The frequency and severity of cyber attacks are on the rise around the world, making it more important than ever for finance directors to be involved in the fight back.
No longer is it acceptable for CFOs to focus purely on numbers, they must help devise and enable strategies that keep the business profitable. This must include promoting cyber security; the consequence of an attack could be disastrous.
Within the financial director’s remit is a responsibility to alert the board on the financial impact of a potential breach, while also ensuring that a budget is allocated for preventing and containing incidents. As most financially focused attacks directly threaten the company balance sheet, it is vital that CFOs are aware of those strategies which make their organisations resilient to cyber-attack.
To give you some perspective on just how prominent cybercrime has become, a 2018 University of Surrey study conservatively estimated that cybercrime carried out on platforms such as Amazon, Facebook and Instagram generated $1.5 trillion for cyber criminals, equivalent to the GDP of Russia.
The scale of the problem means that cybercrime is fast becoming a top priority in the boardroom, with the CFO a central part of this. Increasingly, we are seeing boardrooms begin to request a list of non-technical strategies they can use to fight back. They want to adopt strategies that are fit for the modern technological age, that they can readily understand and control, rather than just guidance targeted at seasoned tech gurus.
For too long, cyber security standards and best-practice have been targeted at an audience engaged at tactical and operational levels and made difficult for boards to digest.
Yet many financial directors have a responsibility to know that their organisations are adequately protected from a potential attack. To be able to manage budgets effectively they must become well-versed in those foundational strategies which can be used to drive down their business exposure to cybercrime.
Analogous to a military hierarchy, whilst a General may need an appreciation of the challenges in the positioning and use of artillery, they may not be best serving the effort if they spend most of their time on the front line when there is a bigger picture to manage.
It is essential then that cybersecurity experts begin to adopt a language that is easily understood by all, rather than focusing on technical jargon which is baffling to many.
Devising cyber risk management strategies that are easily understood and led by the boardroom will become ever more important in the current digital age. Understanding what has gone before and what does and doesn’t work will help CFOs and other board members to address current and future cyber risk.
Explaining the Cyber|Seven Strategies
For years, we have collected key observational data from hundreds of cyber incidents to which we have responded. We have spent time analysing incidents to distil the strategies every organisation needs to adopt to avoid cyber risk.
We call these strategies the Cyber|Seven.
The Cyber|Seven strategies are non-technical actions defined in straightforward terms that any competent board will understand and be able to implement.
CFOs and their boardroom peers are increasingly realising that effective cyber risk management is not just about technology. Other protections including staff skills, awareness and cyber insurance are also essential considerations.
To enable Boards to ‘self-assess’ their organisations effective implementation of the Cyber|Seven strategies we have built a simple, secure online tool which is free and anonymous at the point of use. Importantly, the questions are designed to be answered by board-level executives. They are focused on key strategies, so the problems of referral, delegation and feedback that many tactical and operational level assessment systems have do not apply to Cyber|Seven.
What are the Cyber|Seven Strategies?
The key strategies forming the foundations for effective cyber risk management are:
Effective cyber risk management needs Ownership: Boards must appoint a “Cyber Champion” who is responsible for oversight of cyber risk management (budget, staffing, SLAs, security protection, cyber incidents, cyber insurance).
- Information Asset Awareness
Boards must be aware of their intangible (data/info) assets and ideally sort them into broad categories and criticality. The CFO is central to this.
- Adequate IT Budget
Is your IT budget big enough? Most IT departments are notoriously under-funded by boards. Information is the lifeblood of pretty much all modern organisations and information technology needs adequate funding to ensure resilience.
- Payment Control
Because many payments systems are now online and almost all cybercrime is simply cyber-enabled fraud, payment controls such as segregation are more important than ever.
- IT Staff Count Ratio
The ratio of IT staff to end users: Too many organisations are massively understaffed leading to stressed IT teams who make silly mistakes and leave organisations vulnerable to cyber-attack. IT staff and cyber security staffing is a key risk management strategy.
- IT Skills & Staff Awareness
Most organisations considerably under-invest in on-going training for IT staff; in standard IT, let alone cyber security. They need to support staff and make skills acquisition a prerequisite for career growth and/or good job performance. Furthermore, all staff need to be given awareness training to enable them to spot cyber incidents and scams.
- Technology Versions
The older the technology the longer hackers have had to find vulnerabilities in it. Staying current means keeping the organisation ahead of the attackers. Boards do not need to know the details but do need a strategy which rejects suppliers who do not support the latest technologies.
The Cyber|Seven approach is a rapid yet extremely targeted way for business leaders to establish key strategies which form the foundation for effective cyber risk management. So, what will your business score result look like? Are you a Cyber|Strategist?