Cybersecurity is now the burden of the CFO – Magic Post


The company’s top brass are stepping into the digital front line, tapping their coffers to defend against cyberattacks.

Every year, chief financial officers find themselves facing an increasingly complex landscape of cybersecurity threats that put their organizations’ financial stability and reputations at risk. From ransomware attacks targeting confidential data to sophisticated phishing schemes exploiting payment systems, the risks have never been higher – or more expensive.

“They’re spending huge amounts of money on back-office solutions,” says Chris Nekvinda, senior vice president at the Cannon Financial Institute.

Research firm Gartner predicts that corporate spending on information security worldwide will reach $212 billion in 2025. This represents a solid 15% jump from $183.9 billion in 2024.

The upside is that many of the organizations that Nekvinda meets, as part of Cannon’s vocational development and training sector, appear prepared to open their coffers and spend what is necessary to counter digital threats. The downside? Bad actors use advanced technology, such as artificial intelligence and quantum computing.

“These threats will come from ordinary individuals as well,” he predicts. “This will be a real challenge, because there will be such a requirement and investment in network upgrades to be able to handle these types of innovations.”

Without these upgrades, a well-executed phishing scheme, for example, could be disastrous to either a company’s bottom line or a personal bank account, Nekvinda explains. He knows from experience.

Not long ago, Nekvinda logged into his Wells Fargo account expecting to see his paycheck, but it wasn’t there. Naturally, he assumed it was a technical glitch and sent a casual message to the CFO asking for an update. That’s when things took a strange turn.

“Oh, I just changed your bank as you requested,” the CFO replied. Nekvinda was surprised. “What?” he answered, with a mixture of shock and confusion. It appears that a fraudster had somehow convinced the CFO to redirect Nekvinda’s salary to a fraudulent account.

“Someone was able to clone my internal identity, send an email and then come back and delete their account, making it look like it was me,” he said. “What that meant is that our company then had to change our policies regarding this type of thing, and we had to go through additional verification.”

“Always top of mind”

In 2024, Tel Aviv-based Check Point Software Technologies tracked a record increase in corporate cyberattacks around the world, with an unprecedented increase in both frequency and sophistication compared to previous years.

By Q3, the average number of cyberattacks per organization each week reached 1,876. This is a massive increase of 75% from 2023. The year also witnessed what observers considered the largest data breach in history.

National Public Data, a Florida-based data brokerage that specializes in background checks, was hit by a cyberattack that proved so devastating that it was forced to declare bankruptcy in October. The initial number of victims appears to have been around 1.3 million, but some reports indicate that data on 2.9 billion individuals – both living and dead – was eventually exposed.

Sensitive information — Social Security numbers, names, addresses, emails, and phone numbers — was stolen and later offered for sale on the dark web.

In addition to declaring bankruptcy, the company now faces several class-action lawsuits and potential civil penalties from at least 20 US states. It is scenarios like these that can prompt a company to step up protection, especially if it operates in a sector where customer information is highly sensitive.

In the travel management industry, for example, “cybersecurity and cyberattacks are a real threat and always top of mind,” Christopher Clark, CFO of World Travel, tells Global Finance.

Because World Travel handles a massive pool of Payment Card Industry (PCI) data, the level of risk is particularly high. This is especially the case given that the company is “airline dependent,” Clark explains.

“Any type of cyber attack that impacts them will ultimately impact our customers and travelers,” Clark says. “Every time I hear about an attack, I try to analyze what happened and what we need to do to make sure the same thing doesn’t happen to us.”

In 2023, the so-called MOVEit cyberattack targeted file transfer software used by various airlines, including British Airways, Aer Lingus, and Allegiant Air. Since then, there has been no shortage of big-name companies in similar scenarios.

Microsoft faced a breach in July that exposed sensitive information, with customer data reportedly being accessed by unauthorized entities. This incident has reinforced concerns about vulnerabilities and gaps in cloud data security, especially when handling enterprise and personal data in the cloud.

Meanwhile, Marriott hotels faced another attack on their systems. Hackers infiltrated Marriott’s servers and accessed guest data that included contact information and reservation details, marking the company’s fourth major data breach in the past six years.

Aflac, a major insurance company, was also hacked, highlighting the financial sector’s vulnerability to cyber threats.

Perhaps the most surprising and ironic case involved cybersecurity leader CrowdStrike, although it was not a data breach in the traditional sense. The Austin, Texas-based company experienced widespread IT outages due to a faulty update to its Falcon sensor software. This issue caused disruptions to various systems and affected millions of devices. Threat actors typically use large-scale IT outages for phishing and other malicious activities.

Old and new school attacks

Steve Garrison, senior vice president and head of brand development strategies at Stellar Cyber, expects cyberattacks to become more innovative, especially with the spread of deepfakes. “This is one of our predictions for 2025,” Garrison says, citing hacker groups in North Korea, Iran, parts of China and Russia.

“It is now possible to impersonate the CFO’s voice (in a call),” he adds. “But I will still challenge you to hang up and call the (real) CFO and say, ‘Did you just call me and ask me to transfer $100,000?’”


The upside to this growing threat is that 80% of cyberattacks are “old school,” Garrison says. They exploit our tendency to click and interact, similar to the incident with Nekvinda’s CFO.

Hackers also tend to take their sweet time. “Most ransomware attacks start six months before the event actually occurs,” Garrison says. “They find a low-level device or person, get into the environment, look for where the real Crown Jewels are. Then they finally hit the target.”

Regardless, today’s CFOs can no longer view cybersecurity as a distant IT concern, Clark says. “It’s a problem faced by anyone in our organization who sits in front of a computer and can inadvertently provide access to our networks,” he says.

Finance leaders are making high-stakes decisions about budget allocations for cybersecurity initiatives, from real-time threat monitoring to advanced firewall protection.

As Clark says, the CFO’s job is to provide the budget the company needs to deploy a variety of tools and protect data. “The tools are expensive, and this limits funds that could be used elsewhere in our organization,” he says.

“We also provide online training to our team to keep cybersecurity at the forefront so we can always strive to stay one step ahead,” Clark adds.

Many CFOs strive to balance spending needed for preventative technology with spending needed to grow the business — a difficult game when the risks are existential.

For Clark, it’s worth it.

“If our services were shut down due to an attack, that would cost far more than any investment we make to protect ourselves,” says Clark. “Business risk in not investing in tools. This would also make us uninsurable, which is a requirement of many of our clients.”
