CYBER AND DATA SECURITY IN THE MIDDLE MARKET



TABLE OF CONTENTS

Introduction: As Digital Ecosystem Grows, So Do Cyber-Threats ... 1
Chapter 1: Cyber-Hackers: Waging War Against an Invisible Enemy ... 2
Chapter 2: Enlisting Employees to Fight Hackers ... 6
Chapter 3: Finance and IT: Partners in Cyber-Crime Fighting ... 11
Chapter 4: Cyber-Insecurity: Are Finance Executives Overlooking Third-Party Risk? ... 15
Chapter 5: As Security Becomes a Priority, Will Checks Be Written Off? ... 19
Chapter 6: Cards in a Cyber-Secure Company: Receiving Payments ... 23
Conclusion: With Improved Security Posture, Companies Gain Better Standing ... 26


INTRODUCTION: AS DIGITAL ECOSYSTEM GROWS, SO DO CYBER-THREATS

The language of cyber-hacking may seem clumsy and amateurish—with makeshift words like “phishing” and “ransomware” used to describe specific techniques—but the consequences of a data breach can be devastating to a company’s finances and its brand reputation. And there’s no single way to block virtual intruders, whose schemes are constantly evolving. For finance executives and their C-Suite peers, the ongoing challenge is to remain informed and mobilized to respond should an outsider break into the company’s network.

A recent survey found that the need to confront cyber-hackers, and thwart them, unites U.S. finance leaders across industries. The survey, titled Cyber and Data Security in the Middle Market, was conducted by CFO Research, in collaboration with Visa and U.S. Bank. The online questionnaire drew 316 responses from U.S. finance executives, a plurality of whom hold the title of CFO, with controllers also amply represented. All respondents work at companies with annual revenue of more than $25 million and up to $500 million.

As digital ecosystems continue to expand—reshaped by fast-spreading technologies like the Internet of Things and Artificial Intelligence—finance executives can expect that cyber-hackers will grow proportionally more sophisticated. That means cybersecurity must become a top-most priority throughout the organization. How will that collective mindset shift reorganize the business? In the eBook ahead, you’ll learn how an organization is transformed by focusing on cybersecurity, ranging from changes in how employees work, to which functions must collaborate more closely, to what processes, such as payments, will undergo technological makeovers.

Hindering hackers means more than keeping up to date by installing the latest automated threat-protection tools. For safety’s sake, it requires building an organizational culture centered on accountability and awareness.


CYBER-HACKERS: WAGING WAR AGAINST AN INVISIBLE ENEMY

When it comes to cybersecurity, the advice CFO Rick Mills gives to fellow finance executives is straightforward—and chilling. “Until your company has been hit by an attack,” says the finance chief of online retailer Headsets.com, “you probably think you’re more protected than you are.”


Mills isn’t trying to amplify the anxiousness finance executives already feel about the cyber-crooks that are constantly circling, testing different tools for cracking open a company’s network. “As an individual, it’s discouraging to know that there are people out there who are focusing on hacking your data and taking your site down,” says Mills. “But I’ve gotten numb to that. We’re doing the best we can, but I’ve learned that it’s pretty impossible to become immune to them.”

It’s a lesson Mills absorbed the hard way. But the CFO Research survey found that most CFOs are hyper-alert to and ultra-concerned about coming under attack by cyber-hackers—even if they haven’t been drawn into hand-to-hand combat with their invisible foes. As one survey respondent instructs, “Always assume that someone is trying to get access to every process and bit of information possible, and be vigilant in following the proper procedures to help ensure nothing is compromised.”

Among survey-takers, only 21% have had business activities disrupted by hackers in the past two years—compared with the 37% who report having had physical property swiped during that same time frame. In terms of damage, the proportion of respondents whose companies have suffered the loss of customer data, financial assets, or intellectual property reaches no higher than 15% (see Figure 1).

FIGURE 1 BREACH FRONT: Has your company been the victim of any of the following security breaches in the past two years? (percentage answering “Yes”)
Physical property: 37%
Disruption of business activities due to hackers: 21%
Theft of customer information, theft of financial assets, and intellectual property: 15%, 15%, and 11%


Not that finance executives of middle-market companies consider their businesses, by virtue of their scale, to be less appealing targets to cyber-criminals. Only a quarter (25%) of respondents see their companies as “too small to be the target of cybersecurity breaches and data theft.” In their written answers to survey questions, respondents frequently describe the exhausting persistence required to safeguard their proprietary data. They advise “ongoing vigilance” and “constant checking,” as well as “keeping your eyes on every detail” and “being proactive, not reactive.”

Finance executives sound almost helpless when it comes to concretely capping the budget for cyber-defense. “Save the data by a very secure way, whatever it costs,” writes one respondent. Another, in a slightly less freewheeling mode, suggests “making cybersecurity a big portion of the IT spending budget.” What’s most important, as collectively communicated by the finance executives surveyed, is developing a realistic grasp of the risk, prioritizing the assets that most need protecting, and equipping the business to bounce back from any hacking-related event.

FIGURE 2 IT’S ABOUT TIME: Has a cybersecurity breach caused any of the following types of damage to your company in the last two years? (Respondents could choose multiple responses)
Lost time and other resources due to managing a security breach: 60%
Remaining categories (loss of valuable information; loss of revenue; loss of credibility with customers, suppliers, or the public; damage to the reputation and authority of the finance or IT function; loss of financial assets): 23%, 20%, 19%, 19%, and 15%


Such events may include unsuccessful cyber-attacks, which can expose vulnerabilities that require immediate securing. Among survey-takers, six in ten (60%) report having lost time and resources as a result of managing a security breach (see Figure 2).

What fuels the ever-escalating challenge facing finance executives is not just the relentlessness of cyber-hackers. Freshly emerging technology such as the Internet of Things (IoT) brings with it additional risks, requiring companies to make sure their web-connected devices, from factory machines to surveillance cameras, are fully secured.

The dynamic nature of the cyber-hackers makes them an especially stealthy opponent. Not long ago, cyber-criminals would infect desktop machines by enticing users to download fake toolbars. Then came malware—banking Trojans and the like—that was designed to burrow inside a machine and steal sensitive data such as log-in credentials. More recently, cyber-thieves have been unleashing “ransomware” on corporate networks.

As the name suggests, this category of malware, which is often spread via phishing emails, encrypts user files, then demands that users pay ransom to regain access. The first time it happened at Headsets.com, the thieves demanded just under $1,000—but were caught by the FBI. Last year, an attacker barraged the company’s site with fake traffic, shutting it down. The attackers demanded $200,000. As a result of having its site shut down intermittently for a day and a half, Headsets.com lost about $15,000 off its net margin. The company also ended up hiring a service that screens its web traffic for about $35,000 a year.

“You don’t think you need something like that until you find out that you really need it,” says Mills. “In fact, we were probably getting off cheaply by not having that service for a long time. When these kinds of attacks hit your company is when you find out how common they are.” The answer, by his calculation: too common.


ENLISTING EMPLOYEES TO FIGHT HACKERS

By now, finance executives know that cyber-thieves are constantly looking for ways to climb over, or tunnel under, their firewalls. What they may not realize, however, is that the gate is frequently left unlatched—by their own employees. They’re doing so inadvertently. It’s not as if most employees are secret cyber-hackers, waiting for the day (their last one, retroactively) when they can set loose an email worm capable of compromising the company’s proprietary data. In the survey, in fact, the majority of finance executives, 56%, confirm that they view current or former employees as little or no threat. By comparison, 67% of respondents consider hackers or cyber-criminals to be a moderate or severe threat.

Survey-takers assessed several different aspects of their companies’ awareness—and preparedness—in terms of successfully guarding against cyber-intruders. In their answers to questions, finance executives offered evaluations of their companies’ technological tools and skills when it comes to repelling hackers, as well as how much of a priority it is for the management team and for employees.

Most respondents say they believe that their company’s technology is up to the task of deterring hackers. More than three-quarters of respondents agree that their company has deployed the appropriate technology for effectively managing cybersecurity (see Figure 3). As one respondent urges, “Maintain an up-to-date security system and monitor the same on regular basis in real time.”

FIGURE 3 SECURITY GUARD: Our company has deployed the right technology to manage cybersecurity effectively.
Agree strongly: 25%; Agree somewhat: 53%; Disagree somewhat: 11%; Disagree strongly: 4%; Don’t know: 7%


A nearly identical proportion agrees that their company possesses the expertise to effectively manage the cyber-threat (see Figure 4). Furthermore, the clear majority of respondents, 82%, agree that their company’s top executives treat cybersecurity with the appropriate gravity and seriousness. Asked to identify the most important step a CFO can take to make the finance function less vulnerable to cyber-threats, one respondent writes: “Due diligence from the top and upper management.” What matters most, offers another finance executive, is the “tone at the top.... take security practices seriously.”

That admonition doesn’t just apply to senior management. One survey-taker stresses the “need to be aware” and to “convey the importance [of cybersecurity] to management as well as employees.” Guarding against hackers needs to become an organizational priority, with every company member accepting accountability for deterring, detecting, and reacting to cyber-risks as they come up.

In the survey, just under one-quarter (24%) of respondents say they agree strongly that their “rank-and-file employees treat cybersecurity with the gravity and seriousness that it warrants.” By comparison, 45% of finance executives agree strongly that their top executives approach the issue with the attention required.

FIGURE 4 KNOW HOW: Our company has the technical expertise required to manage cybersecurity effectively.
Agree strongly: 24%; Agree somewhat: 55%; Disagree somewhat: 12%; Disagree strongly: 5%; Don’t know: 5%


In their written comments, as well as during follow-up interviews, finance executives drew a connection between employee awareness and outsider access. A critical tool for keeping the cyber-pirates from sneaking aboard is, as one respondent writes, to “make employees aware of the potential threats so that they can recognize and prevent them.” One respondent’s advice summarizes the issue simply: “Ensure that all systems are password protected and that staff is appropriately trained to look for these issues.”

What can go wrong? As they become ever-more skilled at taking advantage of cracks in corporate systems, hackers can now target employees with emails that are close to dead ringers for those sent by colleagues or business partners—the phenomenon known as “phishing.” At Temkin International, a manufacturer of plastic packaging products, an email that appeared to come from a vendor included instructions for wiring payment to them. “We wired the money,” says Controller Dalan Andersen, “and we’re still trying to figure out what happened. That’s a fishy one.” In any case, it’s become clear that the vendor had nothing to do with it.

Andersen himself has received emails that “look exactly like they are coming straight from our owner. He keeps asking me to send him money by wire.” Despite the persistence of these emails, Andersen knows better. “I know he’s not the type to ask me to do that over email,” he says. He also knows that neither he, nor the company’s 400 employees, can depend on his instincts to fend off cyber-hackers. “The hackers are coming up with new stuff all the time, and I should know about it before it shows up in my inbox,” he says. “I read as much as I can. But I probably need to get better training.”

He’s hardly alone. Asked whether their employees have access to training/education about recognizing and acting on cyber-threats, only one-quarter of respondents say they agree “strongly,” with almost half choosing to agree “somewhat.” Finance executives clearly see room for improvement (see Figure 5).

FIGURE 5 WORKING KNOWLEDGE: Our company/employees have access to training/education on recognizing cyber-threats and acting on them.
Agree strongly: 25%; Agree somewhat: 46%; Disagree somewhat: 15%; Disagree strongly: 10%; Don’t know: 5%

In their responses to open-text questions, respondents often suggest that employees must be made more aware of the policies and procedures they need to follow, from how they choose passwords (seven characters, combining alpha and numeric characters) to when they change them (every 60 days). One respondent’s checklist: “Change passwords regularly, make sure you don’t open spam or spoof emails, and help support investments in cybersecurity.”

In the absence of seeing an easy way in, cyber-hackers will often choose to stay away.


FINANCE AND IT: PARTNERS IN CYBER-CRIME FIGHTING

It sounds like the cyber-secure workplace of the future: where to gain entrance employees present an ID card and a fingerprint, where using a printer means swiping it with a key fob, and where it costs hundreds of thousands of dollars a year to maintain a high level of data security certification.


That begins to describe The Judge Group, an organization focused on sealing the kind of gaps in its security systems that cyber-hackers try to exploit. Based in suburban Philadelphia, the company isn’t some updated version of Biosphere 2 (the giant, closed-system hothouse used for ecological experimentation in the 1990s), nor is the business mired in the intrigue of international espionage. With over $400 million in revenue, The Judge Group places roughly 5,000 people a year in IT and healthcare positions. “We have a lot of pieces of private information, and we take that risk very seriously,” says CFO Robert Alessandrini. “There are always rogue hackers trying to hack anything. We’ve got to be diligent and have the protective layers so that everything gets stopped outside the bubble.”

Inside the bubble, the task of defending against cyber-hackers is coordinated by the company’s director of cybersecurity, who combs through logs and records every day and coordinates with security-related vendors. When it comes to managing cybersecurity, middle-market companies tend not to rely on separate departments, or even specially assembled teams, to quarterback the effort. In a recent survey, one finance executive explained that “the Cyber Risk Committee drives our cyber risk mitigation efforts—a committee comprising the CIO, CFO, CHRO, and Security VP.”

For the most part, the survey found, middle-market businesses look to the IT function. In describing their company’s organizational strategy for managing cybersecurity, about three-quarters report that “cybersecurity is governed and managed by the information technology function.” (See Figure 6.) “Having a strong IT department is paramount,” as one survey-taker puts it.

By contrast, only 12% of respondents say that cybersecurity at their companies is centered in the finance function. But in their responses to open-text questions, finance executives stressed the need for the departments to collaborate, agreeing on strict guidance and carefully orchestrated steps that the rest of the company can follow.

As technological transformation changes the nature of emerging cyber-threats, it’s up to the two functions to implement upgrades on security-related processes and policies, ensure the performance of regular audits, and zero in on defending against future challenges. In their advice to other CFOs regarding their role in cybersecurity, respondents frequently bring up the imperative for finance to interact with IT. Finance executives need to have “ongoing communication with the head of IT to stay up-to-date on cybersecurity issues,” writes one finance executive. Another urges fellow finance leaders to “stay informed and up-to-date with a strong cyber IT team.” Others advise “working closely with IT,” “keep a close relationship with the IT department,” and “communicating with the IT team…to ensure that we are all constantly apprised of potential threats.” Writes one respondent: “Coordinate with IT staff to assure that all new systems are vetted by our IT group to make sure they are secure.”

Aside from being attentive, finance executives also encourage their peers to help IT in a more concrete way: by giving the function the resources it needs for cyber-related initiatives. “Support the IT function with their security policies and requests,” writes one respondent. More specifically, writes another: “Make cybersecurity a big portion of the IT spending budget.”

How big should that line item be? Perhaps reflecting the sense of urgency CFOs feel as technological tools like the cloud, mobile, and social seem to increase their exposure, the “whatever it costs” position is not uncommon. This view, rare for the CFO, no doubt makes allies of the folks in IT.

FIGURE 6 CYBER-CZARS: Which of the following statements best describes your company’s organizational strategy for managing cybersecurity?
Cybersecurity is governed and managed by the information technology function: 76%
Cybersecurity is governed and managed by the corporate finance function: 12%
Remaining options (governed and managed by a dedicated cybersecurity team; governed and managed by something else): 9% and 3%


Of course, keeping the cyber-hackers at bay requires more than dollars. Like a Neighborhood Watch program, employees need to supplement firewalls and encryption software with their own efforts. They need to draw attention to any deficiencies they detect. They need to follow security-related policies regarding, say, collaboration with internal or external partners. One survey respondent writes that it’s important to “ensure all employees in applicable positions are aware of security issues.”

How much training is enough? Rick Mills, CFO of Headsets.com, has calculated his own metric. “You have to train them enough times to where they are rolling their eyes and saying, ‘I get it. Don’t open up those emails.’ We bring it up a lot.”

Although it’s impractical to monitor employees’ every move, companies like Headsets.com do check up on how careful their employees are when it comes to evaluating email. The company uses a service that generates fake phishing-like messages and sends them to the company’s employees on a periodic basis. “We’re at the point where we don’t get too many who click on it,” says Mills—and when they do, the link takes them to a site that provides education about such malicious emails. At Lazydays, a $600-million RV dealership near Tampa, employees also receive what CFO Randy Lay refers to as “synthetic phishing campaigns” with subject lines like “Here’s the spreadsheet you asked about yesterday.” Lay says, “If you don’t know who it’s from and you didn’t ask for a spreadsheet yesterday, do not open it, that’s what we tell them. That’s how you get folks trained not to open malicious emails and download dangerous links.”

Even so, “the cyber-attacks are ubiquitous. We get hit every single day,” says Lay. Last year, when a new CEO took over, it took the hackers time to adjust—a month, to be exact. Then Lay started receiving phishing emails with the appropriate CEO’s name on them. “Given how savvy these people have gotten,” he says, “I consider that to be a small victory.”


CYBER-INSECURITY: ARE FINANCE EXECUTIVES OVERLOOKING THIRD-PARTY RISK?

In a fierce and fast-moving economy, companies are only as competitive as their partnerships enable them to be. But as common as it has become for businesses to replace, or complement, in-house capabilities with third-party agreements, they may be overlooking the cyber-risks they are acquiring in the process.


Such alliances allow companies to stay focused on their essential competencies, assigning other activities to organizations with the ability to perform them more efficiently. The web of agreements, which may include strategic suppliers, as well as providers of network security and data management, offers the tangible benefit of enabling companies to reduce costs. But the arrangements also expose companies to additional risks, offering a “side-door” through which cyber-hackers try to slip undetected, sneaking their way to a treasure trove of valuable data.

There’s not much companies can do to minimize that risk. At least that’s how many finance executives act, according to the study. Respondents express a keen awareness of the need to review their own company’s security systems, assessing controls in light of evolving cyber-risks. By doing so, they can gain an understanding not only of their existing capabilities but also of the investments they need to protect their information from future hacking incidents. For the finance function, the challenge has become figuring out how to protect the company’s data without stifling innovation. As companies shift technological tools to accommodate growth, they open up new security risks.

Explaining the most effective step a CFO can take to reduce the finance function’s vulnerability to cyber-hacks, one respondent writes: “Ensure regular audits are performed on IT security and hold proper insurance in case of a loss.” Another advises fellow finance leaders to “perform an independent audit of the area.” Adds a survey-taker: “Periodic audits.”

Many respondents aren’t just paying lip service to the idea, apparently. In the survey, nearly half—48%—say they have conducted formal assessments of their cybersecurity efforts for all systems, locations, and business units in the last two years. An additional 22% report that they do the same for some systems, locations, and business units. (See Figure 7.)

However, cyber-criminals have pulled off some of the highest-profile data breaches—including Target, which had its network hacked through a subcontractor—by stealing credentials from a third-party vendor. By targeting outsourced providers of payroll services, for example, cyber-thieves have pilfered identities and filed fraudulent tax returns.

Even if the employees at your company are following proper procedures—in terms of handling company data—that’s no guarantee that outsourced workers have been trained to follow those procedures. Finance executives at middle-market companies find themselves in a bind; their need to turn to partners also opens up more data-access points. “To be honest,” one survey respondent writes, “outside, third-party expertise is required to be as safe as possible. Internally, we do not have the manpower or experience.” (Paradoxically, more companies will need to outsource cybersecurity in coming years as a result of a growing shortage of workers with the requisite skills.)

Whether as a result of cost-consciousness—which is typically the catalyst for outsourcing functions—or lack of urgency, only about one in five finance executives who participated in the survey say they frequently evaluate the security efforts of their suppliers and customers. (See Figure 8.) Combined with those who say that their companies occasionally review suppliers and customers, the proportion reaches 56%, a far cry from the 70% that have done at least some review of their own security situation. And while only 15% say they conduct no formal evaluation of their own preparedness, 31% echo that sentiment about evaluating their external partners.

The absence of consistent audit procedures coincides with a time when cyber-attackers are growing more sophisticated. “Keep measures up to date always,” one respondent offers by way of advice to peers in the finance function. Another describes the greatest security challenge as “keeping ahead of hackers.”

FIGURE 7 ASSESSING CAPABILITIES: Has your company conducted a formal assessment of its cybersecurity policies and systems in the last two years?
Yes, for some systems, locations, and business units: 48%
Yes, for all systems, locations, and business units: 22%
No: 15%
Don’t Know: 16%

Clearly, conducting formal reviews has a role in that battle. Yet only 18% of survey respondents report that customers and vendors have frequently formally evaluated their company’s security policies and procedures. And just 28% have been reviewed occasionally. Given the value of data in the digital economy—where competitive advantage can be built on credit card numbers and social security information—the risks of increased vulnerability through third parties are only going to get higher.

FIGURE 8 UNDER REVIEWED: Does your company formally evaluate the security policies and practices of its suppliers and customers?
Yes, frequently: 21%
Yes, occasionally: 35%
No: 31%
Don’t Know: 13%

AS SECURITY BECOMES A PRIORITY, WILL CHECKS BE WRITTEN OFF?

In the realm of business-to-business payments, checks remain king—but their reign may soon be overthrown. For growth-minded finance executives, the need to optimize their payments processes is becoming a priority, and not simply because they want to reduce transactional costs or gain better control over the timing of their payments. The momentum to switch to electronic payment systems is partly fueled by the security issues surrounding paper checks. “Checks are vulnerable,” says Robert Alessandrini, CFO of The Judge Group, a staffing firm. “I would get rid of them entirely, if it were up to me. But we’re a few years from that.”

What’s the hold-up? In some cases, vendors aren’t ready to make the switch. “We’re pretty much still using paper checks,” says Tim Marquardt, CFO of Max Credit Union in Montgomery, Ala. “To make the transition, you have to coordinate with vendors. More and more, they are ready to do it.”

In the survey, 72% of finance executives say that they use paper hard-copy checks either “very frequently” or “frequently.” Direct payment services such as automated clearing house (ACH) and electronic funds transfer (EFT) weren’t far behind, attracting 64% of “frequent” or “very frequent” users. Corporate cards/purchasing cards were next at 52% (see Figure 9).

In their written answers to survey questions, finance executives reflect on the need to tighten their payment processing systems. One respondent writes that the most important move that CFOs could take to make the finance function less vulnerable to cyber-hackers was “moving to a paperless environment.” Another survey-taker writes of “use of significant controls over cash transactions,” reflecting an awareness of the company’s vulnerability.

FIGURE 9 MAKING CHANGE: How often does your company use each of the following methods to pay its vendors and suppliers? (percentage selecting “very frequently” or “frequently”)
Physical hard-copy checks: 72%
Direct payment through automated clearing house (ACH) or electronic funds transfer (EFT) transactions: 64%
Corporate credit cards/procurement/purchasing cards: 52%
Cash/currency: 14%

Then again, switching to electronic payment processes presents its own challenges for finance executives. One finance executive writes that the company’s biggest challenge is “moving more to ACH/Electronic methods, but maintaining the security and integrity of confidential company and customer information.” Another says “security with online payments” is a top concern.

As the number of transactions grows—along with their confidence in the technology—finance executives may be drawn to start using cards to pay vendors and suppliers primarily because they are faster and less costly. While ACH is a big improvement over checks in terms of security, purchasing cards offer yet another distinct advantage: while payments made via ACH are disbursed immediately, cards give the finance function time between when the purchase is made and when the money is disbursed. That gap can become the key to reducing working capital requirements.

FIGURE 10 COMPARISON – PAYING VENDORS AND SUPPLIERS: How well do these payment mechanisms serve the following requirements when paying vendors and suppliers? (normalized percentage of respondents indicating that a payment mechanism does an “excellent” job)
Requirements rated: security and protection from fraud, theft, hacking, or cyber intrusion; availability of accurate and transparent audit trail of transactions; prompt payment of accounts receivable; convenience for transaction partners.
Series: ACH/EFT and cards. Chart values in extraction order: 96%, 95%, 96%, 89%, 95%, 81%, 98%, 94%.

The closer finance executives look at cards, however, the more benefits they may appreciate, such as cash rebates for all purchases as well as robust reporting. And when respondents graded both ACH and cards on four crucial qualities, the two were nearly tied in terms of the percentage of survey-takers who ranked them as “excellent” in terms of providing “prompt payment of accounts receivable” and “convenience for transaction partners.” (See Figure 10.)

The pace at which middle-market finance executives seem to be moving toward corporate and purchasing cards may be a by-product of their current mindset. Having managed several technological transformations—whether exchanging on-premises technology for the cloud or expanding mobile platforms—finance chiefs may be suffering from undiagnosed transformation fatigue.

If that’s the case, they are likely to receive the motivation they need from their suppliers and vendors. As suppliers become more comfortable with cards—and more knowledgeable of the benefits they provide—they become supporters. By getting paid faster, they may be able to stay away from using more costly financing options. For both suppliers and vendors, the transition to cards can help in making their own operations more efficient—by providing better data for forecasting, for example.

Such benefits take time to fully materialize. But forward-looking CFOs know that the laborious system of processing checks is also making their companies more vulnerable to cyber-hackers. The sooner they start making the transition to cards, the sooner their companies will see the payoff.

CARDS IN A CYBER-SECURE COMPANY: RECEIVING PAYMENTS

Mike Steele knows better than to expect that any weapon he deploys against cyber-hackers will defeat them completely. “We anticipate what will help us reduce any losses,” says Steele, VP of accounting and controller of the Lake Michigan Credit Union. “We look for any technology that will give us significant advantages.”

Lately, for card issuers this has meant shifting from issuing magnetic striped cards to chip-equipped EMV cards (the initials refer to standard-setters Europay, MasterCard, and Visa), which are far more secure. Even with merchants upgrading their payment terminals to accept the new cards, the change “won’t stop the hacking,” says Steele. With over 460,000 members, Michigan’s largest credit union, like every financial institution, will have charge-offs for fraud as a result.

Steele ranks ACH, the electronic payment service, as “reasonably secure.” He adds: “We haven’t had any significant problems with those transactions that are done via ACH. But that’s not to say there couldn’t be an issue.”

As for corporate and procurement cards, Steele observes that the card processors “have fairly good fraud detection nowadays. And from what I understand, they get better and smarter all the time.”

In the survey, finance executives say they consider cards roughly on par with electronic payments services ACH and EFT in areas such as promptness of payment and convenience. While 95% of respondents ranked ACH/EFT performance as “excellent” in terms of security and protection from fraud, 83% graded cards on that level (see Figure 11).

FIGURE 11 COMPARISON – RECEIVING PAYMENTS FROM CUSTOMERS: How well do these payment mechanisms serve the following requirements when receiving payments from customers? (normalized percentage of respondents indicating that a payment mechanism does an “excellent” job)
Requirements rated: security and protection from fraud, theft, hacking, or cyber intrusion; availability of accurate and transparent audit trail of transactions; prompt payment of accounts receivable; convenience for transaction partners.
Series: ACH/EFT and cards. Chart values in extraction order: 98%, 96%, 96%, 91%, 95%, 83%, 99%, 92%. On security, the text reports 95% for ACH/EFT and 83% for cards.

However, with the introduction of chip/EMV technology, that gap is closing fast, and corporate cards offer the advantage of rebates and/or rewards along with the benefit of cash float. In fact, cards stack up very favorably in all the requirements tested in the survey. In addition, survey respondents also cited the ubiquity of card acceptance as a strong driver to receive payments more efficiently and securely.

As part of the survey, finance executives were asked to identify the biggest challenge their organization’s payments function would face in the next year. Writes one: “Converting to corporate card payment.” Another respondent identifies “integrating the new EMV chip card machines” as the highest hurdle in the near future.

Steele says that the credit union has “never had major losses” from the three dozen corporate cards it issues. While corporate cards may carry some risk, Steele points out that they also offer “some pretty robust reporting and visibility into transactions.” With that in hand, the credit union can analyze the data for particular retail outlets where it ought to encourage its customers to shop, based on the amount of interchange income it receives. “The data can also be helpful for budget forecasting,” says Steele. “We are always trying to look three-to-five years from where we are now.”

Aside from access to data on spending, as well as savings from improved control, corporate cards offer benefits such as convenience. And there are secondary gains as well. With better control over the payments process, finance executives can maximize discounts, minimize late-payment charges, and consolidate supplier relationships. CFOs can use the improved visibility to identify and mitigate practices that increase the risk of cyber-hacks. With a clearer assessment of the risks—both internal and external—the finance function can promote and implement the tools necessary to thwart the cyber-thieves. For now, anyway.

Cyber-hacking “comes in all sorts of flavors,” says Randy Lay, CFO of Lazydays RV. “We have information we need to protect, and a brand reputation we don’t want to lose. We’re out there fighting the attacks every single day.” For astute finance executives, that means always having a new—and effective—battle plan.

CONCLUSION: WITH IMPROVED SECURITY POSTURE, COMPANIES GAIN BETTER STANDING

Once companies devote more resources to battling cyber-crime, they may even discover some welcome, if unexpected, payoffs.

As training and technology combine to prevent breaches, companies will find that their improved security posture makes them much more appealing to customers who share their concern. As a source of differentiation—setting them apart from their more vulnerable peers—a corporate cybersecurity strategy can serve as a potent competitive advantage.

Communicating that cybersecurity is a top priority, and not just another aspect of risk management, tells customers, prospective and existing, how much the organization values the critical information that its users share. It’s a message that will be well-received by other stakeholders as well, such as investors, employees, and vendors.

Of course, it also sends a strong missive to any would-be cyber-hackers: There are less-defended places where they could be plying their misdirected skills. As much as they may love a challenge, they aren’t likely to linger if they can find more vulnerable targets—moving on to other targets is the only aspect of their mission you should actively seek to make easier.