Cyber and the CFO
A survey, ‘Cyber and the CFO’, conducted jointly by ACCA, Chartered Accountants Australia and New Zealand, Macquarie University and Optus, showed that 57% of respondents rank cyber security among their top five business risks, and 52% saw cyber security as a high or very high risk to their organization. Unsurprising, perhaps, given that the global cost of cybercrime is estimated to reach US$6 trillion by 2021. It is a subject that is never far from the press. Is this a business risk that we, as finance professionals, can afford to ignore?
Weakness in cyber security is a significant business risk for every organization. The level of threat evolves as technology changes, and organizations are increasingly connected in the ways they do business, which transforms the risk profile again. Yet cyber security is too often not managed as a business risk at all; it is left to the information technology professionals alone. The impact of an attack is not only financial; it is, perhaps more significantly, reputational and operational.
You Have Been Attacked, But Do You Know It?
Does the evolving nature of the threat, and the changing nature of the risk, make us less comfortable in addressing it as a business risk? There is a saying in the cyber world: there are those who know they have been attacked, and those who have been attacked but are unaware of it. 54% of our survey respondents either did not know whether their organization had been attacked or believed that it never had been. Only 26% of respondents were aware that their organization had been attacked in the last six months.
Time to Play Your Role in The Reality of Cyber Risk
Do not wait for a cyber attack to occur. Do not wait for the fine, or for the measurable reputational loss. Finance leaders need to recognize that cyber risk is directly relevant to them. The constantly evolving nature of the threats and risks is something that organizational leaders must manage, and finance teams, with their broad view of the organization, have a key role to play in providing that leadership.
To do this, you need to stay fully up to date, on an on-going basis, with the nature of the risk the organization faces.
The risk will keep evolving, so take advantage of the programs run by professional bodies and others to keep yourself informed. The risk is broader than most people appreciate.
Redefine Risk and Resilience
As part of this evolving threat, cyber criminals constantly find new vulnerabilities to exploit. Keeping software and hardware maintained and patched, so that known vulnerabilities cannot be exploited, is paramount. But that is not the whole story. Traditionally we have relied on a secure perimeter around our IT systems. In our hyper-connected world, however, the border between inside and outside is blurred; think of the personal devices we bring to work. To manage cyber risk effectively, we need to move to a zero trust model, in which every user and every device is verified before being granted access, regardless of whether it sits inside or outside the network.
A cyber attack is a complex process. It does not necessarily happen overnight; the cybercriminal can afford to play a long game. They can take time to prepare an attack, then exploit the vulnerabilities they find until they are discovered or, if they are not, until they choose to leave and cover their tracks.
Guidelines such as those published by the Australian Cyber Security Centre and the UK National Cyber Security Centre provide practical advice on managing cyber risk, especially for smaller entities. Above all, whatever the consequences, we should ensure that a cyber attack is reported to the relevant national authority.
Focus on Recovery Plans
In preparing for an attack it is important to plan not only for managing the attack itself but also for the recovery afterwards. This requires effective planning to handle the technical issues and, just as importantly, the relationships with regulators, customers and suppliers. Only 37% of survey respondents said that a remediation plan was in place and regularly updated and tested. It is not only the loss of personally identifiable information that should concern us; it is our ability to keep doing business in a connected world.
Audit Your Supply Chain
Our supply chains become ever more complex and integrated. Our cyber risk sits at the boundary of our organization, which may well be a direct connection to a third party, and that third party may well be the weakest point. Supporting these third parties and assessing their vulnerability is essential, yet 41% of respondents had no knowledge of any cyber security assessment or audit being conducted on their organization’s supply chain.
Invest in Cyber Insurance
Cyber risk should be a topic that the organization’s leadership regularly reviews and acts on as part of its business risk assessment. The potential financial impact needs to be quantified. For the cybercriminal the activity can be more profitable than any other illegal activity. Paying criminals to unlock data encrypted by ransomware is likely to mark you out on the dark web as a target that pays, inviting repeat attacks. Insurance will help manage some of the losses arising from an attack, yet 44% of respondents were unsure whether their organization had cyber insurance or, if it did, whether the cover was at an appropriate level.
Some Key Steps to Take
- Ensure that responsibilities and accountabilities for cyber security are properly established.
- Ensure that the cyber risk faced by the organization is appropriately quantified, including its potential financial, operational and reputational impact.
- Appreciate that it is not a question of ‘if’ you are attacked, but of ‘when’ and ‘how’.
- Ensure that the cyber risk assessments are performed on a regular basis and reviewed at board level.
- Ensure that sufficient resources are allocated to cyber risk prevention, including skilled individuals as well as protection measures.
- Review the results of cyber prevention activities on a regular basis.
- Understand which data elements support your critical business operations and ensure that they are appropriately protected.