Company leaders are entering the digital front lines, dipping into their coffers to defend against cyberattacks.
Each year, CFOs find themselves faced with an increasingly complex landscape of cybersecurity threats that jeopardize the financial stability and reputation of their organization. From ransomware attacks targeting confidential data to sophisticated phishing schemes exploiting payment systems, the stakes have never been higher or more expensive.
“They’re spending a lot of money on back-office solutions,” says Chris Nekvinda, senior vice president at the Cannon Financial Institute.
Research firm Gartner expects global business spending on information security to reach $212 billion in 2025. That’s a solid 15% increase from the $183.9 billion estimated in 2024.
The upside is that many of the organizations Nekvinda encounters, through Cannon’s professional development and training segment, seem willing to open their coffers and spend what’s necessary to counter digital threats. The downside? Bad actors use advanced technologies, such as artificial intelligence and quantum computing.
“These threats will also come from ordinary individuals,” he predicts. “It’s going to be a real challenge because there’s going to be such a requirement and investment in upgrading the network to be able to deal with these kinds of innovations.”
Without these upgrades, a well-executed phishing scheme, for example, could have catastrophic consequences on a company’s bottom line or personal bank account, Nekvinda says. And he knows it from experience.
Not long ago, Nekvinda logged into his Wells Fargo account hoping to see his well-deserved paycheck, but it was missing. Naturally, he assumed it was a technical problem and sent a message to the CFO asking for an update. That’s when things took a strange turn.
“Oh, I just changed banks like you asked,” the CFO replied. Nekvinda was taken aback. “What?” he replied, a mixture of shock and confusion setting in. It appears a fraudster convinced the CFO to redirect Nekvinda’s paycheck to a fraudulent account.
“Someone was able to clone my internal ID, send an email, then come back and delete their account, making it look like it was me,” he said. “That meant that our company then had to change its policies for these kinds of things: we had to do additional validation.”
“Always at the top of the list”
In 2024, Tel Aviv-based Check Point Software Technologies saw a record increase in business cyberattacks worldwide, with an unprecedented increase in frequency and complexity compared to previous years.
In the third quarter, the average number of cyberattacks per organization each week was 1,876. This represents a massive 75% increase from 2023. The year also marked what observers consider the biggest disruption in history.
National Public Data, a Florida-based data broker specializing in background checks, suffered a cyberattack so devastating that it was forced to declare bankruptcy in October. The initial number of victims appeared to be around 1.3 million, but some reports suggest that data on 2.9 billion individuals, living and dead, was eventually revealed.
Sensitive information (social security numbers, names, addresses, emails and phone numbers) was stolen and then put up for sale on the dark web.
In addition to filing for bankruptcy, the company now faces several class action lawsuits and possible civil penalties from at least 20 U.S. states. It’s scenarios like these that may prompt a business to step up its protection, especially if it operates in an industry where customer information is very sensitive.
In the travel management industry, for example, “cybersecurity and cyberattacks pose a real threat and are always at the forefront of our minds,” Christopher Clarke, chief financial officer of World Travel, tells Global Finance.
Given that World Travel manages an immense amount of payment card industry (PCI) data, the level of risk is particularly high. This is especially true since the company is “airline dependent,” explains Clarke.
“Any type of cyber attack that affects them will ultimately affect our customers and our travelers,” Clarke says. “Every time I hear about an attack, I try to analyze what happened and what we need to do to make sure the same thing doesn’t happen to us.”
In 2023, the so-called MOVEit cyberattack targeted file transfer software used by various carriers, including British Airways, Aer Lingus and Allegiant Air. Since then, there has been no shortage of large companies in similar scenarios.
Microsoft encountered a breach in July that exposed sensitive information, with customer data apparently accessible to unauthorized entities. This incident has heightened concerns about endpoint vulnerabilities and gaps in cloud data security, particularly when managing corporate and personal data in the cloud.
Meanwhile, Marriott Hotels faced a new attack on its systems. Hackers infiltrated Marriott’s servers, accessing customer data including contact details and reservation details, marking the company’s fourth major data breach in the last six years.
Aflac, a major insurer, was also the victim of a breach, highlighting the financial sector’s exposure to cyberthreats.
Perhaps the most surprising and ironic case involved cybersecurity leader CrowdStrike, although it was not a data breach in the traditional sense. The Austin, Texas-based company experienced a widespread IT outage due to a misconfigured update to its Falcon sensor software. This issue caused disruptions to various systems and affected millions of devices. And threat actors typically use widespread computer outages for phishing and other malicious activities.
Attacks from the old and new schools
Steve Garrison, senior vice president and head of brand development strategies at Stellar Cyber, predicts that cyberattacks will only become more innovative, especially as deepfake technology becomes more prevalent. “That’s one of our predictions for 2025,” Garrison says, citing hacker groups in North Korea, Iran, parts of China and Russia.
“It could be that the voice of the CFO is now usurped [on a call],” he adds. “But I still challenge you to hang up and call [the real] CFO and say, ‘Did you just call me and ask me to transfer $100,000?’”

The positive side of this growing threat is that 80% of cyberattacks are “old school,” says Garrison. They play on our propensity to click and react, like the incident with Nekvinda’s CFO.
Hackers also tend to take their time. “Most ransomware attacks are launched six months before the event actually happens,” says Garrison. “They find a low-level device or person, enter the environment, search and look for where the real crown jewels are. Then they finally reached the goal.”
Regardless, today’s CFOs can no longer afford to view cybersecurity as a distant IT concern, Clarke says. “It’s a problem for anyone in our organization who sits at a computer and can unknowingly give access to our networks,” he says.
Financial executives make high-stakes decisions about budget allocations for cybersecurity initiatives, from real-time threat monitoring to advanced firewall protections.
As Clarke says, a CFO’s job is to provide the budget the company needs to deploy a suite of various tools and protect data. “The tools are expensive, which limits funds that could have been used elsewhere in our organization,” he says.
“We also provide online training for our team to keep cybersecurity at the forefront so we can always strive to stay one step ahead,” adds Clarke.
Many CFOs seek to balance spending on preventative technology with spending on business development – a tricky game when the risks are existential.
For Clarke, it’s worth it.
“If we are shut down because of an attack, it will cost far more than any investment we make to protect ourselves,” Clarke says. “The business risk of not investing in tools. This would also make us uninsurable, which is a requirement for many of our customers.”