Check the news. The consequences of a data breach can be devastating to a company’s finances and its brand reputation. And there’s no single way to block virtual intruders, whose schemes are constantly evolving.
A recent CFO Research study, Cyber and Data Security in the Middle Market, confirms that the need to thwart cyber-hackers unites U.S. finance leaders across industries. The study, conducted in collaboration with U.S. Bank and Visa, is based on 316 online survey responses and 5 in-depth interviews. The U.S. senior finance executives polled work at companies with annual revenues between $25 million and $500 million.
The survey finds that 21% of respondents have had business activities disrupted by hackers in the past two years — compared with 37% who report having had physical property swiped during that same period. Still, 6 in 10 (60%) report having lost time and resources as a result of managing a security breach (see Figure 1).
Serious Business
A clear majority (82%) of respondents “agree strongly” or “agree somewhat” that their company’s top executives treat cybersecurity with the appropriate gravity. Asked to identify the most important step a CFO can take to make the finance function less vulnerable to cyber-threats, one respondent writes, “Due diligence from the top and upper management.” What matters most, offers another finance executive, is setting a “tone at the top.”
However, just under one-quarter (24%) of respondents say they “agree strongly” that their rank-and-file employees treat cybersecurity with the seriousness that it warrants. By comparison, 45% of finance executives “agree strongly” that their top executives approach the issue with the attention it requires. Given that cyber attacks are targeted at all levels of an organization, it appears that top executives need to communicate some of that gravity and seriousness to the rest of the company.
Asked if they agree that their employees have access to training and education about recognizing and acting on cyber-threats, only one-quarter (25%) of respondents say they “agree strongly,” with almost half (46%) choosing to “agree somewhat.” Finance executives clearly see room for improvement, and additional training is a prudent path.
Who’s on Point?
When it comes to managing cybersecurity, middle-market companies tend not to rely on separate departments, or even specially assembled teams, to quarterback the effort. For the most part, the survey found, middle-market businesses look to the IT function. In describing their companies’ organizational strategies for managing cybersecurity, more than three-quarters (76%) report “cybersecurity is governed and managed by the information technology function.” “Having a strong IT department is paramount,” as one survey-taker states. By contrast, only 12% of respondents say that cybersecurity at their companies is centered in the finance function.
But in their responses to open-ended questions, finance executives stress the need for those departments to collaborate, agreeing on strict guidance and carefully orchestrated steps that the rest of the company can follow.
Aside from advising attentiveness, finance executives also encourage their peers to help IT in a more concrete way, i.e., by giving the function the resources it needs for cyber-related initiatives. “Support the IT function with their security policies and requests,” writes one respondent. “Make cybersecurity a big portion of the IT spending budget,” writes another.
Don’t Trust; Verify!
Explaining another effective step a CFO can take to reduce the finance function’s vulnerability to cyber-hacks, one respondent writes: “Ensure regular audits are performed on IT security and hold proper insurance in case of a loss.” Another advises fellow finance leaders to “perform an independent audit of the area.” Adds another survey-taker: “Periodic audits.”
Many respondents aren’t just paying lip service to the idea. In the survey, nearly half (48%) say they have conducted formal assessments of their cybersecurity efforts for all systems, locations, and business units in the last two years. An additional 22% report that they have done the same for some systems, locations, and business units; only 15% say they have conducted no formal evaluation of their company’s preparedness (see Figure 2).
Third-Party Risk
With businesses seeking to replace, or complement, in-house capabilities with third-party capabilities, they may be overlooking the cyber-risks they are acquiring in the process.
Whether as a result of cost-consciousness or lack of urgency, only about 1 in 5 finance executives (21%) who participated in the survey say they frequently evaluate the security efforts of their suppliers and customers. Combined with those who say that their companies occasionally review suppliers and customers (35%), the proportion reaches a simple majority (56%). But that total is a far cry from the 70% that have done at least some review of their own security situation. Meanwhile 3 in 10 (31%) conduct no formal evaluation of their external partners.
What about when the roles are reversed? Only 18% of survey respondents report that customers and vendors have frequently formally evaluated their company’s security policies and procedures. And just 28% say they have been reviewed occasionally. Given the value of data in the digital economy—where competitive advantage can be built on credit card numbers and social security information—the risk of increased vulnerability through third parties is only going to rise.
Payment Protection
For business-to-business payments, paper checks remain king—and an open invitation to fraud. In the survey, 72% of finance executives say their companies use paper hard-copy checks either “very frequently” or “frequently.” Direct payment services such as automated clearing house (ACH) and electronic funds transfer (EFT) weren’t far behind, attracting 64% of “frequent” or “very frequent” users. Corporate and purchasing cards were next at 52%.
The 13th Annual Payments Fraud and Control Survey by the Association for Financial Professionals found that 75% of organizations experienced check fraud in 2016 and 46% were targets of wire transfer fraud (based on the responses of 547 finance professionals). Automated clearinghouse payments fraud was experienced by less than one-third of respondents.
In the CFO Research survey, finance executives hinted at a need to tighten their payment processing systems. One respondent writes that the most important step a CFO can take to make the finance function less vulnerable to cyber-hackers is “moving to a paperless environment.”
As the number of transactions grows — along with confidence in the technology—finance executives are clearly being drawn to use ACH or purchasing cards to pay vendors and suppliers, primarily because they are faster and less costly. In addition, purchasing cards offer the advantage of rebates and rewards, cash float, and ubiquity of acceptance.
For receiving payments, finance executives say they consider cards roughly on par with electronic payments services (ACH and EFT) when it comes to promptness of payment and convenience. While 95% of respondents rank ACH/EFT performance as “excellent” in terms of security and protection from fraud, 83% grade cards on that level. However, respondents note that, with the introduction of EMV chip card technology, that gap appears to be closing.