Cyber security and the strategic business leader
Syllabus area E4 of the SBL study guide requires students to discuss, assess and evaluate the security of IT systems. This article explains why these skills are crucial for those seeking to become effective strategic business leaders and demonstrates how they can be applied in practice.
Although awareness of cyber security risk has increased, many companies admit that they are not managing this risk effectively. UK government research published in 2019 revealed that 72% of FTSE 350 companies identified cyber threats as a high risk but 46% admitted that they did not understand the risks themselves (1).
This lack of understanding coincides with an increase in the frequency and impact of cyber-attacks. A 2019 Hiscox report found that 61% of companies experienced a cyber-attack over the preceding twelve months, up from 45% the previous year (2). Large companies (over 1,000 employees) are particular targets, with 74% reporting an attack in the past year. Furthermore, the costs of these attacks have risen dramatically. According to the same report, the average cost of an attack was $369,000, up a disturbing 61% on the previous year.
Why does cyber security need special attention?
Although cyber security is best managed as part of an overall risk management programme, there are four factors that mean it requires special attention:
Increased value of data
The volume and value of data available has increased exponentially. ACCA reports that '90% of the [40 trillion GB of] data in the world has been created since 2016'. (3)
Advances in machine learning and artificial intelligence allow patterns in that data to be analysed in ways that are revolutionising how organisations interact with their stakeholders. This trend caused The Economist to report in 2017 that 'the world’s most valuable resource is no longer oil, but data.' (4)
A lack of awareness of the vulnerability of personal data
In 2010, reports emerged of Mark Zuckerberg having described Facebook users as 'dumb' for being so ready to part with their personal data. (5)
At the time, there was no public awareness of how this data might be used but, in 2018, it emerged that Cambridge Analytica had harvested the personal data of 50 million Facebook users as part of a strategy to target and influence voters in democratic elections. (6)
Storing and sharing data
Cloud technology enables organisations to store and share huge volumes of data. However, making data available outside the organisation creates channels that can be exploited through unethical or illegal behaviour, and every such channel needs to be controlled and monitored as carefully as the organisation’s own systems.
The inevitability of software bugs
Software is now so complex that it is beyond the capacity of any human to identify every possible weakness. For example, the software in an average new car contains over 100 million lines of code, so flaws or 'back doors' that could be exploited will almost certainly exist somewhere, which is why regular patching matters as much as initial design.
Measures to promote cyber security
The UK government became so concerned at the lack of engagement with cyber security that, in 2016, it set up the National Cyber Security Centre (NCSC). This organisation publishes '10 Steps to Cyber Security', which recommends ten steps to promote cyber security within an organisation:
1. Set up your risk management regime
As part of good corporate governance, organisations should already have an effective risk management policy in place. However, the technical complexity of cyber security creates a specific risk that directors fail to engage with the issue, even though it is a critical risk for any organisation. It is therefore crucial that any general risk management regime refers explicitly to cyber security risk. The subsequent steps give examples of specific matters the board should consider.
2. Network security
In the same way that an organisation’s offices are kept physically secure, the perimeter of its network needs to be kept secure, using firewalls and filtering of inbound and outbound traffic, in order to prevent unauthorised access. A perimeter alone is not enough, however: once an attacker is inside, an unsegmented network lets them move freely, so the internal network should also be divided into zones.
3. User education and awareness
A network is only as secure as its weakest link, so it’s crucial that all those authorised to access an organisation’s network understand how an attacker might exploit them, for example through phishing emails or other social engineering, and know how to report anything suspicious.
4. Malware prevention
Malware is a generic term that covers all forms of malicious software, including viruses, spyware and ransomware. Organisations and individuals can protect against malware by subscribing to anti-malware software that scans for such infections. With new malware threats emerging all the time, it’s crucial that anti-malware software is kept fully up to date – many reputable vendors issue daily updates.
5. Removable media controls
The ability to transfer data via removable media creates a key weakness that attackers can exploit, both as a route for malware into the network and as a route for sensitive data out of it. A 2019 report from Dtex Systems found that 74% of staff surveyed were able to circumvent security controls to use unsanctioned portable applications or devices such as USB sticks (7).
Organisations clearly need to be more robust in regulating the use of such media.
6. Secure configuration
In the same way that removable media needs to be controlled, any hardware added to an organisation’s network needs to be configured in a way that restricts unauthorised use: default passwords changed, unnecessary services and software removed, and security patches applied promptly. An obvious example here would be a standard build for any laptop connected to the company network.
7. Managing user privileges
Separation of duties and the principle of least privilege (giving each user only the access their role requires) are widely used controls, but the 2019 Dtex report discovered that 95% of users actively attempted to circumvent corporate security policies. Much of this would not have been malicious (how many people have allowed someone else to log on using their password so that they can do their job?). Nevertheless, it creates a culture that dramatically undermines basic controls: a shared password makes it impossible to tell from the audit trail who actually did what.
8. Incident response
Cyber security attacks are inevitable. When they happen, an organisation needs to have a robust response that contains the immediate threat and limits its impact (for example, by restoring systems from off-site back-ups). However, what happens after an attack has been neutralised is equally important – the organisation needs to learn from the incident in order to minimise the risk of it recurring.
9. Monitoring
An organisation that monitors its systems and spots an unsuccessful cyber attack will be able to implement additional measures that target potentially sensitive areas. For example, some organisations send simulated phishing emails to staff – imitations of the messages that, if acted on, could result in unauthorised users gaining access to sensitive information. Staff who fall for the trick can be targeted for additional training.
10. Home and mobile working
The increase in remote working requires organisations to permit network access from outside their own premises. Effective controls in this field include the use of a Virtual Private Network (VPN), which should only be accessed from appropriately configured devices (see 6 above) and should require more than a password alone to log in.
The role of the finance department in managing cyber security
A recent report by ACCA, Cyber and the CFO, highlights the need for chief financial officers (CFOs) to be much more pro-active in managing cyber risk (8).
It explains that, while there are complex IT issues involved, 'this should not absolve the finance team from involvement… It falls to the CFO to take the broader view of cyber security as a commercial and business-wide risk rather than a technical issue.'
The ACCA report recommends several specific actions for the CFO to take:
1. Redefine risk and resilience
As cyber criminals become ever more sophisticated, the report recommends a 'zero trust' model, in which every user and every device is verified before each access to a network resource, rather than being trusted simply because it sits inside the corporate network. The 'two step verification' techniques being adopted by many banks and consumer service providers are one visible element of this approach.
2. Focus on recovery plans
Preventing every cyber-attack is a noble ambition but it’s virtually impossible to achieve. It’s therefore crucial to have plans in place not only to manage the attack itself but also, crucially, the recovery afterwards, and to test those plans before they are needed.
3. Audit your supply chain
A system is only as strong as its weakest link, so organisations need to place as much emphasis on the cyber security protocols of any connected suppliers as they do on their own systems and controls.
4. Invest in cyber insurance
Insurance will help to minimise the financial damage caused by a cyber attack, although it does nothing to prevent one. For this to be effective, the CFO needs to help the board to quantify the financial damage that an attack could cause. However, while it may be tempting to pay off a ransomware attacker, there is no guarantee that paying will recover the data, and such an action is likely to make the organisation considerably more attractive to other attackers.
The ACCA report concludes with the following warning:
'Do not wait for a cyber attack to occur. Do not wait for the fine or the measurable reputational loss. Finance leaders need to recognise that cyber risk is one that is very relevant to them. Ensure that you are fully up to date on the nature of the risk that the organisation faces on an on-going basis.'
As the strategic business leaders of tomorrow, students need to demonstrate a good awareness of cyber security issues and be ready to discuss, assess and evaluate the controls that an organisation has (or doesn’t have) in place.
(1) HM Government, 'FTSE 350 Cyber Governance Health Check 2018', 2019
(2) Hiscox, 'Cyber Readiness Report', 2019
(3) ACCA, 'Machine learning: more science than fiction', April 2019
(4) The Economist, 'The world’s most valuable resource is no longer oil, but data', 6 May 2017
(5) Business Insider, 'Well, These New Zuckerberg IMs Won't Help Facebook's Privacy Problems', 13 May 2010
(6) The Guardian, 'Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach.' 17 March 2018
(7) DTex Systems, 'Insider Threat Intelligence Report', 2019
(8) ACCA, 'Cyber and the CFO', March 2019