Innovation | Cybersecurity

A perfect storm

The cyber threat landscape is changing fast, and CFOs must run to keep up

Lesley Meall, journalist

App attacks, cryptojacking, ping of death (the sending of a malicious ping to a computer), zero-day vulnerabilities – the A-Z of cybersecurity threats is constantly growing. New menaces emerge almost daily, the number of attacks is increasing, and no individual or organisation is invulnerable. ‘It is no longer a case of if you will be attacked, but when,’ says Geraldine Magarey, thought leadership and research leader at CA ANZ. A perfect cyber storm is brewing, and CFOs need to understand and mitigate the associated risks.

There are signs, however, that many CFOs and their finance teams see cybersecurity as somebody else’s problem. Recent global research among more than 1,500 members of ACCA and CA ANZ found low levels of cyber risk awareness. ‘CFOs often regard cyber risk as a technology issue, not a governance or business issue,’ says Magarey. The research, Cyber and the CFO, a joint report with Optus Macquarie University Cyber Security Hub and Singtel Optus, indicated that cyber threats did not register prominently, except perhaps where privacy was more front of mind as a result of recent legislation.

You are not alone

Responsibility for managing and mitigating cyber risk does not rest solely on the CFO’s shoulders. ‘It is the collective responsibility of the C-suite,’ says Clive Webb, senior insights manager at ACCA. But CFOs are becoming more involved in operational crisis planning as operating models evolve. ‘As more businesses are cloud-enabled and more technology resources are third-party hosted, technology looks less like an operational domain in its own right and more like a strategic operational issue,’ says Webb. Failing to respond to this trend can have dire operational and financial consequences.

Trying to recover after an adverse cyber incident such as a data breach or ransomware attack can be complex and time-consuming. Money spent trying to remediate damage – to data, systems, relationships with customers and suppliers, and the reputation of the business – can quickly mount up. Then you need to factor in opportunity cost and loss of revenue due to downtime. ‘Cybersecurity is a business issue, not a technology issue. CFOs need to understand and act on this,’ says Webb, because the damage a cyber attack can cause is determined by how well prepared an organisation is.

Plan to survive

Basic cybersecurity controls can protect against the most common cyber attacks, according to the National Cyber Security Centre (a British government organisation), which has made some simple guidance freely available; so do public and private sector specialists in other countries. Cyber risk and liability insurance may give you a sense of security, but implementing and regularly testing basic cyber monitoring procedures and controls will make your organisation more resilient to the most common threats and make recovery from adverse cyber incidents easier to manage when they do occur – as they inevitably will.

All organisations should assume that they will be attacked, even small and medium-sized enterprises (SMEs). ‘SMEs think they are not a target, because cyber attackers will go after somebody bigger, but this is not true,’ says Magarey. Adverse cyber incidents afflicting the biggest businesses and brands may grab headlines, but such victims are the tip of an iceberg. Beneath the waterline, many smaller organisations are also being attacked by cyber criminals. According to Verizon’s 2018 Data Breach Investigations Report, 58% of cyber attack victims were businesses with fewer than 250 employees.

Cyber storm ahead

No organisation can be 100% secure; but lack of cyber risk awareness leaves SMEs less well prepared for cyber attacks than larger organisations and less able to deal with the consequences. Research by the US National Cyber Security Alliance found that 60% of small businesses go bankrupt six months after a cyber attack. Unfortunately, SMEs are increasingly popular with cyber criminals, who see them as a soft target for penetration and extortion and conduits into their supply chains; hence the appeal of sector and multi-industry cyber wargaming (see below).

The spread of internet connectivity among objects, organisations and people – the internet of things – is turning us all into links in a chain, and the associated cyber risks are unlikely to diminish any time soon. As technology advances, so do cybercriminals’ weapons and the sophistication of their methods.

‘As a CFO, you need to appreciate how fast the nature of cyber risks and the types of attack you may face are changing,’ says Webb. This does not mean you need to become an expert on app attacks, cryptojacking or ping of death attacks. Webb says: ‘As a CFO, you should know what you don’t know and who to ask when you do need to know.’

Read the report, Cyber and the CFO.

Cyber wargaming

War games used to be the preserve of armed forces, but corporate wargaming is on the rise – and it’s not hard to understand why. Simulating moves and counter-moves in a real-time setting can be an effective way to test your organisation’s reflexes, surface gaps in plans and develop collaborative judgment under pressure – particularly in a fast-moving cyber attack scenario.

‘Cyber wargames are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organisation needs during, after, and preparing for the next cyber incident,’ says Daniel Soo, cyber wargaming leader for Deloitte cyber risk services, and Deloitte risk and financial advisory principal.

‘The most impactful wargames are those that use live knowledge of an organisation’s current threat environment to support the decision-making process across operations, finance, regulatory, marketing, and beyond,’ says Soo. With supply chains and cyber risks increasingly interconnected, industry bodies are also testing and practising their collective response and information sharing procedures.

Examples include Cyber RX in the healthcare industry and Quantum Dawn, a regular simulation event that most recently involved more than 50 financial institutions, utility and infrastructure providers, plus various government agencies. The biennial exercise, Cyber Storm (sponsored by the Department of Homeland Security in the US), spans multiple industries.

The benefits of business wargaming go beyond cyber risk. Management consulting firm McKinsey suggests that wargaming can help CFOs to strengthen their strategic decision-making, by simulating various scenarios in which executive teams make big and consequential decisions under pressure. A podcast and transcript on this is available from McKinsey.