Five cyber risk insights for CFOs

Deloitte says CFOs need to be aware their information network will be compromised.

Deloitte notes the pervasive nature of cyber risks is "enough to rattle even the most steadfast" CFOs, and often does.

Cyber attacks have become a fixture on the list of CFOs' most worrisome risks, which includes perennial macro-economic factors, such as economic volatility and overregulation, says the consulting company. It adds both the frequency and cost of cyber attacks are a concern.

"According to the Ponemon Institute's 2014 Cost of Breach: Global Analysis study, the average total cost for a data breach is now $3.5 million globally, up 15% from last year. In addition, the survey found a company's probability of a material breach involving 10 000 records or more stands at 22% over the next 24 months."

Because of the costs, and the increasingly malicious nature of the attacks, CFOs are focused on identifying potential cyber risks and planning their corporate responses, says Deloitte. In addition, with a large percentage of finance chiefs also overseeing IT, they are equally committed to determining how and where to invest company resources on prevention, it adds.

"What that means is that companies - and CFOs - are fighting a multi-front, long-term battle where victory is difficult to measure." To have any chance of winning the cyber wars, CFOs should understand several realities. According to Deloitte:

1. Your information network will be compromised.

Inevitably, you will be attacked. If you operate an information network, you will not get to a point of zero risk. You need to accept it.

2. Physical security and cyber security are increasingly linked.

Typically, the physical security domain and the cyber security domain have been viewed separately. That is no longer the case. Why? While threats like espionage, intellectual property theft, fraud, counterfeiting and terrorism may involve cyber breaches, they can potentially begin with physical access. In a common example, certain administrators may have full control over a system such as payroll, customer data or billing. Armed with that access, those employees or contractors might pay themselves with false invoices, approve loans with special rates, or copy customer credit-card data and employee files that contain sensitive information such as Social Security numbers, with the purpose of selling the data or committing identity theft, embezzlement or other fraud.

3. Cyber damages go beyond dollars.

While the average cost of a data breach may be well documented, the long-term effects on corporate reputation and brand add significantly to the toll. In particular, breaches of customer data can lead to a breakdown in trust that could ultimately hurt the top line - one reason several payment networks have demanded that retailers move to new payment cards that store information on computer chips rather than on traditional magnetic stripes. In addition, many companies are now considering cyber insurance to limit excessive damages.

4. Not everything can be protected equally.

Ask yourself: "What and where are the crown jewels in my organisation?" In other words, what data is crucial to running the organisation, and which databases, if compromised, could put you out of business? Not every piece of information, after all, is equally important. To a retailer, for example, customer credit-card data and employee ID numbers are crucial, as is logistics information related to supply chains. By building a hierarchy of data customised to your company and industry, CFOs can make better decisions on how to prioritise protective controls and other aspects of cyber spend.

5. Your walls are probably high enough.

Companies continue to invest heavily in the protection side of cyber security - with more firewalls and more intrusion-detection systems. Yet, for most companies, the walls may already be about as high as they need to be. Given that hackers have likely already infiltrated, companies should focus more on the detection side, to increase their vigilance against attacks, and on recovery after the fact. The formula is different for every company, of course; but, of the typical IT cyber-risk spend, 30% might be allocated to wall-building, 50% to detection, and another 20% to resilience preparation.
