An employee recently received an email from me, letting him know that I was in an important meeting and asking if he could text me. The only problem was that it wasn’t me. “Fake Perry,” as we call the would-be scammer, had been messaging our employees in an attempt to gain access to the company’s accounts.
If Fake Perry had gotten the employee’s number, the next step would have been to call the phone company and have the employee’s number forwarded to his phone, which would have made it much easier to hack into our accounts. Thanks to our employees’ vigilance and the cybersecurity training we gave them, no one fell for it.
We enjoy making fun of Fake Perry, but we take cybersecurity seriously, and you should, too. Hackers have successfully extracted millions of dollars in ransoms from organizations like schools and hospitals. More recently, the Colonial Pipeline hack left much of the southeastern U.S. reeling from gas shortages and surging gas prices. Cyber-criminals will come for your organization eventually if they haven’t already. What are you doing to identify and assess your cyber risks?
Our recent enterprise risk management survey asked respondents to identify the percentage of their top risks that fall into categories, including strategic risk, operational risk, financial risk, and cyber risk. We found that 1 out of every 10 top risks assessed by respondents fell into the cyber risk category, both at the 25th percentile and at the median. Organizations in the 75th percentile said that one-fifth of their top risks were cyber risks.
Organizations in the median and 25th percentiles aren’t necessarily falling behind — it’s good that cyber risk is at least on their radar. At the same time, it would make sense for organizations to assess more cyber risks among their top risks, given the financial and operational damage these attacks can threaten.
Taking steps to address cyber risk is in every organization’s interest because it’s not a question of whether, but when, these attacks will occur. And there’s no question that a successful breach of your systems will take a financial toll. For that reason, CFOs and other finance leaders cannot afford to shrug off preparation for cyber risk as just another item on IT’s checklist. Below, we discuss three recommendations based on the moves we see top companies making.
Committing resources to protect your organization against cyber risk is always a smart investment. It’s better to commit these resources upfront to prevent or mitigate attack damage. Otherwise, you’ll pay on the back end once the ransom is due or customers’ data has been compromised. If you have the resources, now is also a good time to invest in tools that help verify whether vendor payment requests are valid and flag suspicious transactions.
Preparation for cyberattacks also means training employees, so they are familiar with the typical approaches hackers take. Assuming that all employees are savvy enough to read the signs of an attempted attack could be an expensive mistake. Basic security features like two-factor authentication are very effective if employees learn how to use them.
At a high level, assessing cyber risk looks much the same as any other enterprise risk assessment. You’ll need to identify the areas most prone to risk and assess whether the existing controls and safeguards keep the risk below the organization’s level of risk appetite. Cyber-risk assessment should also include IT penetration testing and implementing filtering systems for suspicious or external emails. Along with these steps, make sure you have action plans so that you’re not left scrambling when an attack has already happened.
One common form of cyberattack involves seemingly legitimate payment requests from vendors that ask an organization to change the accounts to which payments are made. To ensure that requests from bad actors don’t get processed, it’s critical to establish clear treasury policies that every employee follows to the letter.
Unfortunately, we found through our recent treasury research that many organizations struggle in this area. Fewer than half of the respondents to our treasury survey reported that their organization extensively communicates treasury policy. That means more than half of respondents probably don’t do a great job making sure treasury policies are clear.
Nearly half of those surveyed said that employees don’t adhere to the established policy very closely either. With cyberattacks on the rise, it’s simply not worth taking unnecessary risks; even a single employee who plays fast and loose with the policy could cause financial damage.
Given the growth of cyberattacks and the guarantee that they will continue, it’s time to redouble the organization’s efforts to assess, prioritize, and mitigate cyber risks. Investments in this area will pay off down the road, either by preventing cyberattacks or lessening the damage they do. We might not all be responsible for ensuring that gasoline is flowing to a large region of the U.S. Still, these attacks threaten significant damage to a business and its customers.
Perry D. Wiggins, CPA, is CFO, secretary, and treasurer for APQC, a nonprofit benchmarking and best practices research organization based in Houston, Texas.