This article was first published in the May 2019 International edition of Accounting and Business magazine.

App attacks, cryptojacking, ping of death (the sending of a malicious ping to a computer), zero-day vulnerabilities – the A-Z of cybersecurity threats is constantly growing. New menaces emerge almost daily, the number of attacks is increasing, and no individual or organisation is invulnerable. ‘It is no longer a case of if you will be attacked, but when,’ says Geraldine Magarey, thought leadership and research leader at CA ANZ. A perfect cyber storm is brewing, and CFOs need to understand and mitigate the associated risks.

There are signs, however, that many CFOs and their finance teams regard cybersecurity as somebody else’s problem – the IT department is typically the one in the frame. Recent global research among more than 1,500 members of ACCA and CA ANZ found low levels of cyber risk awareness. ‘CFOs often regard cyber risk as a technology issue, not a governance or business issue,’ says Magarey. The research, Cyber and the CFO, a joint report with the Optus Macquarie University Cyber Security Hub and Singtel Optus, indicated that cyber threats did not register prominently, except perhaps where privacy was more front of mind as a result of recent legislation.

You are not alone

The responsibility for managing and mitigating cyber risk does not rest solely on the shoulders of CFOs. ‘It is the collective responsibility of the C-suite,’ says Clive Webb, senior insights manager at ACCA. However, CFOs are becoming more involved in operational crisis planning as business operating models evolve. ‘As more businesses are cloud-enabled and more technology resources are third-party hosted, technology starts looking less like an operational domain in its own right and more like a strategic operational issue,’ says Webb. Failing to respond to this trend can have dire operational and financial consequences for organisations.

Trying to recover after an adverse cyber incident such as a data breach or ransomware attack can be complex and time-consuming. Money spent trying to remediate damage – to data, systems, relationships with customers and suppliers, and the reputation of the business – can quickly mount up. Then you need to factor in opportunity cost and loss of revenue due to downtime. ‘Cybersecurity is a business issue, not a technology issue. CFOs need to understand and act on this,’ says Webb, because the damage a cyber attack can cause is determined by how ill-prepared an organisation is.

Plan to survive

Basic cybersecurity controls can protect against the most common cyber attacks, according to British government organisation the National Cyber Security Centre (NCSC). Like public and private sector specialists in other countries, the NCSC has made some simple guidance freely available (go to bit.ly/NCSC-Guidance). Cyber risk and liability insurance may give you a sense of security, but implementing and regularly testing basic cyber monitoring procedures and controls will make your organisation more resilient to the most common threats and make recovery from adverse cyber incidents easier to manage when they do occur – as they inevitably will.

All organisations should assume that they will be attacked, even small and medium-sized enterprises (SMEs). ‘SMEs think they are not a target because cyber attackers will go after somebody bigger, but this is not true,’ says Magarey. Adverse cyber incidents afflicting the biggest businesses and brands may grab headlines, but such victims are merely the tip of an iceberg. Beneath the waterline, many smaller organisations are also being attacked by cyber criminals. According to Verizon’s 2018 data breach investigations report, 58% of cyber attack victims were businesses with fewer than 250 employees.

No organisation can be 100% secure; but a lack of cyber risk awareness leaves small businesses less well prepared for cyber attacks than larger organisations and less able to deal with the consequences. Research by the US National Cyber Security Alliance found that 60% of small businesses go bankrupt within six months of falling prey to a cyber attack. Unfortunately, SMEs are increasingly popular with cyber criminals, who see small businesses as a soft target for penetration and extortion, and an easy-to-access conduit into supply chains; hence the appeal of sector and multi-industry cyber wargaming.

The spread of internet connectivity among objects, organisations and people – the internet of things – is turning us all into links in a chain, and the associated cyber risks are unlikely to diminish any time soon. As technology advances, so do the weapons that cybercriminals can deploy, along with the sophistication of their methods.

‘As a CFO, you need to appreciate how fast the nature of cyber risks and the types of attack you may face are changing,’ says Webb. This, though, does not mean you need to become an expert on app attacks, cryptojacking or ping-of-death attacks. Webb says: ‘As a CFO, you should know what you don’t know and who to ask when you do need to know.’

Lesley Meall, journalist