A recent survey of top executives in the middle market has concluded that CFOs should not assume employees are educated about cybersecurity threats.
The survey – “Cyber and Data Security in the Middle Market” – was compiled using data from 316 online survey responses and 5 in-depth interviews. Focusing on companies with annual revenues of between $25 million and $500 million, the survey first asked what percentage of respondents had their business activities disrupted by cybersecurity issues within the past two years, and then what measures were being implemented to prevent future attacks. Phishing attacks are accelerating in 2017 and the problem will only get worse.
From the responses of the senior finance leaders, it was clear that virtual intrusions are commonplace. Although only 21% of respondents said their business activities were disrupted by hackers in the past two years, 60% admitted having lost time due to dealing with cybersecurity issues, 23% reported a loss of revenue due to a security breach and 19% acknowledged a loss of credibility with customers, suppliers or the public due to an adverse cybersecurity event.
Assumptions about Employee Education Can be Dangerous
One of the key findings of the survey was that more training on recognizing and acting upon cybersecurity threats is required further down the chain of command. CFOs clearly understand the threats from virtual intrusions – 82% agreed that cybersecurity was treated with “appropriate gravity” at the top level of their businesses. However, only 24% of respondents felt employees approached cybersecurity with the same level of importance.
Considering that cyberattacks can be targeted at anyone within a business, the conclusion drawn by researchers was that finance leaders should be more proactive in educating employees, and “set the tone at the top”. That conclusion was supported by findings that only 25% of CFOs feel their employees have access to adequate training and education, and that 46% of CFOs agreed there was room for improvement in their current training regimes.
But Are CFOs Responsible for Setting the Tone?
Most CFOs agree they should have some responsibility for managing cybersecurity. After all, it is often the finance department that suffers the most when a cyberattack is successful. However, only 12% of CFOs center their business's cybersecurity on the finance function. Most (76%) rely on the IT function to organize strategies and manage risks – although acknowledging it is important for the two departments to collaborate.
One of the most important takeaways from the survey was not to solely trust cybersecurity defenses, but to verify them as well. This is where CFOs can take responsibility and set the tone at the top by testing their business's own cybersecurity measures, improving access to employee awareness, and reducing the finance function's vulnerability to cyberattacks by conducting regular audits.