Cybersecurity – Three Fundamental Steps to Safeguarding the Finance Function

OCT 06, 2021 | Mohamad Bachar Saidi, CMA, ACMA, CIPP™

Cybercrime has received so much media attention that it is now perceived as a familiar, omnipresent and inevitable ill that everyone simply has to accept and learn to live with. In fact, nothing could be further from the truth.

Cybersecurity is a complex issue that can only be managed if businesses and individuals accept that a large part of the responsibility rests with them, because neither governments and law enforcement nor IT professionals can be relied upon to prevent attacks from occurring. Understanding and following the basic rules of cyber-hygiene is now essential but no longer sufficient, as cyber-criminals constantly find new and inventive ways of perpetrating crime at many different levels. Given the tooling now available to attackers, an attack today can cause the kind of disruption that was unimaginable a few years ago. A case in point was the May 2021 ransomware attack on Colonial Pipeline in the U.S., which gave the world a vivid demonstration of how vulnerable energy infrastructure is to cyberattacks. U.S. administration officials believe the attack was the act of a criminal group rather than of a nation-state seeking to disrupt critical infrastructure in the United States.

The UAE, as one of the leading economies in the Middle East, has had its fair share of malicious COVID-19 themed attacks.

In the region, the main reasons for the surge in cyberattacks are the growth in online users, the remote-work culture, and vulnerabilities in digital communication networks. An effective cybersecurity risk-management strategy is therefore essential for business operations in the current environment and for future preparedness.

Here are three key steps to enabling finance and accounting professionals to safeguard their organizations’ data security from the growing risk of cyberattacks.

  • Cyberattacks are Here to Stay

A key consideration for organizations is that cybersecurity is no longer a purely technical issue; it has become so complex that there is no single third party a business can fully rely upon to stay secure. At the leadership level, it is increasingly falling to the CFO and his team to step up to the challenge and learn how to mobilize against, and survive, the tidal wave of cybercrime. As automation plays an ever-increasing role in the daily work of finance and other professionals, cybersecurity is becoming inextricably linked to such fundamentally important tasks as protecting the safety and continuity of the business, ensuring the confidentiality of sensitive data, and helping clients understand and manage a wide range of cyber-risks.

  • The Search for Vulnerabilities Should be Proactive

Professional accountants and finance professionals can, and should, play a leading role in defining certain key areas of such an approach: creating reasonable estimates of the financial impact that different types of cybersecurity breach would cause, defining the risk-management strategy, and helping the business set priorities for its most valuable digital resources. They can also closely follow the work of governments and regulators, so that they have clear, up-to-date information on relevant legislation and on the requirements for adequate disclosure and prompt investigation of cyber breaches.

  • Identifying and Setting Priorities is Key

Another vitally important aspect of cybersecurity is closely linked with maintaining clients' and customers' confidence. Safeguarding clients' trust and ensuring the confidentiality of sensitive data is a vital task for any accountancy practice. As reliance on digital technologies and online collaboration continues to grow, cybersecurity must therefore become a key focus and concern. This is especially true because cybercriminals often treat a smaller firm as a stepping-stone: they breach an accountancy practice and then use its systems, credentials and trusted client relationships to attack the practice's clients. This tactic is often called "island hopping" or a supply-chain attack; the term "lateral movement" properly describes the attacker's subsequent spread from one system to another inside a victim's network once a foothold has been gained. Keeping this in mind, it must be accepted that no company is too small to become a victim of a cyberattack.

Recap

What is needed, but is still often lacking, is a strategic approach to mitigating cybercrime risks. Given the many possibilities for disaster, it is imperative that companies be prepared for such events. Professional accountants and finance professionals can, and should, play a leading role in defining certain key areas of such an approach. These include:

  • Creating reasonable estimates of the financial impact that different types of cybersecurity breach would cause, so that the business can be realistic about its ability to respond to an attack and/or recover from it
  • Defining the risk-management strategy and having a disaster recovery plan (DRP) in place. A DRP is a documented, structured approach with instructions on how to respond to unplanned incidents. The plan serves as a crisis-management tool and should include a threat and risk assessment, measures for safeguarding data and handling cyber threats, backup systems (including offline or immutable copies that ransomware cannot reach, with regular restore tests to confirm the backups actually work), an emergency response checklist, routine exercises of the recovery plan, and a communication plan
  • Helping the business set priorities for its most valuable digital resources, so that a "layered" approach to cybersecurity (defence in depth) can be implemented, with the strongest controls placed around the assets whose loss would hurt most
  • Closely following the work of governments and regulators, to have clear, up-to-date information on relevant legislation and on the requirements for adequate disclosure and prompt investigation of cybersecurity breaches.

Solving cybersecurity problems is a complex technical discipline that is arguably better left to professionals, but a firm knowledge of the basics of security is essential. Gaps in that knowledge are a huge risk factor, as even one small gap is often enough for an attacker to get a foot in the door. The CFO and his team should therefore always be mindful of the old saying: "a fool and his money are soon parted." Now, and for as long as the profession relies heavily on technology, no one can afford to be a cyber-fool.