New data privacy rules make it compulsory for many businesses to make a report to the Office of the Australian Information Commissioner (OAIC) when they experience a cyber breach that is likely to result in serious harm to those affected by the breach. This puts cyber security front-and-centre for finance chiefs as fines apply to businesses that fail to comply with these rules.
A cyber breach occurs when the sensitive or personal information a business owns is unlawfully or inadvertently accessed. It might involve hackers purposely seeking to breach an organisation's IT security system. However, cyber breaches are sometimes 'inside jobs' which happen when staff unintentionally distribute information.
While disgruntled staff could potentially release sensitive or commercially-in-confidence material, breaches are often inadvertent. For example, an employee's phone or laptop may be stolen or lost, compromising the company's ability to protect the personal information it holds.
As with any situation exposing an organisation to risk, the response from the business to a cyber breach still needs to be swift even if the cause of the breach is unintentional.
Aside from regulatory risk for businesses that experience a cyber breach, CFOs are warned such incidents could come with high financial costs.
According to IBM's latest Cost of Data Breach Study, the global average cost of a data breach is US$3.62 million.
Sean Duca is Vice President and Chief Security Officer - Asia Pacific, for IT security firm Palo Alto Networks. He says the scope, scale and wide-ranging repercussions of cyber-attacks – as well as the possibility that any employee within the business can make the system vulnerable – make internal cyber security a business risk that must be addressed by the CFO.
“Cyber-attacks frequently target poor processes and manipulate human tendencies. The number of connected devices is also estimated to grow to 50 billion by 2020, with these devices potentially acting as opportunities for cybercriminals to obtain unauthorised access to an organisation's network or an employee's personal information,” Duca warns.
This could form an important watching brief for CFOs given a successful attack could result in productivity and financial losses, and impact the business's reputation, share price and ability to attract customers.
Mitigating threats with protection
Cyber-attacks can be mitigated when organisations put themselves ahead of developing threats. This can shift the focus of regular employee training towards preventing breaches rather than reacting to them once they have occurred.
“This goes hand-in-hand with a good cyber hygiene policy that allows you to know what assets you have and where they are. Then it's important to build systems to regularly patch them or ensure that there is a way to mitigate a potential risk through protection mechanisms,” says Duca.
“This allows an organisation to distinguish the difference between a meaningful and less meaningful risk, so responses can be prioritised,” he adds.
Duca believes businesses should be encouraged to share threat information if they are subjected to cyber-attacks as this could potentially nullify the cyber-criminals' approach.
“This kind of herd immunity may make it increasingly difficult for cyber-criminals to successfully use the same attack multiple times,” says Duca.
Some organisations also intentionally avoid collecting more data than they require, and this may help to protect against internal breaches.
Others may choose to de-identify information so that they hold as little personal or sensitive data on file as possible. Consequently, even if the database is attacked, cyber-criminals cannot acquire valuable personal information such as names, addresses or credit card details.
“This reduces the organisation's risk of a serious personal data breach and also means it has to secure much less data,” he adds.
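The de-identification approach described above can be made concrete. The following is an added example written for this page, not code from the article or from Palo Alto Networks: it takes constructed customer records (not real people), keeps only the fields the business has declared it needs, replaces the customer identifier with a keyed HMAC-SHA256 pseudonym, generalises date of birth to a birth year and reduces the card number to its last four digits. The field names, the sample records and the choice of HMAC-SHA256 as the pseudonymisation technique are assumptions for illustration; the article does not specify a method.

```python
import hmac
import hashlib

# Constructed sample records standing in for a customer table (not real people).
SAMPLE_CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "address": "12 Sample St, Sydney NSW 2000", "dob": "1984-03-14",
     "card_number": "4111111111111111", "plan": "premium", "spend_aud": 1290.50},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.com",
     "address": "7 Test Rd, Melbourne VIC 3000", "dob": "1991-11-02",
     "card_number": "5555555555554444", "plan": "basic", "spend_aud": 210.00},
]

# Data minimisation: fields the business needs for reporting (assumed list).
# Anything not named here never reaches the de-identified store.
RETAINED_FIELDS = {"plan", "spend_aud"}

# Direct identifiers that must not appear in the output in the clear.
DIRECT_IDENTIFIERS = {"name", "email", "address", "card_number", "customer_id", "dob"}


def pseudonymise_id(customer_id: str, key: bytes) -> str:
    """Keyed hash: the same customer always maps to the same token, so analytics
    can still count distinct customers, but the token cannot be reversed or
    re-derived without the key, which is held outside the data store."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def generalise_dob(dob_iso: str) -> str:
    """Keep only the birth year: enough for age-band reporting, far less identifying."""
    return dob_iso[:4]


def card_last4(card_number: str) -> str:
    """Retain only the last four digits; the full PAN is not stored at all."""
    return card_number[-4:]


def de_identify(record: dict, key: bytes) -> dict:
    """Build the minimised, de-identified form of one customer record."""
    out = {
        "token": pseudonymise_id(record["customer_id"], key),
        "birth_year": generalise_dob(record["dob"]),
        "card_last4": card_last4(record["card_number"]),
    }
    for field in RETAINED_FIELDS:
        out[field] = record[field]
    # Defensive check: a later edit to RETAINED_FIELDS must not leak identifiers.
    leaked = DIRECT_IDENTIFIERS & set(out)
    if leaked:
        raise ValueError(f"direct identifiers present in output: {sorted(leaked)}")
    return out


def de_identify_all(records, key: bytes):
    """De-identify a whole batch; raises if any record would leak an identifier."""
    return [de_identify(r, key) for r in records]


def contains_raw_value(records, raw_value: str) -> bool:
    """True if a raw identifier (e.g. a full card number) survives anywhere in the output."""
    return any(raw_value in str(v) for r in records for v in r.values())


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-out-of-the-database"
    for row in de_identify_all(SAMPLE_CUSTOMERS, demo_key):
        print(row)
```

Two design points worth noting. First, a keyed pseudonym is reversible by whoever holds the key, so the key must live outside the database it protects; where re-identification must be impossible rather than merely controlled, drop the identifier instead of hashing it. Second, the allow-list of retained fields is the data-minimisation control: a breach of this store yields plan and spend figures, not names, addresses or card numbers.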
Developing a safe cyber culture
While it is important for organisations to develop and implement strong security policies designed to prevent exposure to cyber risks, it is also important to convey that message clearly to all staff.
Duca stresses that all employees must understand and subscribe to the company's cyber security approach and conduct safe cyber practices.
He suggests finance chiefs commit to a continuous and consistent program to educate all employees and stakeholders about the importance of cyber security and to implement and reinforce a prevention-focused mindset.
“CFOs must understand cyber risks, the impact they can have on the business, and how to mitigate them to implement a strong strategy. Successful prevention of cyber-attacks occurs when risk is recognised and managed,” Duca explains.
Some firms' cyber security policies outline disciplinary action for staff found to have breached internal policies and procedures.
“But more important than penalising staff for doing the wrong thing is educating them. Making sure staff know what the policies are, why they were developed, and how they protect the organisation is crucial in getting their buy-in and compliance,” says Duca.
“When staff understand security imperatives, they're more likely to comply with policies. Create a culture where staff know that if they accidentally do something wrong, they can come forward,” he adds.
However, Duca points out it is different when staff members deliberately and maliciously breach security protocols for their own financial gain or to sabotage the organisation. In that situation, it should be considered a serious offence and should be viewed on the same level as theft, corporate espionage, and gross misconduct.
Security needs to be built into everything the organisation does, from the ground up, says Duca.
“When that happens, finance chiefs will have more freedom to try innovative things and to further transform the organisation with emerging technologies. Managing business risk is fundamental to business success, and cyber security is a key part of that risk,” he says.
- Internal cyber breaches can result in damage to a business's reputation, share price and ability to attract customers.
- Protection starts with robust cyber security systems and procedures and ongoing staff education.
- Cyber security is an ongoing responsibility for CFOs as it impacts all aspects of the business.