RISK MANAGEMENT

Five Cybersecurity Truths That Should Inform the CFO’s Spending

Cyber risks, it seems, are everywhere. Retailers breached. Intellectual property stolen. Data hacked almost on a daily basis. It’s enough to rattle even the most steadfast of chief financial officers – and often it does.

In fact, in our quarterly CFO Signals™ survey, cyber attacks have become a fixture on the list of CFOs’ most worrisome risks, which includes perennial macroeconomic factors, such as economic volatility and overregulation. Four years ago, when the survey first launched, cyber risk was rarely mentioned.

And in our CFO Transition Lab™ sessions, newly named CFOs tell us of their increasing concern for cyber attacks as well.

That change in mind-set is directly correlated to both the frequency and the cost of cyber attacks. According to the Ponemon Institute’s “2014 Cost of Breach: Global Analysis” study, the average total cost for a data breach is now US$3.5 million globally, up 15% from last year (and considerably higher – US$5.85 million – for US companies).

In addition, the survey found that a company’s probability of a material breach involving 10,000 records or more stands at 22% over the next 24 months.

Given the costs and the increasingly malicious nature of the attacks, CFOs are understandably focused on identifying potential cyber risks and planning their corporate responses. Moreover, with a large percentage of finance chiefs also overseeing IT, they are equally committed to determining how and where to invest company resources on prevention.

In this article, we will discuss some basic “truths” about cybersecurity and offer guidelines for investing in an enterprise-wide cybersecurity plan.

Sophisticated attackers

For CFOs, getting a handle on cyber risk can be a frustrating process. Part of the problem is that finance chiefs typically don’t have trend information on their companies’ vulnerability.

Plus, with the ubiquitous nature of cyber risk, classic security controls (firewalls, antivirus, intrusion detection systems, intrusion prevention systems, and so on) are becoming less and less effective as attackers employ innovative techniques to evade them (see Deloitte LLP video: “Companies like yours”).

Meanwhile, the battlefield keeps expanding. Consider the march to the Cloud. While the potential savings might be attractive, there are inherent security issues with going to the Cloud, such as “Who has access to my data in the Cloud?” and “Can it be shared with other customers?”

Compounding the problem is the mobile evolution. In addition to standard desktop computers, company-issued laptops, PDAs, cell phones, and mobile phones typically offer a wealth of personal information and multiple access points for cyber thieves.

Those thieves are also patient: no longer focused on “smash and grab,” they are operating below the security radar of victim organizations and maintaining a presence for years.

Reality check

What that means is that companies – and CFOs – are fighting a multi-front, long-term battle where victory is difficult to measure. To have any chance of winning the cyber wars, there are several realities that CFOs should understand:

Your information network will be compromised. Unfortunately, it’s inevitable that you will be attacked. If you operate an information network, you’re not going to get to a point of zero risk. Accept it.

Physical security and cybersecurity are increasingly linked. Typically, the physical security domain and the cybersecurity domain have been viewed separately. But that is no longer the case.

Why? While threats like espionage, intellectual property theft, fraud, counterfeiting, and terrorism may involve cyber breaches, they can potentially begin with physical access.

In a common example, certain administrators may have full control over a system such as payroll, customer data, or billing.
