Cyber security is repeatedly in the news, with headlines shouting about security breaches and stolen data, as PR teams scrabble to fix the reputational damage to companies.
With all this noise on cyber security, it would seem safe to assume that there is also a wealth of informed and collected data on how best to defend against this new threat.
However, the effects of cyber security breaches are hard to define, and even harder to quantify, which makes it impossible to classify what option makes a company more secure.
In turn, financial directors, who are most often the executives within organisations expected to shoulder the management of this new risk, cannot perform accurate cost/benefit analysis of investments in security and can be left trying to prepare for something which they know nothing about.
Unfortunately for financial directors, if the wrong solution is in place, or the controls are not robust enough, and the company suffers an embarrassing security breach, the FD will suffer the repercussions personally, with a knock-on effect on career and reputation.
Navigating through the myriad of options available that claim to prevent breaches can be overwhelming, leading to poor purchases and a security system that lacks the ability to stand up to hacks in the long run – leaving FDs exposed.
With so many different options available, from hardware to software and systems, it can be difficult to make a strategic, business focused decision and financial directors can lack the technical knowledge to confidently spend on these solutions, which also makes it difficult to assess how much to spend in the first place.
So how should FDs decide on investment in cyber security?
Research suggests that FDs are not investing the right amount, nor in the right things. In order to stay ahead of the game and ensure their business is not taken by surprise in a cyber-attack, FDs need to adopt the attitude that it is not ‘if’ a cyber breach will happen, but ‘when’.
If approached in this way, FDs can then consider that attacks are not only inevitable, but will increase in technical sophistication and frequency. With this view, a reasoned and appropriate long-term response can be offered, that will put FDs ahead of their competitors. By preparing for the future and the inevitable, businesses will have an edge over those that view security as an ad-hoc or reactionary task.
There is strong evidence from major governmental organisations such as GCHQ, the NSA in America, and the Australian Cyber Security Centre, that certain security controls can have a huge impact on the safety of an organisation and its data.
The National Cyber Security Centre (NCSC), run by GCHQ, launched a Cyber Essentials scheme emphasising five basic technical controls that have a positive impact on the overall security of an organisation, a number it believes all organisations can implement effectively.
The UK Government’s Cyber Essentials scheme addresses five basic steps to help businesses prevent the vast majority of cyber attacks. Although it is a good place to start, the broader problem is to improve the effectiveness of the controls, as
For financial directors, what this means is that not only do they need to approach cyber security with the mindset that it ‘will’ happen to them, they also need to ensure they are implementing the right controls, and implementing them effectively.
To do this takes time and needs guidance to ensure that the implementation of these controls is robust and effective. Finance leaders should not attempt to go it alone, but that doesn’t mean hiring costly advisers, either.
Instead, they need to rethink how they assess their processes and controls. Instead of performing an audit, which is just a snapshot of a particular moment in time, for cyber security to be fully effective, a maturity assessment is needed.
Although these take time, they offer a lasting indication of whether security controls are working effectively or not, and better place not only your organisation but also your own skills at managing this new risk, in an ever-changing landscape beset by political instability and shifts in currency and markets.
FDs need to start considering how they approach cyber risk. By changing the way you approach the problem, the solution, while never clear-cut, will become clearer. FDs will have a better overview of how to implement effective cyber security and need not be overwhelmed by a problem that has little quantitative data available on which to base decisions.
This forward thinking will set FDs apart from their peers and will ultimately shield FDs from the possibility of a reputation-damaging cyber attack.
As the landscape changes and cyber-attacks evolve, agility will be key and maturity assessments will provide the necessary detail for FDs to cut through the noise and make decisions that keep their organisations safe and ahead of the competition.