How to address the multi-faceted cybersecurity challenges CFOs face

Eftsure’s Ryan Mer explains that opportunity cost is greater than the risk of a cybersecurity attack.

Establishing cyber resilience has become one of the key outcomes for today’s CFO. Collectively, this is measured by the overall success of the organisation and it is here that business continuity, reputation and finance all play vital roles, while potential for injury and even loss are also considered.

For a business to consistently win business and retain a positive reputation, it needs to be seen as diligent and trustworthy and cybersecurity plays a significant role in achieving this.

It is no longer enough to use a tick-box mentality approach to cyber security. The CFO remit now includes operational technology and is thus best suited to review the business’s technology and systems, and advise what investment in cyber security technology is required.

Global losses from payment fraud have tripled from $9.84 billion in 2011 to $32.39 billion in 2020, according to Deutsche Bank’s 2021 report on the future of payments. And financial professionals are saying Covid-19 hasn’t helped matters, with 65 percent believing that the global pandemic is to blame for some of the accelerated rate in fraud activity, revealed by a 2021 survey by the Association for Financial Professionals (AFP).

While these cybercriminals can target many areas of an organisation, the dangers are ultimately measured in financial terms. This means that chief financial officers (CFOs) can no longer ignore cyber security simply because it is a complex issue outside their area of expertise. As custodians of the company’s monetary assets and financial data, CFOs are responsible for safeguarding the enterprise from threats to its financial health, especially those that can result from processes within the finance domain, such as accounts payable.

Ryan Mer, managing director, eftsure Africa, a Know Your Payee™ (KYP) platform provider, says that CFOs need to play a key role in their company’s cyber security, since the CFO is responsible for some of the most sensitive and valuable data the organisation possesses. “It is potentially disastrous for the finance team to be ignorant of cyber risk,” he says.

Below are six ways CFOs can combat the risk of payment fraud:

1. Know your vulnerabilities and understand risks
The first line of defence is to identify which information requires the most protection and research the many ways your organisation could be attacked. Hackers often target the finance department and team members directly in attempts to defraud. CFOs need to ensure that these vulnerabilities are both understood and addressed. This means testing current processes and systems to find weak spots, perhaps with the help of external experts.

Many organisations’ weak areas lie in their manual processes, which use human inputting methods and decision-making, often resulting in errors and gaps in security. Independent third-party platforms, such as eftsure, can help manage supplier data and automate payment checking and supplier verification, saving time on manual processes and reducing human error and manipulations.

2. Improve your basic security
Review your company practices in relation to password and security controls. Look at whether you can strengthen your company’s passwords and ensure that they are changed on a regular basis, if possible, adding an extra layer of security with two-factor authentication.

3. Move data to the cloud
Stay ahead of ever-changing security demands by moving sensitive data to the cloud, where it is kept in centralised storage that can only be accessed through sophisticated authentication methods. Cloud providers update their systems frequently based on the latest security best practices, providing new encryption techniques, improved login protocols and real-time identification of unauthorised users and suspicious activity.

4. Tighten your payments security
Look at your payments processes and identify potential weaknesses, possibly re-evaluating your financial procedures for approving payment releases. Ways to address weaknesses include ensuring there is clear separation of duties between staff and adding more verification steps.

While checking with senior executives, verifying by phone or relying on staff to perform other account verification procedures are options, they are manual, time-consuming and hold their own risks. A Software as a Service (SaaS) provider like eftsure can help limit the risks by providing an integrated payments system that cross-references the payments an organisation is about to release with a database of verified bank account details. The platform alerts you to any suspicious payments, at point of payment, allowing you to deal with the problem before the flow of funds has occurred.

5. Educate your staff
Employee email accounts are gateways to sensitive information and attacks, especially those in finance and accounts payable, making them targets of cybercrime. Equip staff with the skills and tools to spot threats and respond appropriately by introducing cyber safety awareness programmes, workshops and simulations. Enforce policies that restrict what information can be kept in email inboxes prior to secure archiving. eftsure’s secure, digitised payee onboarding platform can assist with the collection and management of payee information, thereby avoiding trying to manage this through email workflows and inboxes.

6. Keep your cyber security updated
As cyber risk grows and cybercriminals get better at what they do, it pays to be proactive about the controls, oversight and data management processes you have in place. Avoid waiting for a fraud incident or assuming your organisation is fully protected from fraud. Constantly remind staff at all levels about the risks of cybercrime to help build a strong security-conscious culture and continuously update controls to adapt to new fraud patterns. Collaborate with the chief information security officer (CISO), if your organisation has one, or enlist the help of an outsourced CISO-as-a-Service to address these risks and for assistance in deploying new defences.

In South Africa there is precedent for firms being held liable for payments that did not reach the intended recipient, a situation that demands every CFO’s attention. “It’s a war out there – and cybercriminals are bringing the battle to you. Don’t wait for them to succeed – be proactive and get on the front foot now so you stop them before they succeed,” advises Ryan.