Key takeaways
- Deepfakes and social engineering get past technical controls by targeting people, putting finance teams and leaders in the crosshairs.
- The impact of a cyberattack lasts long after the incident. Customer loss, regulatory scrutiny, and drops in company value are common consequences.
- Most breaches begin with the human factor. Ongoing training, real-world practice, and open communication are critical to effective defence.
- Leaders model behaviours that foster openness and learning. A culture where mistakes are reported without fear is essential for early detection and rapid response.
- Proactive risk management builds true resilience. Clarify roles, run simulations, build cross-functional emergency teams, and invest in people.
- Compliance is just the starting point. Security must become a daily habit, with everyone taking part.
The financial reality of cyberattacks
Behind every cyberattack, there is a financial story, one that often unfolds in unpredictable and costly ways. For finance leaders and teams, the impact of a breach goes far beyond the initial ransom or theft. The fallout can disrupt entire operations, derail business plans, and leave a long shadow on reputation and company value.
Bastienne Föller, CFO of Tispayments, puts it plainly: “If you think about what interests cybercriminals, it’s always about money. Whether it’s ransom, or operational outages that lead to liquidity issues, business plans that have to be thrown out. At the end of the day, it’s always about money. And that’s what lands on my desk, something I see regularly in my work.”
TIS processes around €9.5 billion in payments every day for major financial institutions, making robust cybersecurity a hidden, yet essential, part of their product. “If that’s not in place, customers will leave,” Föller explained. Last year, during a company sale to a private equity firm, she saw how investors scrutinise not just revenue or profit, but a company’s cyber resilience. “They also carry out so-called penetration tests to see how secure the company is against such attacks. Because if something does happen, the company’s reputation can be quickly destroyed. Customers leave, business plans are obsolete, and company value drops. So, from a financing and investor trust perspective, this is a crucial issue.”
If you think about what interests cybercriminals, it’s always about money.

Bastienne Föller
CFO @ Tispayments
The risks are real and multiplying. According to Netwrix’s 2025 Cybersecurity Trends Report, 51% of organisations reported experiencing a security incident in the past 12 months, with phishing being the most common threat. In the US, ransomware attacks alone cost businesses billions in direct losses and insurance claims every year.
The impact extends beyond financial health. Customer attrition, negative media coverage, and regulatory scrutiny often persist long after the technical issues are resolved.
For finance teams, this means cyber risk has become a permanent fixture on the risk register. Boardrooms now view cybersecurity not just as IT hygiene, but as an essential pillar of business continuity and long-term value creation.
Yet, as the frequency and scale of attacks rise, it’s clear that financial losses often begin not with a failure in technology, but with a lapse in human judgment or behaviour. This shift in risk, from technical to human factors, demands a deeper look at how psychology influences an organisation’s defences.
Human psychology: the real “attack surface”
Ask most finance professionals how cybercriminals break through corporate defences, and many will point to technical vulnerabilities. Yet, research and frontline experience show a different reality: people, not systems, are the real “attack surface.”
Christian Reinhardt, Director of Human Risk Management at SoSafe, has studied the psychology of attacks for years. “About nine out of 10 attacks are conducted through the human factor,” he explained during the panel discussion. Attackers know that the fastest way past security controls is to manipulate, pressure, or deceive people inside the company, especially when money or authority is involved.
Criminals are highly organised, persistent, and professionally trained. “Most attackers are not just hoodie-wearing teenagers in a basement with pizza and energy drinks. We’re up against opponents who are very well resourced and, above all, psychologically trained. Our employees will be trained, either by us or by the attackers,” Reinhardt warned.
Classic attack methods exploit urgent requests, authority figures, or emotional triggers, tactics that can trip up even experienced staff. A good example is one of the first reported cases of a cyberattack using a voice clone: an employee at a UK-based energy firm received a call from someone who sounded exactly like his boss and who requested an urgent transfer of over €220,000 to the bank account of a Hungarian supplier. The fraudsters went so far as to mimic the executive’s German accent and tone. The lesson for finance teams is that a familiar voice is not verification: a payment instruction received by phone should be confirmed by calling the instructing person back on a number already on file, never on the number that called in.
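The procedural controls that would have stopped the voice-clone transfer above are easy to state but worth seeing as a concrete release gate. The following is an added example written for this page, not code from TIS, SoSafe or the panel; the vendor master, staff directory, threshold and payment requests are constructed assumptions. It encodes three checks a finance team can enforce regardless of how convincing the caller is: the beneficiary and IBAN must already exist in the vendor master (new payees and bank-detail changes go through onboarding, never through a payment), a verbal instruction must be confirmed by a callback to the instructing person’s number on file, and anything above a threshold needs an approver who is neither the preparer nor the person who gave the instruction.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed reference data (assumptions standing in for the vendor master and
# the staff directory; a real gate reads both from systems of record, never
# from the payment request itself).
VENDOR_MASTER: Dict[str, str] = {            # beneficiary name -> IBAN on file
    "Nordic Components AB": "SE3550000000054910000003",
}
STAFF_DIRECTORY: Dict[str, str] = {          # instructing person -> phone on file
    "CEO": "+44 20 7946 0000",
}
DUAL_CONTROL_THRESHOLD_EUR = 10_000.0        # assumption: above this, two people


@dataclass
class PaymentRequest:
    request_id: str
    prepared_by: str                 # employee keying the payment
    instructed_by: str               # who asked for it (name or role)
    beneficiary: str
    iban: str
    amount_eur: float
    verbal_instruction: bool         # asked for by phone or voice, not in the system
    callback_to: Optional[str] = None   # number the clerk dialled to confirm
    approvers: List[str] = field(default_factory=list)


def release_decision(req: PaymentRequest,
                     vendor_master: Dict[str, str] = VENDOR_MASTER,
                     directory: Dict[str, str] = STAFF_DIRECTORY,
                     threshold: float = DUAL_CONTROL_THRESHOLD_EUR
                     ) -> Tuple[bool, List[str]]:
    """Return (release, holds). Any hold blocks release; the list says why."""
    holds: List[str] = []

    # 1. Beneficiary and bank details must match the vendor master. A new payee
    #    or a changed IBAN is handled by vendor onboarding, never inside a payment.
    iban_on_file = vendor_master.get(req.beneficiary)
    if iban_on_file is None:
        holds.append("beneficiary not in vendor master")
    elif iban_on_file != req.iban:
        holds.append("IBAN differs from vendor master")

    # 2. A verbal instruction is confirmed by calling back the number on file,
    #    not the number that called in or was quoted during the call.
    if req.verbal_instruction:
        expected = directory.get(req.instructed_by)
        if expected is None or req.callback_to != expected:
            holds.append("no callback to the instructing person's number on file")

    # 3. Dual control above the threshold: an approver who is neither the
    #    preparer nor the person who gave the instruction.
    if req.amount_eur >= threshold:
        independent = [a for a in req.approvers
                       if a not in (req.prepared_by, req.instructed_by)]
        if not independent:
            holds.append("dual control: need an independent approver")

    return (not holds, holds)


def voice_clone_scenario() -> Tuple[bool, List[str]]:
    """Constructed request mirroring the voice-clone case: urgent, verbal,
    unknown Hungarian payee, and the 'boss' is the only approver."""
    req = PaymentRequest(
        request_id="PR-1001", prepared_by="alice", instructed_by="CEO",
        beneficiary="Danube Parts Kft.", iban="HU42117730161111101800000000",
        amount_eur=220_000.0, verbal_instruction=True,
        callback_to="+36 1 555 0100",     # the number the caller asked to be reached on
        approvers=["CEO"])
    return release_decision(req)


def routine_payment() -> Tuple[bool, List[str]]:
    """Constructed recurring supplier payment that passes every check."""
    req = PaymentRequest(
        request_id="PR-1002", prepared_by="alice", instructed_by="alice",
        beneficiary="Nordic Components AB", iban="SE3550000000054910000003",
        amount_eur=48_000.0, verbal_instruction=False, approvers=["bob"])
    return release_decision(req)


if __name__ == "__main__":
    for label, fn in (("voice clone", voice_clone_scenario), ("routine", routine_payment)):
        released, holds = fn()
        print(label, "RELEASE" if released else "HOLD", holds)
```

The point of the design is that none of the checks depend on anyone recognising the fraud: the clerk can be fully convinced the caller is the boss and the gate still holds the payment, because the callback number and the beneficiary details come from records the caller cannot influence during the call.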
Deepfakes, voice clones, and spear-phishing emails have become mainstream tools. The technology keeps advancing, but the principle remains: if someone can be convinced, rushed, or made to feel afraid, mistakes happen. “Attackers want you to respond quickly, because in that emotional state, you’re not at your best,” Reinhardt explains.
What’s changed is the scale and accessibility. Attackers no longer target only major banks or multinational firms. “As of last year in the US, one in four private individuals has been affected by such an attack,” Reinhardt noted, citing the growing reach of social engineering and fraud techniques. As Bastienne added, no sector or size of company is immune. “Whether you’re a global corporation, a mid-sized company, or a small business, no one is protected from these kinds of attacks.”
For finance teams, the lesson is clear: technical defences are necessary, but human vigilance and training are what make or break security. Real resilience comes from understanding how people behave under stress, and from building habits that make safe decisions second nature.
How attackers exploit trust, emotion, and company culture
Understanding behaviour is only the beginning. Today’s sophisticated cyberattacks rarely succeed on technical grounds alone. Attackers rely on subtle tools: trust, authority, and company culture. When these are poorly managed, even strong technical defences can be breached.
The people behind these attacks know how to hit where it hurts most. They do their homework, researching an organisation thoroughly enough to know what, when and whom to target. As Christian Reinhardt pointed out, “These are actual organisations with 10,000 to 100,000 employees, working 50 hours a week on nothing but cybercrime. They reinvest about 50% of what they make back into their attack infrastructure.” With this level of professionalism, their methods often bypass traditional controls by targeting everyday human emotions.
“Attackers trigger emotional people,” Reinhardt noted, explaining how cybercriminals weaponise emotions, often targeting the same victim more than once. “If cybercriminals are already inside a company, they often contact the victim again. Why? Because they want to shame the victim, hoping they won’t report it because they are embarrassed.”
Environments where hierarchy is strict or mistakes are stigmatised can be especially vulnerable. When companies foster a culture of shame or blame around mistakes, employees may hide errors or avoid reporting suspicious activity. Attackers often exploit this, contacting victims again to capitalise on embarrassment and discourage disclosure. “The worse my culture around mistakes, the higher the chance someone doesn’t come forward and say, ‘something just happened.’ The longer it takes for a company to notice, the greater the damage,” said Reinhardt.
This is why a security culture must also address how mistakes are handled. When employees feel safe to speak up, no matter how small the issue seems, threats are caught sooner and damage can be contained. If mistakes are hidden, the window for attackers grows. For that, Bastienne Föller pointed out, leadership must lead by example.
“Culture depends on two things. First is setting an example, which the entire leadership team must follow, and second is making it absolutely fine to approach the security team with concerns, without getting blamed or shamed for it. Otherwise, people will just try to cover things up, hoping no one notices.”
For finance teams and business leaders, the challenge is to cultivate habits of questioning, openness, and early reporting, making security everyone’s responsibility, not just IT’s.
Understanding these cultural and psychological risks is one thing. But what actually happens when an organisation is targeted? And how do real teams cope during a breach?
What happens when you’re hit? Real-world scenarios and lessons
The numbers don’t lie. According to the World Economic Forum’s Global Cybersecurity Outlook report, only 14% of organisations are confident they have the people and skills they need to meet security requirements. This gap in readiness can quickly (and painfully) become clear when attacks do happen.
Speed and clarity are key during a breach. Preparation, clear roles and rapid communication can mean the difference between a minor incident and a major business crisis. Bastienne Föller has seen the value of a response plan firsthand. “I’ve been through small-scale attacks myself, but the team was always able to communicate well. Some outages lasted a few minutes, but it never led to major issues, because there was a clear procedure in place for who does what, when, and where.”
Companies lose precious time when there is no system in place, as responsibilities and authorities are unclear. Reinhardt warned, “Sometimes it happens that companies get hacked, rarely on a Monday at 11 a.m., but more likely on a Saturday night at 3 a.m., and only the board is allowed to decide whether to shut down the data centre. Trying to get that decision at 3 a.m. is a challenge.”
Clarifying who makes key decisions in advance, such as taking systems offline or notifying stakeholders, is essential. These response plans also need to cover holidays, nights and weekends, as well as the communication channels to be used when the usual ones (email, chat, the corporate network) may themselves be compromised or down. During the panel at Forge Connect, Föller mentioned mobile emergency groups. “If there’s an incident, it works like a national emergency alert. The phone rings and beeps every few minutes, night or day, so everyone knows: there’s an issue, we need to dial in immediately.”
External support matters as well. Companies should know their insurance coverage and have contacts for forensic, legal, and technical expertise at the ready. But as Bastienne pointed out, insurance isn’t a substitute for prevention: “It’s really important to be able to prove you weren’t negligent, otherwise, the insurance won’t pay.” In practice that means keeping evidence of the controls, training and patching in place before the incident, and a timeline of what was done during it.
Regular testing and real-life simulations can reveal gaps in crisis response, help teams understand their roles, and create a culture of readiness. Every finance leader should ask: is our plan written, tested, and truly understood?
Building resilience against cyber risks: practical steps for CFOs and leadership teams
Incidents like these underscore the reality that cyber risk is a permanent, evolving challenge, and responding effectively is only half the battle. True resilience is built in advance, through preparation, culture, and leadership.
Finance leaders and their teams can take a series of practical steps to strengthen their defences, and most of them go beyond technology. It all starts with people and processes. Christian Reinhardt pushed back on the idea that you need programming skills or IT expertise to protect yourself against cybercrime. “As someone with very little IT knowledge, I can say: that’s not true. The main thing is to develop a basic understanding of secure behaviour. In the end, almost everything that happens, happens because of emotional manipulation.”
Bastienne Föller emphasised the importance of working together as a team and bringing the topic to the table on a regular basis. “You can’t win alone. It’s much more enjoyable as a team. We discuss it together every month, and we don’t even call it ‘compliance’, but ‘active risk management.’”
Based on Bastienne’s and Christian’s experience and lessons from real incidents, here are some concrete actions for building a more cyber-resilient organisation:
Clarify responsibilities and decision rights
Ensure everyone knows who is responsible for what before an incident occurs. Write down roles, create a clear escalation path, and confirm decision authority for critical actions, especially outside office hours.
Run real-world simulations
Go beyond annual training or paperwork. Simulate attacks that reflect your company’s real working environment. Test your plans in stressful conditions, including Friday evenings, holidays, and leadership absences. Learn where gaps exist and close them.
Create emergency response groups and mobile alerts
Set up a rapid-response team that can be mobilised at any time. Use mobile alerts so the right people are notified, even if they’re away from their desks.
Invest in ongoing, engaging training
Make security a regular, practical topic, not just a compliance tick-box. Train employees to spot manipulation, report incidents, and support one another. Look for internal champions, those who are naturally interested and can motivate others.
Monitor internal threats with a ‘zero trust’ approach
Internal risks are rising, from accidental mistakes to insider threats. Treat every access request as unverified until it is authenticated and authorised, regardless of where it comes from. Grant each role only the access it needs, review those rights regularly, revoke them promptly when people change roles or leave, watch for unusual behaviour, and stay vigilant during hiring and onboarding processes.
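An access review is the routine check behind the point above, and it can be automated rather than done by eyeballing spreadsheets. The following is an added example for this page, not code from TIS, SoSafe or the panel; the HR roster, role baselines, segregation-of-duties pairs and entitlement dump are constructed assumptions. It reconciles who holds what against who should hold what and flags the four things a reviewer most wants to see: leavers whose access was never revoked, accounts with no HR record at all, entitlements outside the person’s role (privilege creep), rights that have not been used in 90 days, and one person holding both sides of a dual-control pair such as creating and approving payments.

```python
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed sample exports (assumptions: an HR roster and an entitlement dump
# from the payment system; real data would come from those systems of record).
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob":   {"status": "active", "role": "controller"},
    "carol": {"status": "left",   "role": "ap_clerk"},
    "dave":  {"status": "active", "role": "sales"},
}
# Least privilege: the entitlements each role is supposed to hold, nothing more.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap_clerk":   {"payments.create", "vendors.read"},
    "controller": {"payments.approve", "vendors.read", "reports.read"},
    "sales":      {"crm.read"},
}
# Pairs one person must never hold together (dual control over payments).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("payments.create", "payments.approve"),
    ("vendors.edit", "payments.create"),
]
GRANTS: List[Tuple[str, str, date]] = [      # (user, entitlement, last used)
    ("alice", "payments.create",  date(2025, 6, 1)),
    ("alice", "vendors.read",     date(2025, 6, 1)),
    ("alice", "payments.approve", date(2025, 1, 5)),   # creep, and an SoD conflict
    ("bob",   "payments.approve", date(2025, 6, 2)),
    ("bob",   "vendors.read",     date(2024, 11, 1)),  # dormant
    ("carol", "payments.create",  date(2025, 3, 1)),   # leaver, never revoked
    ("dave",  "crm.read",         date(2025, 6, 1)),
    ("erin",  "payments.approve", date(2025, 6, 1)),   # no HR record at all
]

Finding = Tuple[str, str, str]   # (user, entitlement, reason)


def review_access(roster: Dict[str, Dict[str, str]],
                  baseline: Dict[str, Set[str]],
                  grants: List[Tuple[str, str, date]],
                  sod_conflicts: List[Tuple[str, str]],
                  today: date,
                  dormant_days: int = 90) -> List[Finding]:
    """Reconcile granted entitlements against HR status, role baseline, usage
    and segregation-of-duties rules; return one finding per problem."""
    findings: List[Finding] = []
    held: Dict[str, Set[str]] = {}
    for user, ent, last_used in grants:
        held.setdefault(user, set()).add(ent)
        person = roster.get(user)
        if person is None:
            findings.append((user, ent, "orphan: no HR record"))
            continue
        if person["status"] != "active":
            findings.append((user, ent, "leaver still has access"))
            continue
        if ent not in baseline.get(person["role"], set()):
            findings.append((user, ent, f"outside {person['role']} baseline"))
        idle = (today - last_used).days
        if idle > dormant_days:
            findings.append((user, ent, f"dormant: unused for {idle} days"))
    # SoD is a property of the whole set a person holds, so check it last.
    for user, ents in held.items():
        for a, b in sod_conflicts:
            if a in ents and b in ents:
                findings.append((user, f"{a}+{b}", "segregation-of-duties conflict"))
    return findings


def run_review(today: date = date(2025, 6, 15)) -> List[Finding]:
    """Run the review over the constructed exports with a fixed review date."""
    return review_access(HR_ROSTER, ROLE_BASELINE, GRANTS, SOD_CONFLICTS, today)


if __name__ == "__main__":
    for user, ent, reason in run_review():
        print(f"{user:6} {ent:36} {reason}")
```

Run monthly, the output is the agenda for the “active risk management” meeting Föller describes: each line is either revoked or explicitly accepted by the role owner, and the leaver and orphan findings are the ones to treat as incidents rather than hygiene.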
Lead by example and foster openness
Effective leadership means being transparent, taking part in training, and responding quickly, so everyone feels safe to raise concerns.
Every organisation is different, but these principles can help finance and business leaders build resilience into the fabric of daily operations. The more proactive and open the approach, the faster a company can adapt to new threats and recover when incidents occur.
However, lasting resilience is not achieved with a one-time project or a checklist. It’s a mindset that must be maintained, and that means moving from compliance to an ongoing practice of active risk management.
From compliance to active risk management: a new mindset
Building resilience is a mindset shift, one that perseveres long after an audit, training session or even an incident. Many organisations still treat compliance as a checklist. But real security is built into daily habits, conversations, and decisions.
Christian Reinhardt drew a clear distinction: “For me, a security culture develops beyond just ticking the compliance box. Compliance is a good framework, but security culture is more than that. For me, cybersecurity is not just something you talk about, or on Cybersecurity Monday. You make it part of everyday life.”
Active risk management requires the entire organisation, not just IT or security, to treat cyber risk as a shared responsibility. Reinhardt explained that to really understand the risks, it helps to put yourself in the attacker’s shoes, and he shared an example of how he has done this with his team. “We actually did this with colleagues. I got them together and said, ‘Let’s do some social engineering: how can I manipulate someone? How do I find out a password?’ Sometimes you’re shocked at how easy it can be.”
Other industries have already adopted this mindset. For example, Bundesliga football clubs must meet strict cybersecurity standards to maintain their league licence. Regulatory frameworks like DORA (Digital Operational Resilience Act) in Europe set the baseline, but leading companies use these rules as a springboard for ongoing improvement.
The practical message for finance and business leaders is clear: treat compliance as the starting point, not the finish line. Encourage your team to talk openly about new threats, share learnings from real incidents, and continuously test your readiness.
Teams that live active risk management are ready to adapt, respond, and protect trust, even when facing new threats.
Cyber risk is woven into the daily operations of modern finance teams, extending far beyond IT. Incidents have become a part of everyday business, not just rare events. Stakes are high, but the tools for resilience are within reach.
The challenge for finance and business leaders is not simply to react, but to anticipate and build resilience into every layer of the organisation. A strong culture gives every employee the confidence and responsibility to speak up and act on threats. Effective cybersecurity is an ongoing leadership commitment, a matter of trust, and a foundation for business continuity.
As Bastienne and Christian highlighted, cybersecurity is no longer about ticking boxes or doing the minimum. “Cybersecurity is like a seatbelt: you have it, you invest in it, you hope you’ll never need it, but it’s good that it’s there,” Bastienne pointed out. “You need to make sure that investment is maintained, that it doesn’t snap, that it stays robust and up to date.”
Now is the moment to review your team’s approach. Is your response plan clear and tested? Are roles understood across teams? Does your culture encourage early reporting and open dialogue? The next incident may be closer than you think, and taking these steps now can turn cybersecurity from a persistent worry into a source of strength and competitive advantage.