2020 will be remembered as a uniquely disruptive year, and in more ways than one. Online life was digitally transformed, as exponential change accelerated at home and work via the internet. While Covid-19 unleashed a health pandemic, the period also marked a cyber pandemic, directed at both national governments and corporates. Given the powerful weapons in the arsenal of cyber-terrorists, one can assume that an attack today can unleash the kind of mayhem that was unimaginable a few years back. A case in point was the recent ransomware attack on the US pipeline, which gave the world a vivid demonstration of the vulnerability of energy infrastructure to cyberattacks. US administration officials believe the attack was the act of a criminal group, rather than a nation seeking to disrupt critical infrastructure in the United States. Almost 14,000 km away, India’s state-owned airline, Air India, was subjected to a cyberattack in which the personal details of about 4.5 million customers around the world were compromised, including passport and credit card details, birth dates, names and ticket information.
For organizations, government and individuals, an aspect that has to be considered is the increasing risk related to the use of new or quickly expanding technologies: mobile devices, contactless and mobile payment systems, the Cloud in its various incarnations, the IoT (Internet of Things), advanced personal authentication technologies, and, last but not least, social networking. While all these things are convenient and useful, they often introduce new security loopholes that cybercriminals look for and exploit.
According to a 2021 report by BlackFog, global damages from cybercrime are expected to hit US$6 trillion this year (up from $3 trillion in 2015) as the number of ransomware attacks increases and newer forms become more sophisticated and disruptive.
Cybersecurity is a complex issue, and it can only be ensured if businesses and individuals appreciate that they themselves have to accept a large part of the responsibility for it, because neither governments and law enforcement nor IT professionals can be relied upon to provide adequate protection. At the corporate end, as companies feverishly scramble to gauge their vulnerabilities to ransomware, it is the finance professionals, primarily the CFO, along with the CEO and CTO, who need to keep an eye on the changing cyber-threat landscape and be wary of knowledge gaps. A ‘head in the sand’ attitude is not a viable option.
There is only so much that law enforcement can do. Cybercriminals operate in a borderless world and their activities often leave very little, if any, physical evidence. This and the balance of potentially huge financial gain versus relatively low operational risk make cybercrime a very tempting proposition for cybercriminals. Cybersecurity is no longer a purely technical issue; the impact of a cyber-breach is typically felt across every aspect of a business and often involves operational, reputational and financial damage, as well as regulatory penalties.
At the corporate end of the spectrum, finance professionals are, as yet, not overly concerned about the pervasive capturing and storage of, and access to, sensitive consumer and other data or information. What is needed, but is still often lacking, is a strategic approach to mitigating cybercrime risks. Professional accountants and finance professionals can, and should, play a leading role in defining certain key areas of such an approach: creating reasonable estimates of the financial impact that different types of cybersecurity breaches will cause, defining risk-management strategy, and helping businesses to establish priorities for their most valuable digital resources. A vitally important aspect of cybersecurity is also maintaining client and customer confidence. Safeguarding this and ensuring confidentiality of sensitive data is a vital task for any finance and accountancy practice. Therefore, cybersecurity must become a key concern for the CFO and his team.
Accountants and finance professionals can, and should, play a leading role in defining key areas of a strategic approach to mitigating cybercrime risks. These include:
- Creating reasonable estimates of the financial impact that different types of cybersecurity breaches will cause, so that a business can be realistic about its ability to respond to an attack and/or recover from it;
- Defining risk management strategy;
- Helping businesses to establish priorities for their most valuable digital resources, in order to implement a “layered” approach to cybersecurity; and
- Closely following the work of government and various regulators, in order to have clear, up-to-date information on adequate legislation and on requirements for adequate disclosure and prompt investigation of cybersecurity breaches.
Solving cybersecurity problems is a complex technical discipline that is arguably better left to professionals; but whichever way you look at it, cybersecurity is a top priority for both boards and CFOs. What is very important is firm knowledge of the basics of safety. This is also important when looking at the bottom line. At a time when corporate budgets are shrinking, worldwide security spending is expected to grow 8.1% annually and hit $174.7 billion by 2024, according to IDC. If boards and CFOs learned anything in 2020, it was to expect the unexpected. But to be truly effective, they need to fully understand the risks and view cybersecurity as foundational to almost everything an organization does, starting at the very top.