Working patterns have changed as a result of the pandemic and organisations have become increasingly aware of cyber risk. Cyber security is taking greater prominence on the leadership agenda, but the activities that we all need to undertake need not be ground-breaking. Cyber security is a personal issue first and foremost: we all need to be observant and cautious.
A survey conducted jointly by ACCA, CA ANZ, Macquarie University and Optus in October 2018 showed that 57% of respondents ranked cyber security among their top five business risks while 52% saw cyber security as a high or very high risk to their organisation.
The level of cyber threat evolves as technology changes, and increasing connectivity transforms the risk profile of organisations. Yet cyber security is still not managed as a business risk and is, too often, left to information technology professionals alone to handle.
Redefine risk and resilience
This evolving threat means that cyber criminals constantly find new vulnerabilities to exploit, so it is important for businesses to maintain their software and hardware systems and protect them from risk, but this is not enough. Traditionally, hardware has been understood as the boundary of the IT system. In the connected world we are moving instead to managing cyber risk by verifying the user and the equipment that they use. As users we are less tolerant of inflexibility in the infrastructure we use, and many people bring their own devices to work. This surge in the use of remote access, however, creates further vulnerabilities that a cyber threat actor can exploit. Both as individuals and as organisations, we need to be vigilant.
Cyber threat actors have time on their side. They need not act immediately. IBM's annual global survey, published in early 2021, showed that, on average, it takes 280 days for organisations to identify and contain an attack. The average total cost of a breach was US$3.86 million.
For organisations, the question about suffering an attack is not “if” but “when”. The ACCA survey found that 26% of respondents were aware of attacks detected by their organisation in the preceding six months. More concerning still were the 54% of respondents who thought that their organisation had never been the subject of a cyber-attack, or were not aware that it had ever been. Cyber-attacks cause both financial and reputational damage, and businesses cannot afford to ignore them.
Focus on recovery plans
Preparation for an attack should focus not only on the management of the attack itself, but also on the recovery afterwards. This requires effective planning to manage the technical issues as well as the relationships with regulators, customers and suppliers. Only 37% of participants in the survey noted that there was a remediation plan in place that was regularly updated and tested. The risks associated with cyber-attacks go beyond the loss of personally identifiable data; they may harm the company’s operations. Connectivity is now how we do business. Especially during the pandemic, organisations have shifted their focus to online interactions with customers and suppliers. That level of connectivity and inter-dependency creates a higher risk.
Audit your supply chain
As supply chains become ever more complex and integrated, the extent of cyber risks at the boundary of organisations grows. The weakest point may well be a connection to a third party. Providing support to and assessing the vulnerability of these third parties is essential, yet 41% of respondents had no knowledge of any cyber security assessment or audit being conducted on their organisation’s supply chain.
Invest in cyber insurance
Leadership needs to regularly review and act on cyber threat measures as part of its broader business risk assessments. This includes quantifying the potential financial impact of exposure. For the cyber-criminal, the activity can be more profitable than any other illegal activity, and paying criminals to unlock data encrypted by ransomware will mark the organisation as a vulnerable target on the dark web. Insurance will help manage some of the losses arising from an attack, yet 44% of respondents were unsure whether their organisation had a cyber insurance plan, or whether the cover was at an appropriate level.
Play your role in the reality of cyber risk
Do not wait for the cyber-attack to take place. Do not wait for the fine or the measurable reputational loss. Finance leaders need to recognise that cyber risk is especially relevant to them. Ensure that you are fully up to date, on an ongoing basis, on the nature of the risk that the organisation faces. The cyber threat actor has time on their side, and it is not time that you can afford to waste.
Clive Webb leads ACCA’s research on business and technology related matters from the perspective of the chief financial officer. He has a background in information technology assurance and is also a qualified accountant.