
Cybersecurity Action Plan: 7 Tips for Small Business CFOs

A data security breach is one of the CFO’s biggest nightmares. The bad actors are getting creative at their trade, causing our nightmares to become increasingly vivid and scary. Your nightmares may entail viruses, worms, trojans, spyware, bricking, and/or other malware. Or maybe they are triggered by phishing, crypto-jacking, man-in-the-middle attacks or zero-day exploits. 

These nightmares can be especially intense for the small business CFO who lacks a knight (e.g., a chief information security officer) to come slay the cyber-dragon. Here are seven practical actions CFOs can take to sleep better at night.

1. Build Personal Awareness

CFOs — especially small business CFOs — must take a leading role in protecting their organizations’ systems, networks, and programs from digital attacks.

First, though, you must build your awareness. Familiarize yourself with the types of cyber-attacks, cyber attackers, and defensive measures in your arsenal. Understand relevant laws and regulations regarding electronic transactions, consumer protections, cybercrimes, and privacy and data protection requirements (which can be quite complex for a global organization). And polish your risk management skills, gaining comfort with cybersecurity-related risk management tools and best practices.

2. Educate Your Finance Team

Employees often represent your weakest cyber link — potentially even members of your own team. While you would expect finance professionals to be attuned to the significant and growing risk of cyberattacks, it's possible that even a seasoned professional could be tricked into sending vendor payments to a bad actor’s account. It has happened before and will undoubtedly happen again.

For some employees, it’s a lack of awareness; for others, carelessness. Either way, if an employee clicks on a malicious link or provides sensitive information to a bad actor, the entire organization is at risk.

Require new employees to certify they understand your cyber policies and existing employees to renew their certifications annually. Provide company-wide training, including stories of cyber victims and tips on how to avoid being one of them. Conduct phishing campaigns, requiring anyone who “falls victim” to complete personalized training. And meet one-on-one with “victims” as necessary.   

3. Adopt Cyber Policies

Before employees can certify they understand and will follow your cyber policies, these policies need to be clearly defined. For many smaller organizations, however, they are not.

Consider implementing an acceptable use policy (to set expectations of employees when using computers), a communications equipment policy (to outline how equipment communicates data and acceptable ways to use this data), a risk assessment policy (to define who is accountable for assessing, classifying, and managing cyber risks), and a data breach response policy (to clarify who has accountability for what in case of a data breach).

4. Invest in Cyber Insurance

The question is more likely “when” than “if” your organization will face a cybersecurity incident, so consider investing in a standalone cyber policy to mitigate the risk of financial loss due to data breaches, ransomware attacks, and other incidents. The cost of this coverage has been steadily rising, though, especially for organizations with poorly designed and/or implemented cybersecurity programs.

Carefully review all attestations in the application, which must be complete and accurate. Make sure you fully understand your policy, including controls that must be in place (e.g., dual authentication, check pre-approvals, etc.), reporting turnaround time, and other requirements. And maintain a hard copy of the policy (just in case).       

5. Know and Mitigate Your Risks

You can more effectively assess your risks by designing and implementing a comprehensive cybersecurity program:

  • Select a framework, such as the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework, The Center for Internet Security (CIS) Control Framework, or the Information Systems Audit and Control Association’s (ISACA’s) Control Objectives for Information and related Technology (COBIT) Framework.
  • Conduct a baseline assessment, leveraging NIST CSF 1.1, which is organized into five key functions (i.e., identify, protect, detect, respond, and recover) and multiple activities (e.g., the protect function includes activities like protecting sensitive data, conducting regular backups, and training users). We worked through a comprehensive series of questions aligned with these functions and activities to identify strengths and potential gaps in our program.
  • Develop action plans and prioritize those action plans that address the most concerning gaps identified during your baseline assessment.

6. Develop Business Continuity and Related Plans

How will you respond amid an unfolding cyberattack? Will you be able to make good decisions during the stress and chaos of a live event?

Your ability to manage cyberattacks and other crises significantly improves if you have already documented actionable crisis management, IT disaster recovery, and business continuity plans, even if they are only loosely linked to the actual crisis at hand.

7. Adopt a Continuous Improvement Mindset

As the bad actors become increasingly creative, companies must become increasingly vigilant in assessing their threats and proactive in enhancing their cybersecurity programs. Conduct a new baseline assessment and compare it against your original, reassessing gaps and re-prioritizing your action plans. Stay attuned to new cyberattack schemes and best practices to prevent them from impacting your organization. Invest in automation and artificial intelligence to combat modern fraudster sophistication. And consider engaging an incident response firm or cybersecurity partner. In short, adopt a continuous improvement mindset.

For more information on how Old National Bank protects against financial fraud, visit our fraud prevention center.



This article was written by Steve McNally from CFO.com and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.
