Finance executives from the CFO down are being warned to prepare for an uptick in data breaches in 2016.
“It’s definitely on the radar,” said Dexter Clarke, CFO at automotive remarketing services provider Manheim. “Like every other risk it falls on the CFO to be the guardian of the risks and risk mitigation.”
In its top five cyber security predictions for 2016, US cyber security company Imperva forecast more data breaches due to insiders.
“Insiders have privileged access to data/databases and remain largely unmonitored even today,” Imperva said.
“Encryption of data and transport does not help protect against insider threats. Data stored in the cloud is more at risk from the insider threat since IT security and controls in the cloud are still playing catch up.”
A typical data breach – as presented in a case from the Australian Cyber Security Centre’s first threat report – concerned an employee who failed to check the legitimacy of an email sent from an unfamiliar webmail account.
After the employee opened an email attachment, an executable (.exe) file disguised as a Microsoft Excel file, the attacker was able to steal intellectual property, personnel records, business development proposals and project information belonging to the business.
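The disguise in that case works because a name or icon says "spreadsheet" while the bytes say "program". A mail gateway or endpoint can catch the mismatch by comparing the attachment's claimed extension with its actual file header. The following Python is an added illustration written for this article, not code from the ACSC report or any product; the magic-byte table covers only the three formats involved, and the sample attachments are constructed in the block, not taken from the incident.

```python
"""Flag attachments whose content does not match the spreadsheet they claim to be."""

# Well-known file headers (assumption: standard signatures for these formats).
MAGIC = [
    (b"MZ", "executable"),                                   # Windows PE / DOS executable
    (b"PK\x03\x04", "ooxml-zip"),                            # .xlsx / .xlsm are zip containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),   # legacy binary .xls
]

# Content a spreadsheet extension may legitimately carry.
EXPECTED = {
    ".xlsx": {"ooxml-zip"},
    ".xlsm": {"ooxml-zip"},
    ".xls": {"ole-compound"},
}


def content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever the name says."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def all_extensions(filename: str) -> list:
    """Every dotted suffix in order, e.g. 'Q3.xlsx.exe' -> ['.xlsx', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict with the reasons an attachment should be held for review."""
    exts = all_extensions(filename)
    final_ext = exts[-1] if exts else ""
    actual = content_type(data)
    reasons = []
    if actual == "executable":
        reasons.append("content is a Windows executable")
    if final_ext == ".exe":
        reasons.append("final extension is .exe")
    # 'report.xlsx.exe': a spreadsheet extension sits in front of the real one.
    if any(e in EXPECTED for e in exts[:-1]):
        reasons.append("spreadsheet extension precedes a different final extension")
    # 'report.xls' whose bytes are not an OLE file: renamed executable or other mismatch.
    if final_ext in EXPECTED and actual not in EXPECTED[final_ext]:
        reasons.append(f"{final_ext} name but {actual} content")
    return {"name": filename, "content": actual, "block": bool(reasons), "reasons": reasons}


# Constructed sample attachments (not from the incident): header bytes plus padding.
SAMPLES = [
    ("Q3_forecast.xlsx", b"PK\x03\x04" + bytes(20)),        # genuine OOXML spreadsheet
    ("budget_2015.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(20)),  # genuine .xls
    ("Q3_forecast.xlsx.exe", b"MZ\x90\x00" + bytes(20)),    # double extension
    ("Q3_forecast.xls", b"MZ\x90\x00" + bytes(20)),         # executable renamed to .xls
]


def run_samples() -> list:
    """Apply the check to every constructed sample and return the verdicts."""
    return [check_attachment(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for verdict in run_samples():
        status = "HOLD " if verdict["block"] else "allow"
        print(f"{status} {verdict['name']:24} ({verdict['content']}) {'; '.join(verdict['reasons'])}")
```

The check deliberately trusts the bytes over the name: a renamed executable still begins with `MZ`, so the last sample is held even though nothing in its filename looks suspicious. In production this belongs alongside, not instead of, the gateway's malware scanning.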
Breaches like this one can be costly.
Due to the rapid digitisation of consumers’ lives and enterprise records, the global cost of data breaches is expected to reach US$2.1 trillion by 2019 – almost four times the estimated cost of breaches in 2015, according to UK researcher Juniper Research.
Locally, the sixth Australian Cost of Data Breach Study by IBM and the Ponemon Institute in 2015 reported that the total average cost for a business to fix a data breach increased by $20,000 in just one year – from $2.8 million in 2014 to $2.82 million in 2015.
Financial, services, industrial and energy companies reported higher than average costs.
These costs included a sizeable jump in detection and escalation expenditure, from $1.07 million to $1.16 million. This comprises forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and boards of directors.
Consulting firm Protiviti’s 2016 Finance Priorities Survey of 650 US CFOs listed cyber security as a top emerging issue, along with margins and earnings performance. Likewise, when CFO Research investigated top concerns among CFOs in 2016, it found that information security and the risk of data breaches were a major cause of worry.
For many businesses, effective cyber security matters from a customer perspective. In highly competitive markets, both retail and business customers need little reason to move to another supplier – one who may have better cyber security built into its risk management framework. A breach damages the company’s reputation, the customer experience and customer trust, and ultimately sales and profits.
According to the Ponemon data mentioned above, lost business costs account for about 30 per cent of the average total cost to fix a data breach. And that figure does not reflect the multiplier effect of customer turnover, customer acquisition activities, reputation losses and diminished goodwill.
CFOs and their teams are ultimately responsible for the integrity of a company’s data, and as cyber attacks multiply, CFOs will play a central role in developing measures to prevent breaches. These measures must both ensure the security of financial information, and assess the risk of the financial impact of a breach on all data.
Stephen James, a principal with GRC Services, specialising in information and data security, notes that information security is often seen as a ‘dead’ cost, like insurance.
“CFOs should be considering the ROSI – return on security investment,” Dr James says. “It is often poorly quantified in many organisations.”
One potential benchmark is the number of successful blocks achieved against hackers, versus the number of attacks.
Indeed, CFOs and finance executives are recognising that the execution of their priorities increasingly depends on their ability to lead outside their function – this includes addressing cyber security risks.
In Australia, the Federal Government is believed to be looking at a voluntary standard that would certify companies that have installed the latest security measures to protect their networks.
While responsibility for cyber security can be jointly held by the CFO and CEO, backed by an organisation’s IT executives, this is not always the case.
“What I see is that the owner of risk management in the business is more commonly seen as a CFO role,” Mr Clarke says. “Wherever that responsibility lies, it will continue to grow in importance.”
As the ACSC report highlighted: “The cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable.”
Put simply, cyber security is no longer just an IT issue. It’s a business one.