“Cybercrime is the greatest threat to every company in the world,” said IBM CEO Ginni Rometty two years ago. 40% of Australian directors seem to agree, rating cyber risk higher than other business risks in a recent survey. If you’re a Board member or director and not involved in cyber-protection, it’s time you were. Why?
In the past 25 years, the nature of corporate asset values has changed significantly, shifting away from the physical and toward the virtual. Close to 90% of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles. With the rapid digitisation of corporate assets, there has been a corresponding digitisation of corporate risk.
What’s more, cyber breaches are more likely than ever to be made public and expose your company to reputational damage since Australia’s Mandatory Data Breach Notification Law came into effect.
Cyber attack trends
The facts and figures from recently released cybersecurity threat reports illustrate some alarming trends:
- More than 4 billion records were leaked in 2016, 500% more than the previous year
- Malicious email attachments increased over 600% from 2015-2016
- Ransomware attacks spiked over 500% in 2016
- 76% of websites scanned by security professionals in 2016 were found to have vulnerabilities.
So who are the cyber attackers?
Cybercriminals are the biggest source of attacks as the diagram below shows. However, what may be surprising is that people inside your organisation pose the next biggest risk. Unintentional actions by employees, contractors and third parties result in significant data breaches.
How employees can accidentally cause data breaches
Staff are already inside a business’s security framework and their actions can easily be exploited by cybercriminals. The sorts of employee actions that can cause data breaches include:
- Using ‘unpatched’ applications which have not been updated with software containing security fixes
- Using easy-to-guess or default passwords
- Opening an infected attachment or using an unsafe URL
- Falling for a social engineering scam (such as phishing)
- Neglecting operating processes or security protocols.
Security awareness training for your employees, including how to recognise common scams, can help manage these risks more effectively.
Examples of social engineering scams
As accountants and auditors, the type of breach we hear about most often is the social engineering scam. For example, a bookkeeper received an email from a supplier informing them of a change of bank account details. That email was not really from the supplier, and payments of $30k a month were requested. Another case involved a PA who received an email from her boss (traveling interstate) to transfer $200,000 to secure a business deal. She did as requested – only to find out later that the email was not from her boss.
Staff should personally check transactions and requests like these by calling the sender on a known number and asking for verbal confirmation. Two different people in your organisation should be required to authorise payments and changes to bank details. As an extra safeguard, run monthly exception reports on creditors to check whether any unusual changes have been made. Scammers may wait weeks or months to make their move.
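The monthly creditor exception report described above can be automated. The following script is an added example, not part of the original article or of any Accru tool; the supplier names, staff names and change records are constructed sample data, and the `MasterChange` record layout and the `exception_report` function are assumptions about how a creditor master-file change log might be exported. It flags bank-detail changes that were not verbally confirmed, changes without a second authoriser (or where the requester approved their own change), and suppliers whose bank details changed more than once in the period.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Fields whose change redirects where money is paid; these get the strictest checks.
BANK_FIELDS = {"bank_bsb", "bank_account"}


@dataclass(frozen=True)
class MasterChange:
    """One edit to the creditor (supplier) master file. Layout is an assumption."""
    supplier: str
    field: str
    old: str
    new: str
    changed_on: date
    requested_by: str           # staff member who keyed the change
    approved_by: str | None     # second authoriser, None if nobody signed off
    verified_by_phone: bool     # supplier called back on a known number to confirm


def exception_report(changes, period_start, period_end):
    """Return a list of findings for changes in the period that break the
    controls: verbal confirmation, dual authorisation, and no repeated
    bank-detail churn for one supplier."""
    findings = []
    bank_changes = defaultdict(list)

    for c in changes:
        if not (period_start <= c.changed_on <= period_end):
            continue                      # outside the reporting month
        if c.field not in BANK_FIELDS:
            continue                      # e.g. contact email; not in scope here

        bank_changes[c.supplier].append(c)

        def flag(reason):
            findings.append({"supplier": c.supplier, "field": c.field,
                             "changed_on": c.changed_on, "reason": reason})

        if not c.verified_by_phone:
            flag("bank details changed without verbal confirmation")
        if c.approved_by is None:
            flag("no second person authorised the change")
        elif c.approved_by == c.requested_by:
            flag("requester approved their own change")

    # A supplier whose bank details change repeatedly in one month is worth a call.
    for supplier, items in bank_changes.items():
        if len(items) > 1:
            findings.append({"supplier": supplier, "field": "bank_*",
                             "changed_on": max(i.changed_on for i in items),
                             "reason": f"bank details changed {len(items)} times in one period"})
    return findings


def run_sample():
    """Constructed sample change log for March 2018 (all values hypothetical)."""
    log = [
        MasterChange("Acme Pty Ltd", "bank_account", "111222", "333444",
                     date(2018, 3, 5), "alice", "bob", True),            # clean
        MasterChange("Beta Supplies", "bank_bsb", "062000", "013000",
                     date(2018, 3, 12), "carol", None, False),            # 2 findings
        MasterChange("Beta Supplies", "bank_account", "987654", "123456",
                     date(2018, 3, 12), "carol", None, False),            # 2 findings + churn
        MasterChange("Gamma Services", "contact_email", "a@x.test", "b@x.test",
                     date(2018, 3, 20), "dave", "dave", False),           # not a bank field
        MasterChange("Delta Co", "bank_account", "555", "666",
                     date(2018, 2, 1), "erin", None, False),              # previous month
        MasterChange("Epsilon Logistics", "bank_account", "777", "888",
                     date(2018, 3, 28), "erin", "erin", True),            # self-approved
    ]
    return exception_report(log, date(2018, 3, 1), date(2018, 3, 31))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['changed_on']}  {f['supplier']:<20} {f['field']:<13} {f['reason']}")
```

On the sample data the report lists five items for Beta Supplies (two unverified, two unauthorised, one churn) and one for Epsilon Logistics, while the clean Acme change, the non-bank Gamma change and the February Delta change are left out. Feeding it a real export only requires mapping the export's columns onto `MasterChange`.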
How Boards should be involved in cyber risk
Cyber risk requires an enterprise-wide approach with leadership by the top levels of management. A senior executive should lead the cybersecurity program to ensure that management and the Board understand the business’s current cyber risk state and most critical processes, IT systems and information assets. Only then can effective protection strategies for people, processes and technologies be implemented across the business.
Boards and Directors should consider these pointers.
- Be prepared for success and business innovation. Managing cybersecurity is not just about managing the risk of bad things happening—it’s also about handling the upside of a company’s successful digital initiatives to ensure that the organisation’s cybersecurity systems are resilient enough to handle them.
- Accept that your organisation is at significant risk of breach. It is not simply a matter of trying to prevent a cyber risk from occurring. Breaches are happening—now. Boards should be concerned about the duration of significant breaches before they are detected, and the organisation’s ability to respond, recover and resume normal business operations afterward.
- Cyber threats are constantly evolving. Boards should question how the organisation’s threat management program proactively identifies and responds to new cyber threats, taking into consideration the company’s most valuable assets, the business outcomes it wishes to avoid, the nature of its industry and business model, and its visibility as a potential target.
- Expect more from your security function. As well as protective technologies, your security function needs to clearly articulate the current cyber risks facing all aspects of the business, recent cybersecurity incidents, how they were handled and lessons learned. It should also provide a short-term and long-term road map outlining how the company will continue to evolve its cybersecurity capabilities to address new and expanded threats, and meaningful metrics to judge the success of managing top-priority cyber risks.
- Assess the advice you receive and your understanding of it. There may be circumstances where a Board should consider adding individuals with technology experience, either as members of the Board or as advisers to the Board.
Cyber risks are impossible to eliminate and resources are finite, but there are nevertheless many measures you should be taking to protect your organisation. No Board or business, large or small, can afford to ignore cybersecurity.
Please contact your Accru advisor if you would like some initial guidance.