Company brass is stepping into the digital front line, tapping coffers to defend against cyberattacks.
Each year, chief financial officers find themselves facing an increasingly complex landscape of cybersecurity threats that jeopardize their organizations’ financial stability and reputation. From ransomware attacks targeting confidential data to sophisticated phishing schemes exploiting payment systems, the stakes have never been higher—or more expensive.
“They are spending a tremendous amount of money on back-office solutions,” says Chris Nekvinda, a senior VP at Cannon Financial Institute.
Research firm Gartner expects corporate spending on information security worldwide to reach $212 billion in 2025. That’s a solid 15% jump from 2024’s estimated $183.9 billion.
The upside is that many of the organizations Nekvinda meets with, as part of Cannon’s professional development and training segment, seem willing to open coffers and spend what’s necessary to offset digital threats. The downside? Bad actors are wielding advanced tech, such as artificial intelligence and quantum computing.
“These threats are going to come from the everyday individual, too,” he predicts. “It’s going to be a real challenge, because there’s going to be such a requirement and an investment of network upgrades to be able to deal with those types of innovations.”
Without those upgrades, one well-executed phishing scheme, for example, could be catastrophic to either a company’s bottom line or to a personal bank account, Nekvinda explains. And he knows from experience.
Not long ago, Nekvinda logged into his Wells Fargo account expecting to see his well-deserved paycheck, but it was missing. Naturally, he assumed it was a technical glitch and casually messaged the CFO for an update. That’s when things took a strange turn.
“Oh, I just switched your bank like you asked,” the CFO responded. Nekvinda was taken aback. “What?” he replied, a mix of shock and confusion setting in. It seems a fraudster had somehow convinced the CFO to reroute Nekvinda’s paycheck to a fraudulent account.
“Somebody was able to clone my internal ID, send off an email and then come back and delete their account, so it made it look like it was me,” he said. “What that meant was that our company then had to change our policies for those sorts of things—we had to go to additional validation.”
‘Always Top Of Mind’
In 2024, Tel Aviv-based Check Point Software Technologies tracked a record-breaking increase in corporate cyberattacks worldwide, with an unprecedented surge in both frequency and complexity compared with previous years.
By the third quarter, the average number of cyberattacks per organization each week was 1,876. That’s a massive 75% increase from 2023. The year also marked what observers considered to be the biggest breach in history.
National Public Data, a Florida-based data broker that specializes in background checks, suffered a cyberattack that proved so devastating that it was forced to file for bankruptcy in October. The initial number of victims seemed to be roughly 1.3 million, but some reports suggest that data on 2.9 billion individuals—both alive and deceased—wound up being exposed.
Sensitive information—Social Security numbers, names, addresses, emails, and phone numbers—was stolen and subsequently placed for sale on the dark web.
In addition to filing for bankruptcy, the firm is now facing several class action lawsuits and potential civil penalties from at least 20 U.S. states. It is scenarios like these that can jolt a company into bolstering protection, especially if it operates in a sector where client information is highly sensitive.
In the travel management industry, for example, “cybersecurity and cyberattacks are a real threat and always on the top of our minds,” Christopher Clarke, CFO of World Travel, tells Global Finance.
Because World Travel handles an immense trove of payment card industry (PCI) data, the risk level is especially high. That’s particularly true considering the company is “dependent on airlines,” Clarke explains.
“Any type of cyberattack that affects them will ultimately affect our customers and travelers,” Clarke says. “Anytime I hear of an attack, I try to analyze what happened and what we need to do to make sure the same thing doesn’t happen to us.”
In 2023, the so-called MOVEit cyberattack targeted the file-transfer software used by various carriers, including British Airways, Aer Lingus and Allegiant Air. Since then, there has been no shortage of big-name companies in similar scenarios.
Microsoft encountered a breach in July that exposed sensitive information, with customer data reportedly accessible to unauthorized entities. This incident reinforced concerns about endpoint vulnerabilities and gaps in cloud data security, especially when handling enterprise and personal data in the cloud.
Meanwhile, Marriott Hotels faced yet another attack on its systems. Hackers infiltrated Marriott’s servers, accessing guest data that included contact information and reservation details, marking the company’s fourth major data breach in the past six years.
Aflac, a major insurance provider, also experienced a breach, highlighting the financial sector’s exposure to cyberthreats.
Perhaps the most surprising, and ironic, case involved cybersecurity leader CrowdStrike, although it was not a data breach in the traditional sense. The Austin, Texas-based company experienced a widespread IT outage due to a misconfigured update to its Falcon sensor software. This issue led to disruptions across various systems and affected millions of devices. And threat actors commonly use widespread IT outages for phishing and other malicious activity.
Old- And New-School Attacks
Steve Garrison, a senior VP and head of brand development strategies at Stellar Cyber, anticipates that cyberattacks are only going to become more innovative, especially as deepfake technology becomes more prevalent. “That’s one of our 2025 predictions,” Garrison says, citing hacking groups in North Korea, Iran, parts of China and Russia.
“It could be that the voice of the CFO is now being impersonated [on a call],” he adds. “But I would still challenge you to hang up and call the [real] CFO and say, ‘Did you just call me and ask me to transfer $100,000?’”
The silver lining to this growing threat is that 80% of cyberattacks are “old school,” Garrison says. They play on our propensity to click and react, akin to the incident that happened with Nekvinda’s CFO.
Hackers also tend to take their sweet time. “Most ransomware attacks are started six months before the event actually happens,” Garrison says. “They find a low-level device or person, they get inside the environment, and they poke around and look for where the real crown jewels are. Then they finally hit the goal.”
Regardless, today’s CFOs can no longer afford to view cybersecurity as a distant IT concern, Clarke says. “It is an issue for anyone in our organization who sits in front of a computer and can unknowingly provide access into our networks,” he says.
Financial leaders are making high-stakes decisions on budget allocations for cybersecurity initiatives, from real-time threat monitoring to advanced firewall protections.
As Clarke tells it, a CFO’s job is to provide the budget the company needs to deploy a suite of various tools and safeguard data. “The tools are expensive, and that then restricts funds that could have been used elsewhere in our organization,” he says.
“We also provide online training for our team to keep cybersecurity in the forefront so we can always strive to stay one step ahead,” Clarke adds.
Many CFOs are seeking to strike a balance between the spending needed for preventative technology and that needed for business development—a tricky game when the risks are existential.
For Clarke, it’s worth it.
“If we are shut down due to an attack, it will cost far more than any investment we make in protecting ourselves,” Clarke says. “The business risk is not investing in the tools. That would also make us uninsurable, which is a requirement for many of our clients.”