Cybersecurity part of the CFO’s remit
Experts hash out the extent of the CFO’s responsibility for cyber security at Finance Indaba Network.
Protecting your business from a cyber-attack takes vigilance from everyone in your company according to experts on a cybersecurity panel at the 2020 Finance Indaba Network.
Cybersecurity expert Nathan Desfontaines, founder of Cybersec, pointed to the uptick in the number and scope of cyber-attacks in the last few months to illustrate the pervasiveness of the challenge. High-profile cases include the City of Joburg’s ransomware attack, and the targeting of large banks, ISPs, and large insurance and healthcare companies. “These are just the ones we know about; some don’t make it to the front page,” he said.
Megan Pydigadu, group FD at EOH, said that during the Covid-19 lockdown, as part of the migration to work-from-home, the company had to ramp up security measures. “You have to approach it holistically,” she said. “Gone are the days when people are all connecting in one place. Now people in your company use multiple devices and networks to log in. Zero trust networks requiring authentication have been critical for us.”
Nathan notes that newer risks have emerged in the last four years. Both cryptocurrency and ransomware have been adopted by cyber-criminals. Eighty percent of breaches are due to human error, with criminals looking at the common employee as a weak entry point. He points out that preventing social engineering attacks requires creating a cyber-savvy mind-set through rigorous awareness programmes.
Alastair Petticrew, FD of Bidvest Insurance, said that they employ ethical hackers to try to breach systems and find weak spots. These exercises target the company internally through its staff, but also look externally at customers and suppliers for gaps. “We run simulations and trainings to test staff’s ability to spot spam and pick up red flags. We try to keep our staff up to date on the latest trends and invest in awareness, while continuously strengthening other measures to fend off attacks.”
Megan shared that they had formed an IT council to oversee EOH’s frameworks. The council has a security sub-committee, which brings together the best minds to look at how the company approaches security, its policies, standards and protocols. “Keeping cyber top of mind is constant, so we have user awareness interventions and have deployed a Learning Management System where we are training staff on security and POPI.”
Alastair said that while company risk is high, individuals increasingly also want to protect themselves at a personal level, and as a result, cyber insurance protection is expanding to personal cover as well.
Nathan pointed to an industry joke that says there are two types of companies: those that have been hacked and those that have been hacked and do not know it. His advice to CFOs is to take the view that a breach is inevitable, and to get into a position where you will know when it has happened. “In the event of an attack you want to be able to assure stakeholders and investors that you were able to detect it, stop it and respond decisively.”
He advised against assuming that compliance means you are immune. “Compliance is great, but it is the first step,” he said. He suggested more targeted actions such as engaging a white-hat hacker, but also red teaming, a simulation designed to measure how rigorous your controls are. It tests your company’s ability to withstand an unannounced attack and gives feedback on your crisis response and how prepared you would be in an actual breach.
Simplifying cybersecurity so people can adopt and understand
Megan said that in the past, technology-related issues were owned by IT alone, but now they are shared across the organisation, because everyone is on an accelerated digital journey. As a CFO you play an important role in making it real for your teams, so you should centre the conversation on the potential impact of an attack on their work, the data they deal with and the company as a whole.
Alastair said getting people to engage starts from the top. In the executive team he is part of, they have instilled a culture of speaking in practical terms, relating each discussion to things people can apply in their everyday environment. You need to build risk into all the streams, from reception to finance, and communicate what steps should be taken within business processes. He emphasised that securing a company cannot be done alone; you need to share information with everyone and best practices with others.
Nathan said that to address cyber security effectively you need to strengthen your technology, people and processes, and have a strategy for each area. He shared that as a service provider to companies, he has learned that to get projects approved, you need to understand the language CFOs speak when addressing the risk management issues they face.
“You need to understand their concerns and address them in a language they already understand, not talk that’s heavy with jargon. That approach makes it easy for the risk element to crystallise in people’s minds and budgets, so you get the right support for your efforts.”