
What CFOs need to know about cybersecurity (and why)

The year 2018 is a pivotal one for the C-suite when it comes to cybersecurity. Each executive will be required to take the steps needed to protect their customers and the business.


For chief financial officers, changes to government regulations and the growing threat landscape both have the potential to impact the bottom line - whether through a direct cost to business, the risk of punitive fines or the loss of brand reputation. 


Regulatory changes

Regulatory and legislative changes require the CFO's attention. In Australia, an amendment to the Privacy Act, the Australian Notifiable Data Breach scheme, comes into effect on 22 February 2018.

The regulations outline the data breach notification obligations of entities when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

The amendment impacts any organisation with revenue of more than $A3 million a year. Organisations unable to respond effectively to a serious data breach face fines of up to $A360,000 for individuals and $A1.8 million for corporates, as well as the possibility of civil penalties.

This is not to mention the effects the European GDPR laws will have on organisations hosting EU citizens' data.

Skills shortage

Demand for experienced security staff is growing and yet globally there is a shortage of skilled security professionals.

This shortage means many Australian organisations will struggle to bring in new talent and will need to develop the skills of existing personnel. Coupled with the challenge of a rapidly changing threat landscape, hiring effectively and skilling up a workforce to reduce security incidents is a critical part of a business's defences.

Redefining how to find, hire, retain and retrain "new collar" talent, the people with curiosity and a thirst for problem solving, is the start of making that goal a reality.

Without action

There was an unprecedented number of high-profile data breaches recorded in 2017, and the trend is likely to continue. The impact of a breach can be catastrophic to a business through loss of customers, falling share price, damage to brand reputation and the cost of recovery.

According to Ponemon and IBM's 2017 Cost of a Data Breach report, the average total cost of a data breach to Australian organisations is $A2.51 million, with the average cost per lost or stolen record at $A139.

The report estimated lost business costs, including turnover of customers, increased customer acquisition activity, reputation losses and diminished goodwill, to average $A790,000 in 2017.

Steps to reduce costs

Clearly, reducing the frequency and impact of security breaches will have a direct impact on the bottom line.

Organisations today have little choice but to increase investment in cyber security over the next five years, with a longer-term view paying the biggest dividends.

The most profitable investments organisations can make to reduce the costs and impact of a data breach include extensive use of encryption, employee training, appointing a CISO and having an incident response team in place, whether internally or with a credible partner.

Skills and training

It is estimated that 28 per cent of data breach incidents are the result of simple human error. Employees and contractors need to better understand the value of data, and how to avoid putting it at risk.

Training staff on best practices, such as encrypting sensitive data or implementing technology controls around sensitive data, can help reduce incidents.

Furthermore, as malicious attacks become more targeted and sophisticated, and attackers use social engineering to trick people into providing access to systems, training staff to identify suspicious activity offers an additional layer of IT security defence.

Understand the intelligence environment

Just as in a financial audit, where the books are thrown open, the expectation will be that an organisation is also accountable for its cyber maturity.

This requires the capability to collect and analyse data across endpoints, applications, networks and cloud providers, and from employee and customer behaviour.

Threat intelligence tools can also help an organisation understand what is emerging from the global threat landscape.

Proactive incident response planning

With data breaches, the speed and precision of the response matter. Build a threat-aware, risk-based approach to cyber security programs.

A detailed gap analysis, developed by testing and simulating a cyberattack, will uncover the questions that need to be answered under pressure.

Taking board members through a simulated incident response will inform them of the impact on customer data, so they understand what is expected in response to an attack.

It is a time of enormous change, but with planning and investment in the right areas, organisations can protect their customers, shareholders and the bottom line.

After all, wouldn't you rather be known for your breakthroughs in digital disruption than your break-ins?

Chris Hockings is Chief Technology Officer at IBM Security

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
