App attacks, cryptojacking, ping of death (the sending of a malicious ping to a computer), zero-day vulnerabilities – the A-Z of cybersecurity threats is constantly growing. New menaces emerge almost daily, the number of attacks is increasing, and no individual or organisation is invulnerable. ‘It is no longer a case of if you will be attacked, but when,’ says Geraldine Magarey, thought leadership and research leader at CA ANZ. A perfect cyber storm is brewing, and CFOs need to understand and mitigate the associated risks.
There are signs, however, that many CFOs and their finance teams see cybersecurity as somebody else’s problem. Recent global research among more than 1,500 members of ACCA and CA ANZ found low levels of cyber risk awareness. ‘CFOs often regard cyber risk as a technology issue, not a governance or business issue,’ says Magarey. The research, Cyber and the CFO, a joint report with Optus Macquarie University Cyber Security Hub and Singtel Optus, indicated that cyber threats did not register prominently, except perhaps where privacy was more front of mind as a result of recent legislation.
SMEs think they are not a target, because cyber attackers will go after somebody bigger, but this is not true
You are not alone
Responsibility for managing and mitigating cyber risk does not rest solely on the CFO’s shoulders. ‘It is the collective responsibility of the C-suite,’ says Clive Webb, senior insights manager at ACCA. But CFOs are becoming more involved in operational crisis planning as operating models evolve. ‘As more businesses are cloud-enabled and more technology resources are third-party hosted, technology looks less like an operational domain in its own right and more like a strategic operational issue,’ says Webb. Failing to respond to this trend can have dire operational and financial consequences.
Trying to recover after an adverse cyber incident such as a data breach or ransomware attack can be complex and time-consuming. Money spent trying to remediate damage – to data, systems, relationships with customers and suppliers, and the reputation of the business – can quickly mount up. Then you need to factor in opportunity cost and loss of revenue due to downtime. ‘Cybersecurity is a business issue, not a technology issue. CFOs need to understand and act on this,’ says Webb, because the damage a cyber attack can cause is determined by how well prepared an organisation is.
Plan to survive
Basic cybersecurity controls can protect against the most common cyber attacks, according to the National Cyber Security Centre (a British government organisation), which has made some simple guidance freely available; so do public and private sector specialists in other countries. Cyber risk and liability insurance may give you a sense of security, but implementing and regularly testing basic cyber monitoring procedures and controls will make your organisation more resilient to the most common threats and make recovery from adverse cyber incidents easier to manage when they do occur – as they inevitably will.
All organisations should assume that they will be attacked, even small and medium-sized enterprises (SMEs). ‘SMEs think they are not a target, because cyber attackers will go after somebody bigger, but this is not true,’ says Magarey. Adverse cyber incidents afflicting the biggest businesses and brands may grab headlines, but such victims are the tip of an iceberg. Beneath the waterline, many smaller organisations are also being attacked by cyber criminals. According to Verizon’s 2018 Data Breach Investigations Report, 58% of cyber attack victims were businesses with fewer than 250 employees.
Cyber storm ahead
No organisation can be 100% secure; but lack of cyber risk awareness leaves SMEs less well prepared for cyber attacks than larger organisations and less able to deal with the consequences. Research by the US National Cyber Security Alliance found that 60% of small businesses go bankrupt six months after a cyber attack. Unfortunately, SMEs are increasingly popular with cyber criminals, who see them as a soft target for penetration and extortion and conduits into their supply chains; hence the appeal of sector and multi-industry cyber wargaming (see below).
The spread of internet connectivity among objects, organisations and people – the internet of things – is turning us all into links in a chain, and the associated cyber risks are unlikely to diminish any time soon. As technology advances, so do cybercriminals’ weapons and the sophistication of their methods.
‘As a CFO, you need to appreciate how fast the nature of cyber risks and the types of attack you may face are changing,’ says Webb. This does not mean you need to become an expert on app attacks, cryptojacking or ping of death attacks. Webb says: ‘As a CFO, you should know what you don’t know and who to ask when you do need to know.’
Read the report, Cyber and the CFO.