As part of our Security Takes a Village theme, ActZero Networks Finance Manager Sofia Nalband covers the role of finance in securing the SME. She addresses the reasons financial stakeholders should be concerned about cybersecurity threats to their business, the practices such stakeholders can implement to reduce the risk of financial consequences, and how they can influence broader decisions and policies within the organization while staying true to their core mandates.
As a finance professional, I am concerned about cybersecurity because breaches can have a significant impact on my business. In a global economy, these attacks can cost millions of dollars and result in loss of control over financial reporting. Financial damage and compromised internal controls fall within the domain of the finance department, and the evidence that cybercrime is on the rise only increases my concern. These threats represent a significant and unpredictable risk for the business, not unlike a hurricane or earthquake. Finance executives should ensure that investments are made to protect the company’s assets, reputation, and long-term growth.
I want to talk about the importance of implementing cybersecurity practices in SMEs specifically, since larger corporations are now requesting similar cyber-defense standards from their vendors. We have seen that SMEs are particularly vulnerable and that breaches can seriously harm a company’s financial standing and destroy its brand reputation and trustworthiness among customers, partners, and vendors.
Finance Risks Becoming an Access Point for Cybercriminals
The finance department plays a major role in daily business operations. Using accounting information systems (AIS), it controls and works with some of the most sensitive and valuable information in the organization. It serves as a gatekeeper for such information and is closely interconnected with other departments to ensure smooth business operations. That’s why finance is particularly attractive for cybercriminals; when it becomes an access point for a hacker, access to valuable data is immediate, and lateral movement to other business units can happen very quickly. The security-minded finance professional must analyze the digital assets, workflows, and processes used in the business in the context of cybersecurity: they should know where the data is stored, how attractive it could be for hackers, how it is secured, and what the consequences would be if it were stolen, modified, or made inaccessible (by ransomware, for example).
Confidentiality, Integrity, and Availability in the Finance Department
Cyber-attacks in the finance department may compromise these three “pillars of security.” Data breaches may result not only in the loss of organizational or employee data but, more importantly, in the loss of clients’ data. This can impact customer loyalty and a company’s position in the market. Prospective customers consider trustworthiness before conducting business with a company, so breaches can impact our top line too.
Confidentiality – Breaches can involve unauthorized access and disclosure of private and sensitive information. Hackers may target payroll systems to gain access to employees' files and banking information. Using email, password phishing, and social engineering, the criminals may steal passwords and hack the clients’ files to access their data or credit card information. One click on the wrong email or attachment may open the door to threats invading the company’s network, which can paralyze the business.
Integrity – Finance is always concerned with information accuracy and completeness. Cybercriminals can change values in financial reports, or even in payroll. This risks inaccuracy in financial statements, resulting in misinformed decisions by management or inadvertently deceiving shareholders. Integrity includes the accuracy and trustworthiness of the data, and if it is compromised, trust is lost.
Availability – When authorized users cannot access information, or when unauthorized access is allowed, business operations can be impacted. Cybercriminals may attack servers and prevent their use, leaving legitimate users without service. This can even lead to financial losses when critical assets such as email, invoicing, or POS systems are targeted.
Combining sound controls with security-conscious employees improves defense against cybercriminals attempting to gain access to the company’s digital assets. Diligence on the part of the finance department is mandatory. Accountants need to be security-conscious and strictly follow the organization’s cybersecurity policies and procedures to safeguard company assets, clients’ sensitive data, and employees’ personal information. Yet, finance can also influence a key element in the prioritization of securing the organization: allocation of resources.
How can Finance Help?
This is a company-wide effort. Finance executives are well-placed to take an active part in a cybersecurity asset assessment given the analytical nature of the job. Guiding the budget preparation process, financial stakeholders should advocate and vote for the projects that mitigate the risk of reputational and financial damage and ensure fast recovery if a breach occurs. Finance professionals also work in close cooperation with the IT department in the valuation and categorization of digital assets, which can impact financial reporting.
The first step is to define the digital assets that are vital for business operations, assess their value, and rank them in order of their importance to the company. We need to think about the business impact if an asset is destroyed, compromised, or exfiltrated, how such assets contribute to generating revenue, and whether they can be replaced. The processes, systems, data, and applications used to create these assets should be valued and categorized in the same way. It’s a collaborative effort: IT can then define each asset’s threat profile, that is, its attractiveness to hackers. Management can use this information to decide how much risk is appropriate for the company to take, and protect the assets accordingly. As a result, leadership understands what to protect, how much it is worth, and how much to invest to protect it.
Cybersecurity risks to the business must be very tangible to financial stakeholders. As I described above, it is within our power to contribute to the protection of our business, by adhering to policies, proposing good controls for sensitive information, evaluating the risk to the business, assessing the value of digital assets, and being vocal about assigning budget for cybersecurity projects. We must take action to address these concerns, as we have seen that the impact is upon areas of the business that finance cares about the most – including our bottom line.