What CFOs need to know about new security controls
The next generation of attacks is coming. So is the next generation of security controls.
Access controls, passwords, multifactor authentication, Okta Verify, Google Authenticator, and probably the best invention from Apple, that box that pops up on your screen when you get security codes texted to you—everyone is dealing with security controls every day. And for CFOs, good security controls are essential in order to reduce the ever-shifting risk profile for the entire organization.
Earlier this month, Anthropic announced that its AI chatbot, Claude, had been used to execute up to 90% of a Chinese-sponsored cyberattack on 30 organizations. And this is likely just the first of a wave of incidents, as fraudsters and hackers weaponize AI tools.
As CFOs face a future of AI-driven attacks, what should they watch for, and how must security controls evolve to meet this threat?
Borderless. The first critical risk is actually one that’s been creeping up on CFOs for years. The line between your company and the rest of the world is getting fuzzy. Due to the increase in cloud computing, companies are inviting more and more outside organizations into their internal systems.
Think about SaaS. In 2013, Microsoft pushed Microsoft 365 as its subscription cloud offering. In 2018, Gartner predicted that “by 2020…80% of historical vendors will offer subscription-based business models.” These days, organizations use an average of 371 applications powered by SaaS, according to DemandSage.
“Before [cloud computing], you had a clear edge, you knew where your company things were, and they were just in the data center,” Michael Isensee, US leader for cybersecurity and technology risk at KPMG, told CFO Brew. “Things are everywhere now.”
So the traditional way of protecting your perimeter with firewalls doesn’t work as well, according to Isensee.
Not to mention the introduction of AI tech into those SaaS platforms, which adds to security concerns for CFOs.
Isensee recommends a more layered approach to security to combat that blurred line. Traditionally, companies focused on the front door—making sure whoever was let in was supposed to be there, and then letting them roam free inside the “house.” But now there isn’t just one front door.
“You don’t even have this clear construct of a house anymore,” Isensee said. “There’s rooms everywhere. You’ve rented space all around the globe.”
There are many side doors, bedrooms, and cupboards that need to be secured. Isensee said employees should be required to authenticate themselves every single time they want access to part of an organization’s online system. (In the IT space, this is called zero trust.)
“You want to always verify if that person can actually access this,” he said. “And so it’s less dependent on one thing working as it is constantly checking and challenging if somebody should have access.”
News built for finance pros
CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.
AI attackers. According to Isensee, AI is better at recognizing patterns, probing for weak spots, and then exploiting them. And it can do it at a speed and sophistication that is unprecedented. New threats like deepfake videos or audio have made it difficult for even phone calls and video chats to seem trustworthy. Isensee believes these attacks will become more common.
“It is astonishing how little time, video time as an example, of a person’s voice you need to replicate for a deepfake,” he said. (IT Brew reporter Brianna Monsanto recently demonstrated just how little, with her own remarkably lifelike deepfake video.)
A study from the International Monetary Fund has predicted that cybercrime will cost $23 trillion globally in 2027. A 2023 cyberattack cost MGM Resorts $100 million. In 2024, Change Healthcare, part of UnitedHealth Group, had to shut down hospitals and pharmacies after a cyberattack that cost them $872 million. Last year, Ikea lost $17 million in sales after a Black Friday hack, according to Fourlis Group. The list of costly examples is enough to make CFOs tremble.
Fight fire with fire. So what’s a CFO to do? Use AI “to fight fire with fire,” as Isensee put it. AI can help detect deepfakes, find fraud more broadly by flagging anomalies and identifying suspicious behavior deviations, and help companies proactively find vulnerabilities and patch them.
“With more automation and AI capabilities, you can do that checking much more real time or continuously,” Isensee said. “And you can look at it on a much broader scale. So that ‘continuous controls monitoring’ is much more effective.”
Quantum security is coming. As if AI wasn’t enough, there’s another breakthrough on the horizon that has the power to transform everything. Isensee warns that while quantum computing is still a few years away, CFOs might need to start protecting themselves now. Because quantum computing can break encryption, he believes it’s going to take time for companies to patch the security holes.
“If you put new encryption into a place today, use encryption that’s going to be quantum safe. Don’t start with an old platform,” Isensee said.
Hackers are already gathering your data so that when quantum computing comes online, they can flip a switch and break in. Good thing there’s a new AI sheriff in town.