Too often we're hearing about cities and organizations falling prey to ransomware attacks, with the average cost of ransomware-related downtime hovering around $55K – note that’s just the cost of downtime, which excludes any ransom that might be paid. Total damage costs from global ransomware incidents are also predicted to hit $11.5B this year, which is staggering to say the least. From my perspective, paying any amount of ransom is obviously troublesome for a couple of reasons: the wide range of data CFOs use to manage the business is always at risk AND paying a ransom of any size could cripple an organization indefinitely.
This is notable because, at a much higher level, it underscores a shift in the traditional role of the CFO as someone who holds the purse strings to someone who needs to understand and support the use of technologies that ensure the integrity and protection of an organization’s data - all of it, not just financial data. So, while we usually hear about CIOs managing data and security needs, the onus is also on CFOs to better understand how disruptive technology trends (e.g. big data, digital transformation, and hybrid cloud environments) impact their role as well as the resulting business – and security – implications.
CFOs need to make well-informed decisions based on these understandings to ensure the best security investments are made and that the company is also adhering to compliance and industry regulations such as HIPAA, GDPR, PCI, and so on. And with compliance in particular, responsibility and accountability fall primarily to CFOs – especially at publicly traded companies – as they oversee duties related to optimizing shareholder value and meeting earnings expectations. The Sarbanes-Oxley Act of 2002 also raised audit reporting standards and put compliance and adherence to securities laws front-and-center for CFOs, which has paved the way for their role to change dramatically and assume more responsibilities.
It's also important to note that cybersecurity is a board-level issue, and CFOs are frequently required to report to the board on the level of risk being monitored and managed. Overall, finance chiefs are finding themselves accountable for promoting cybersecurity awareness within their organization, so their influence on the company’s culture, understanding, and approach to (cyber)security is more important than ever. In fact, employees are considered the first line of defense against ransomware, but there is a dire need to increase this awareness and an overall understanding of potentially risky behavior.
Security is now part of the job

I have personally experienced an evolution in my role as a CFO over the years: to bridge the gap between business and technology, with cybersecurity becoming paramount. While the role of the CFO isn’t traditionally rooted in knowing the ins and outs of technology, all CFOs should now be asking themselves: what exactly is my role in thwarting ransomware and other cyber attacks? Where do I even start?
Without a starting point these can be challenging questions to answer, so below are three steps CFOs should take to get involved in conversations around ransomware (and cybersecurity in general). They’re meant to provide guidance, so you have a better understanding of things to look out for and keep in mind as you move your organization forward on its cybersecurity journey...
1. Envisioning the worst is actually the best

Several organizations have started adopting an assume-breach mentality, which allows you to not only defend your network’s outer defenses, but also have a detailed plan in place for once a malicious actor gets inside your network - because when you assume breach, it’s a matter of when, not if. This is a significant shift from the mindset and approaches of the past to protecting your organization’s high value assets, which I like to call your ‘crown jewels’. Depending on your industry, you’ll have different types of data that are considered your most valuable - that could be research if you’re a biotech company, patients’ health information if you’re a hospital, or customers’ financial info if you’re a bank.
2. Spending is only as good as the spender

Whether CFOs are directly responsible for the IT reins or not, they must truly understand the ins and outs of cybersecurity technology and its implications. If you have a CISO that’s not communicating effectively with you, for example, that could result in underspending on critical security policies and measures, which could potentially lead to a breach. There needs to be complete, open communication within and amongst all players (especially the C-Suite) so you’re informed and can fully understand what cybersecurity technologies are out there, which are the best for your organization, and all of the financial implications. And don’t rely on your colleagues to do this - put it front and center in discussions around business strategy – whether it’s the opening of a new data center, a cloud migration project, or an upcoming acquisition.
3. Investing in education is crucial

Awareness and education can make all the difference when it comes to cybersecurity and mitigating the risk of a ransomware attack. It’s two-fold: on the one hand, CFOs must have a solid understanding of potential security strategies, how the latest technology will protect a company’s high value assets, and what to do if a ransom is demanded. On the other hand, there’s also an obligation to ensure that all employees are educated on potential red flags and risky behavior through regular meetings, open communication, workshops, tutorials, seminars, and the like. And since ransomware is often spread through phishing emails, there are already tools out there to test your ability to spot them. Consider this short, 8-part quiz from Jigsaw just to see how everyone does as a gauge - you might be surprised by the results.
Despite claims that ransomware is on the decline, recent high-profile reports - especially of cities and towns as well as healthcare organizations - seem to tell a different story. So, to all of my fellow CFOs out there, understanding cybersecurity technologies, solutions, and strategies couldn’t be more vital to your role in the C-suite (and across your entire organization). You must communicate, educate, and plan now to mitigate risk for tomorrow. Failure to do so can be very costly.
By Anup Singh, Chief Financial Officer at Illumio