Cyber risks analysed
Professional services firm Deloitte has offered five cyber risk insights for the chief financial officers (CFOs) of companies, noting that these risks are ‘enough to rattle even the most steadfast’ of CFOs. The company says that cyber attacks have now become a regular fixture on lists of ‘most worrisome risks’ for CFOs – lists that also include economic volatility and overregulation – and cites both the increasing frequency of such attacks and their associated costs as matters of extreme concern. “According to the Ponemon Institute’s 2014 Cost of Breach: Global Analysis study,” said Deloitte in a statement, “the average total cost of a data breach is now $3.5 million globally, up 15 per cent from last year. In addition, the survey found a company’s probability of a material breach involving 10,000 records or more stands at 22 per cent over the next 24 months.”
The five insights offered by Deloitte are:
- Your information network will be compromised. CFOs need to accept that, inevitably, any information network will be attacked – ‘you will not get to a point of zero risk’;
- Physical security and cyber security are increasingly linked. The twin domains of physical and cyber security have traditionally been treated as separate entities, but Deloitte suggests that this is no longer the case. “While threats like espionage, intellectual property theft, fraud, counterfeiting and terrorism may involve cyber breaches, they potentially can begin with physical access,” said Deloitte. “In a common example, certain administrators may have full control over a system such as payroll, customer data or billing. Armed with that access, those employees or contractors might pay themselves with false invoices, approve loans with special rates, or copy customer credit card data and employee files that contain sensitive information such as social security numbers, with the purpose of selling the data, committing identity theft, embezzlement or other fraud.”;
- Cyber damages go beyond dollars. Deloitte suggests that while there is a financial cost, the damage potentially done to reputations and brands ‘significantly add to the toll’;
- Not everything can be protected equally. “What data is crucial to running the organisation,” asks Deloitte, “and what databases, if compromised, could put you out of business?” Using a retailer as an example, customer credit card data and the ID numbers of employees represent crucial data. CFOs are advised to build a ‘hierarchy of data’ customised to both their company and their particular industry; and
- Your walls are probably high enough. “Companies continue to invest heavily in the protection side of cyber security – with more firewalls and more intrusion-detection systems,” said Deloitte. “Yet, most wall-building may be about as high as it needs to be. Given that hackers have likely already infiltrated, companies should focus more on the detection side to increase their vigilance against attacks, and on recovery after the fact. The formula is different for every company, of course; but, of the typical IT cyber-risk spend, 30 per cent might be allocated to wall-building, 50 per cent to detection, and another 20 per cent to resilience preparation.”