The impact of a cyberattack on a business can be devastating. Not only can it disrupt operations; it also requires investment to recover, can damage the brand and can incur hefty regulatory fines.
However, although the average UK company spend on cybersecurity rose from £0.68m in 2019 to £1.4m last year, the consultancy Gartner predicts that growth in cybersecurity spending will slow down. The reason for this prediction is that boards are increasingly demanding to see more tangible results from investment in cybersecurity, including better data analysis and performance.
The CFO is ideally situated to highlight to the board that cybersecurity is a business issue, not an IT issue. They have visibility of the real risks, priorities and investments required around company data, particularly in transactional organisations.
The traditional approach to cybersecurity has centred around systems – that is, data storage, processing and computing. However, the real threat is to data itself – in particular, customer transactions and employee records. The cybersecurity agenda needs to shift to focus on data integrity and security.
Here are some of the key threats that the board should consider as part of its cybersecurity strategy.
Shifts in business model
One of the effects of the pandemic has been a shift in business models; a number of companies are now using technology either to facilitate remote working or to move to an e-version of the business. But having dispersed employees means an increased risk around access to systems and potentially more relaxed attitudes to individual logins.
One quick win is to introduce password-less authentication. With a quarter of employees in the US using weak passwords such as ‘Password’ or ‘123456’ (responsible for 30% of ransomware infections), and over half incorporating a name or birthday into passwords, it is unsurprising that companies’ systems are susceptible to brute-force attacks.
Certain industries have become more at risk from cyberattacks. Organisations in sectors such as healthcare and manufacturing are being targeted by ransomware. These sectors are particularly vulnerable because of their reliance on old technology: the use of legacy systems means that these companies are often reluctant to apply updates in case doing so causes a system failure or requires a reboot.
Internet of Things
Many organisations are unaware of the risks around the collection of sensitive data derived from the Internet of Things and its collation within software-as-a-service (SaaS) solutions. This brings a multitude of cybersecurity risks – particularly when you add in third parties accessing the systems – whether from an IT, product development or after-sale perspective.
According to research, a third of employees in the UK prioritise connection speed over secure connections; one in five has fallen prey to a phishing attack, and many are unaware whether or not their organisations provide cybersecurity training.
It’s vital to develop a clear cybersecurity strategy that is shared across the whole business to ensure that employees take ownership of the threat. This should be the responsibility of the whole leadership team, not just the chief information officer (CIO).
The CFO also needs to be fully across the regulatory requirements – the financial penalties for non-compliance can be severe. Key among these are the Data Protection Act (2018) and the current General Data Protection Regulation (GDPR). The legislation covers the key principles of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Recent research shows that just over a quarter of companies are still not fully GDPR-compliant.
There are severe fines of up to £17.5m, or 4% of annual global turnover, for failing to comply with the GDPR. Over the past three years, there have been a number of high-profile cases including Google (fined £43.2m), H&M (£32.1m) and British Airways (£20m).
While each organisation’s cybersecurity strategy needs to be tailored, there are some key elements that apply across all companies:
- Typically, cybersecurity is seen as a technical problem for the CIO. The board needs to recognise the value of its data so that support and investment are seen as a company-wide initiative.
- If the focus for cybersecurity is on systems, this needs to shift to understanding the threat and developing risk management and investment strategies based on the real impact to the business.
- Take a holistic view of cybersecurity so that it future-proofs the organisation and doesn’t focus solely on today’s issues.
- Analyse the requirements for both compliance and protection so that both are achieved.
The growth in technology and our changing working patterns mean that cyber risks are increasing. As Christopher Wray, director of the US Federal Bureau of Investigation, said earlier this year:
‘The scale of this is something I don’t think this country has ever really seen and it’s going to get much worse.’