3 Ways CFOs can Prevent Phishing Attacks

Whatever the size of your organization may be, cybersecurity should be at the forefront of your mind. Those who perform any operations online — which is likely most businesses — are targets for data breaches and attacks. Unfortunately, as technology and security develop, so too do the criminals looking to obtain sensitive information. There is evidence of this in a particular kind of scam — phishing.

It may once have been easy to scan an email for spelling errors or odd links and dismiss it as phishing. However, cybercriminals have learned from the past and are developing new techniques that cost companies greatly. Thus, corporate leaders need to act with prevention in mind. How can CFOs prevent phishing attacks with cybersecurity? Here’s what they should watch for and how they play a role.

Phishing was successful when it first appeared in the ‘90s. However, people eventually learned the telltale signs — misspelled words, links that asked for sensitive data, nonsensical emails, or anything claiming they won a prize. Those kinds of scams still exist, but cybercriminals have adapted to the times with improved techniques.

Targeted attacks such as spear phishing and whaling have bloomed in prevalence. Whaling attacks specifically target executives within a team — CEOs, CTOs, CISOs, and CFOs — to either steal money or obtain credentials. Hackers may also use spear phishing, which means they personalize their scam to one or a group of staff members.

How are trained individuals still falling for phishing scams? Criminals have upped their strategies. They now know to come up with an official-sounding email, but it goes deeper than that. Some attacks use cloned web portals, so those who click on a link in a phishing scam believe they’re on the right website. Certain hackers have also generated fake QR codes that simulate two-factor authentication. Threats are getting harder to detect and can create a lot of damage.

The worldwide average data breach cost is $4.35 million — in the United States alone, that number jumps to nearly $9.5 million. The price of phishing was the highest of several threats at $4.91 million. Compromised or stolen credentials were the most frequent cause of an attack at 19%, but cybercriminals can obtain that information through phishing. Business email compromise was the second-most-expensive attack vector, which can also originate from phishing.

These scams also grew in frequency during the COVID-19 pandemic. About 70% of companiessaid they noticed more phishing attacks once shutdowns began. Interpol also found that 59% of polled countries experienced phishing scams, as well as noting one significant development. Cybercriminals have largely adjusted their focus from individuals and small businesses to large corporations.

Because phishing is such a critical problem for businesses, CFOs must find ways to aid their organization in the fight. Luckily, you have several options for doing so. Here are a few techniques CFOs can utilize to make a difference in preventing phishing attacks.

Your first step is to identify how much your organization is spending on cybersecurity. For example, Deloitte data shows companies with over $30 billion in revenue will spend over $100 million on threat prevention. Is your business over or under the same percentage in your budget? Could you hire more individuals with specialized training for the IT team or spend more on security software?

Determine how much of your budget currently goes toward cybersecurity and if there are ways to make that number more efficient. Your needs may require more focus on identity management or data governance. Also, identify what others in your sector are spending on cybersecurity, compare it to your budget and see if you can afford to match them.

CFOs likely want to cut costs as much as CEOs — they’re dealing with finances, after all. However, cybersecurity is not an area to skimp on. Some CEOs may be less keen to spend more on threat prevention if they’ve never experienced an attack. While this is understandable, it’s a massive misunderstanding of the threat phishing scams pose. Therefore, you have to quantify the significant financial risks.

There are expenses from downtime, recovery, and potential theft, and your reputation is now at stake. In the U.S., 83% of consumers will stop buying from a company for a few months after a security breach. Australia and the United Kingdom are more severe — over 40% say they will never spend money with such a business again. Calculating the potential profit losses from a cybersecurity incident might get even the stingiest of CEOs to reevaluate their stance.

One of the most valuable things an organization can do is train its employees on identifying phishing scams. Including training as part of your annual cybersecurity budget may seem like a waste to some, so you must advocate for how vital it is. You could run announced classes and send out unannounced phishing tests to see which staff members need additional help.

Part of that spending may also come from running an incident response plan. These are a layout of what a company will do if a hack occurs. About 74% of businesses say they have a plan, but only 23% test it more than once a year. Setting aside time to run these responses may cost money, but they train workers on what to do and help find expensive inefficiencies.

Phishing scams are rising in occurrence and severity. It’s not enough for CFOs to know about these threats — they must actively participate in their prevention. Utilize these tips to prepare your organization to identify and manage phishing attacks.