Sourcing work-from-home-related technologies
Yes, your CIO is responsible for ensuring the folks at your company can work from home. However, it’s still you who is responsible for all the costs, especially since your CIO has probably spent their budget by now.
Time pressure shouldn’t stop you from asking the very basic questions: “Do we really need to buy this?” and “Is this the best sourcing option available?”
Despite the current urgency, challenge simple answers and keep asking additional questions, most importantly about future costs. Your CIO might not care while under such pressure, but some sourcing options bear the risk of so-called vendor (or technology) lock-in. Put simply, an existing provision might make it easy to get out of a contract with a vendor, but doing so could prove surprisingly costly. Ask your CIO what it would really take to change vendors or even the technology chosen.
Remember, flexibility is king – this is one takeaway from this crisis that is clear even now, when the crisis is far from over.
Adding scores of new employees working from home – and adding them overnight – increases your company’s exposure to risk.
Take the most-feared IT risk, ransomware, as an example. Do all your employees working from home have their devices protected with a reliable security solution? Have they been educated about security hygiene and the need to practice it?
If you think this is your CIO’s business, not yours, you’re wrong. Those questions relate to whether your insurance policy would cover you, or, at worst, they relate to possible direct financial losses.
Similarly, make sure your corporate lawyers and HR department have the paperwork done concerning the liabilities for what your employees do with their company-issued (or, at least, company-controlled) devices. Sure, it’s not your job to solve these issues – just ask the right questions and insist on relevant answers.
While every employee working from home poses an additional risk for your company, one of them stands out in terms of how costly a mistake might be – you. Remember that so-called CFO fraud – impersonating the CFO to persuade their subordinates to transfer money – costs companies billions each year. Now, with even fewer options for confirming requests, the chances grow that such an attack would succeed. With the crooks knowing this, the risk of having your employees targeted also grows.
Make sure your people are aware of this risk and insist that they adhere strictly to rules and guidelines. You might even want to have their resistance to this attack tested – such a test is easy to conduct and may provide invaluable experience to your people.
Resilience to cyberattacks
CFO fraud is a very specific type of attack with an extremely low number of possible targets – after all, not everyone in your organization is authorized to conduct a bank transaction. However, even people with legitimate access to your corporate network can cause a disaster if acting negligently.
Opening an innocuous-looking email attachment may end with your organization paralyzed with ransomware or having valuable corporate information siphoned off.
Ask your IT security team to create a simulation to test whether your employees can resist the temptation to click on everything that looks interesting. Besides coronavirus and other scammable topics, the lures might be specific to what the employees in your department expect to deal with. Help design a really tempting lure to make the test relevant for attacks by dedicated and knowledgeable actors.
Supply chain disruptions
As a CFO, you are used to ensuring your company’s business partners, and more importantly those along your supply chains, do not pose a risk for your company. In normal times, it’s their financial situation that matters: as long as they don’t show any signs of financial stress, you don’t question their reliability. So, you pay for some services that assess their creditworthiness, and until a red flag shows, you consider your supply chains to be fine.
With COVID-19 threatening to put whole businesses out of operation, you can no longer consider your partners’ creditworthiness score a key measure of viability. Coronavirus-related information is what you should now be seeking.
As an alternative to established service providers, consider contracting local freelancers. The process of contacting and contracting freelancers has changed dramatically in recent years. Services like Upwork and Freelancer have made it easy to locate additional resources. In addition to finding people with specialized expertise, it is often possible to engage them relatively cheaply and on flexible terms.
On a side note: Remember that those who hunt for valuable information about your business partners might end up being in possession of “material information” that must be disclosed in compliance with applicable regulations. Make sure your contract with the freelancers covers this compliance risk.