invest in detection technologies that can identify deepfake content, Ansari said. “Implement strong verification processes, especially for communications involving sensitive information or financial transactions,” he said.
