Risk Management

CFOs have a vital role in dealing with cyber attacks

Don’t leave cybersecurity to your CIO.

Blackjack3d/Getty Images


Though cyberattacks against large companies garner the headlines, smaller companies are at risk as well. Steve McNally, CFO, secretary, and treasurer at Plastic Technologies Inc. and the former global chair of the Institute of Management Accountants (IMA), spoke with CFO Brew at the IMA 24 Accounting & Finance Conference about the role CFOs of small companies play in bolstering their organizations’ cybersecurity efforts.

The following interview has been edited for clarity and length.

Why is it important that the CFO take charge of cybersecurity?

The CFO is in a unique position, whereby they and the finance and accounting team see the big picture of the organization. They are well positioned to see the risks. We have access to the data. We’re able to analyze the data and through that, identify the issues, where we should be focusing.

Secondly, we manage the purse strings. When it comes to making the investments that would help mitigate the risks, often those decisions are made by the CFO and their team, or at least the CFO is part of that decision-making process.

What are some steps CFOs can take to help make their companies more secure against cyber threats?

I think it starts with oneself… It’s building your own personal awareness and understanding: What are the types of cyber attacks? … What’s the regulatory environment?

Second, it’s all about educating your team… your team in finance and accounting, but also your team as an entire organization. And I say that because too often when it comes to cybersecurity, your employees are your weakest link.

One thing we do is conduct monthly phishing campaigns. The first couple of times we did it, we had a lot of failures. And when people failed, they then had to take individualized training to learn from it. And those individuals that have failed more than once, well, then it was also me having a pretty frank conversation [with them]: “Do you understand if you click that link or if you provide that information, you’re not just jeopardizing yourself, you’re jeopardizing our entire organization?” So making sure that awareness is crystal clear.

News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

How often would you recommend doing a cyber risk assessment?

One thing that we’ve done in the last couple of years, which as a small company we hadn’t done before, was select a cyber risk framework. We selected the NIST framework. And then working with my IT partner, we went through that framework. You go through those questions and it helps you identify where the gaps may be and then you prioritize which gaps should you fill in.

Many small companies, I’d venture to say, haven’t clearly documented their cyber-related policies. For example, do they have an acceptable use policy? Do they have a risk assessment policy? Do they have a data breach response policy, so if something does happen, it’s clear who’s told and what actions are taken? There are templates out there that help you get started, that probably get you 95% or more of the way there.

Are there other steps companies should be sure to follow?

Once you have the policies in place… another step would be around developing a contingency plan—so a crisis management plan, an IT disaster recovery plan, a business continuity plan. And once you have those plans, testing those plans.

The other thing is cyber insurance. As you’re completing the applications, you have to be honest and transparent. You’d better understand your policy and what’s expected of you, what actions you’re supposed to take, because if you’ve fallen short, or if you do have an incident, you might not be as covered as you thought.

And then the last thing is adopting a continuous improvement mindset, because the bad actors are becoming increasingly creative at their craft… We need to be just as creative in terms of our assessment and risk management.
