The CFO’s role in cybersecurity is often overlooked. Yet, they can be a vital partner with a CISO in risk management to protect the financial security of an organization and maximize return on investments—including investments in cybersecurity. 

These two leaders should collaborate to create metrics that the C-suite can comprehend to evaluate which security investments are effective, not being utilized enough, or unnecessary. 

Cyber Risk Insurance: CFO and CISO Roles

As the ultimate financial controller, the chief financial officer (CFO) must understand the potential monetary impacts associated with any cyber threats or incidents and the various options for purchasing cyber risk insurance and their associated costs. For this, the CFO works closely with the CISO to identify areas of increased risk for cybercrime and determine which types of cyber insurance policies are needed.  

The CISO provides technical guidance on cybersecurity risk management, IT infrastructure analysis, policy recommendations, and best practices for protecting against cyber threats. They must also be aware of potential changes in business operations, technologies, or vendors that could increase the risk of a cyberattack and communicate these changes to the CFO.  

By working together, the CFO and CISO can develop a comprehensive strategy for purchasing cyber risk insurance and protecting their organization from potential cyberattacks. Understanding and managing the financial aspects of cybersecurity is a key component of any cybersecurity strategy and is essential for the successful protection of digital assets and data. 

Assessing the Security Stack

There are a lot of similar-looking layers in a company’s cyber security stack, and the email security layer is easy for a CFO, or anyone who isn’t intimate with every solution in the stack, to miss or overlook: “does that solution’s spam feature cover our anti-phishing needs?” Usually it does not. Spam filtering is tuned for bulk, unsolicited mail and leans on sender reputation and volume, while a targeted BEC message is low-volume, plain text, and often sent from a legitimate or lookalike account, which gives a spam filter little to match on.

While most CFOs understand the importance of data security, they often overlook the critical value of email security, and the impact it can have on a business’s bottom line, until they have lived through a breach. Partnering with a CISO and taking a "cyber CFO" approach can be beneficial in assessing the probability and cost of a breach. This involves quantifying the likelihood and the loss of cyberattacks under different scenarios, so that the expected loss a control removes can be compared with what the control costs.
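As an added example, and not code from the original post or from IRONSCALES, the following small risk model shows what "quantifying the risks and probabilities based on different scenarios" can look like for BEC specifically. It turns an assumed rate of BEC attempts, a success probability and a loss size into an expected annual loss (the classic ALE = SLE × ARO, with a log-normal loss size so that a few large payments dominate), simulates the loss distribution so a CFO can also see a bad year rather than just the average, and compares a baseline scenario with a hardened one against the control’s yearly cost. Every scenario number below is a constructed assumption for illustration, not a measured figure.

```python
# Added example (not from the original post): a "cyber CFO" model for BEC loss.
# All scenario figures are constructed assumptions, not real data.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class BecScenario:
    name: str
    attempts_per_year: float  # expected BEC attempts reaching someone with payment authority
    p_success: float          # probability that one attempt results in a fraudulent payment
    median_loss: float        # median loss per successful attempt, in USD
    sigma: float              # log-normal spread of the loss size (0 = fixed loss, ~1 = fat tail)


def expected_annual_loss(s: BecScenario) -> float:
    """Closed-form expected annual loss: rate of successful attacks times the mean
    loss per success (a log-normal with median m has mean m * exp(sigma^2 / 2))."""
    mean_loss = s.median_loss * math.exp(s.sigma ** 2 / 2)
    return s.attempts_per_year * s.p_success * mean_loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Sample a Poisson count with Knuth's multiplication method (fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(s: BecScenario, years: int = 20000, seed: int = 1) -> list[float]:
    """Monte Carlo: successful attacks per year are Poisson with rate attempts * p_success;
    each success costs a log-normal amount. Returns one total loss per simulated year."""
    rng = random.Random(seed)
    rate = s.attempts_per_year * s.p_success
    mu = math.log(s.median_loss)
    totals = []
    for _ in range(years):
        hits = _poisson(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(hits)))
    return totals


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile, q in (0, 1]; percentile(v, 0.95) is a '1-in-20 bad year'."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def annual_net_benefit(baseline: BecScenario, with_control: BecScenario,
                       control_cost_per_year: float) -> float:
    """Expected loss avoided by the control minus its yearly cost.
    Positive means the control pays for itself on expected value alone."""
    return (expected_annual_loss(baseline)
            - expected_annual_loss(with_control)
            - control_cost_per_year)


# Constructed scenarios (illustrative assumptions, not measured figures).
BASELINE = BecScenario("no additional controls", attempts_per_year=24,
                       p_success=0.04, median_loss=60_000, sigma=1.0)
# Assumption: the added control (for example phishing-resistant MFA plus an extra
# email security layer) cuts the success rate of attempts that get through by 75%.
HARDENED = BecScenario("hardened", attempts_per_year=24,
                       p_success=0.01, median_loss=60_000, sigma=1.0)
CONTROL_COST_PER_YEAR = 40_000  # assumed yearly cost of the control


if __name__ == "__main__":
    for s in (BASELINE, HARDENED):
        sim = simulate_annual_losses(s)
        print(f"{s.name}: expected ${expected_annual_loss(s):,.0f}/yr, "
              f"simulated mean ${sum(sim) / len(sim):,.0f}, "
              f"95th percentile year ${percentile(sim, 0.95):,.0f}")
    print(f"net benefit of control at ${CONTROL_COST_PER_YEAR:,}/yr: "
          f"${annual_net_benefit(BASELINE, HARDENED, CONTROL_COST_PER_YEAR):,.0f}")
```

The closed-form number is what goes on a slide; the simulated 95th and 99th percentiles are what justify insurance limits, since a fat-tailed loss means the average year says little about the worst one. Change the assumed success rate, loss size or control cost to see how sensitive the decision is before presenting it.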

Determining the probability of a breach should always factor in phishing threats as they are a leading cause of breaches. One particularly dangerous and costly type of email threat is the Business Email Compromise (BEC) attack. 

BEC attacks involve cyber criminals who compromise or spoof a business email account to send fraudulent requests for payments or sensitive information. These attacks are highly targeted and often impersonate or target C-suite and VIP employees. Because a typical BEC message carries no malicious link or attachment, just a plausible request in plain text, payload-based filters have nothing to match on, which makes these attacks difficult to detect and prevent.

Many organizations, from small businesses to major enterprises to entire governments, have experienced BEC attacks. For example, between 2013 and 2015, Facebook and Google lost a combined $121 million in a BEC attack, and in 2019, Toyota Boshoku Corporation lost $37 million in a similar attack. And in early 2020, the government of Puerto Rico lost $2.6 million in a BEC scam while dealing with the aftermath of a major earthquake. 

There are several steps that CFOs and other business leaders can take to safeguard their organizations against these types of threats. This post provides a few tips to help reduce the risk of BEC attacks and the financial burden they have on businesses. 

3 Tips to Reduce Advanced Phishing Attacks

Implement Multi-Factor Authentication

Enable Multi-Factor Authentication (MFA) on business accounts and on the workflows that move money. MFA reduces the risk of account takeover, which is the "compromise" path of a BEC attack; it does nothing against a spoofed sender, which never touches your accounts. Prioritizing MFA for high-risk employees such as C-level executives, employees with payment authority, HR departments, and admin accounts raises the bar where it matters most. Prefer FIDO2/WebAuthn security keys over SMS or app-generated one-time passcodes: a one-time passcode can be relayed in real time by a phishing page, whereas a FIDO2 key signs a challenge bound to the genuine site’s origin and requires access to the registered physical device, so a lookalike login page cannot complete the sign-in.

Security Awareness Training (SAT)

Train and test employees on cybersecurity regularly. Promote skepticism and measure cybersecurity knowledge in the organization. Do regular simulations of phishing and BEC attacks to help employees recognize and respond to suspicious emails. 

Training is also where the knowledge gap gets closed: CFOs and others who are not close to the company's cyber security stack often do not know which control is supposed to catch a phishing or BEC email, so the material should spell out what the email security layer does and what it leaves to the person reading the message. There are many security awareness training options on the market; to keep people's attention, seek options featuring material that takes only a few minutes to review.

Leverage Third-party Email Security Solutions

Don't rely solely on security controls that are included with Microsoft 365 or Google Workspace. While these email providers have significantly improved their built-in security (for example Exchange Online Protection, EOP, in Microsoft 365), it should be considered a base layer of protection rather than the entirety of your email security.

Consider adding further security measures, such as a third-party email security solution. Traditional tools like Secure Email Gateways (SEGs) can detect simple phishing attempts because they key on known-bad indicators: sender reputation, malicious URLs and attachments, and signatures. They are generally not effective against more sophisticated BEC attacks, where the message is plain text and, when sent from a compromised legitimate mailbox, passes SPF, DKIM and DMARC checks. Therefore, it would be wise to consider solutions that incorporate Artificial Intelligence (AI) and Machine Learning (ML) to model normal sender behavior and message content, and so detect and respond to advanced threats in real time.

The IRONSCALES anti-phishing platform leverages a unique combination of Artificial Intelligence and human insights to provide powerful protection against advanced phishing threats like BEC to avoid costly remediation efforts, downtime, and revenue loss. 

Themis
Post by Themis
January 18, 2023
CYBERSECURITY ANALYST & INCIDENT RESPONSE EXPERT An intuitive senior-level cybersecurity analyst named after the Greek Lady of Good Counsel with the objective to help enterprises reduce email phishing risk. Although not a real person, I have a proven track record of expediting the time from unknown/zero-day phishing threat identification to enterprise-wide remediation.