Cybersecurity and Cyber Risk Management: Are You Ready for an Attack?

Posted: Mar 26  |  By: Janet Berry-Johnson

Is your company prepared for a cyber-attack?

Large or small, the reality is that most organizations will face a cyber-attack at some point. The FBI reports that more than 4,000 ransomware attacks have occurred daily since 2016 – a 300% increase over the number of attacks seen daily in 2015. Gartner reports that there is a “rising awareness among CEOs and boards of directors about the business impact of cybersecurity incidents.”

There are predictions that worldwide spending on information security products and services is set to grow to $170.4 billion this year. But too often, executive leaders only take action after they’ve been compromised. This reactive approach to cyber threats can damage a company’s reputation and bottom line. With so much at stake, cyber risk management is no longer just a technical or operational issue to be handled by the IT department. Cybersecurity threats need to be addressed from a strategic and economic perspective by the entire company. Leaders in the financial functions of a business are the most logical ones to lead this effort.

Take an active role

CFOs should collaborate with CIOs, CMOs and other information security leaders to gain an understanding of the company’s risk and the financial costs associated with it. A 2017 study from Centrify and Ponemon Institute found that 39% of IT practitioners and 36% of CMOs don’t believe their senior management understands the impact a security breach could have on the company’s reputation. Financial leaders need to become active members of the security team. They can’t reduce the threat of a cyber-attack while remaining passive observers.

Invest in cybersecurity and training

While security spending has increased in recent years, many organizations are not investing enough, or are not investing in the right technologies. According to Gartner, organizations spend an average of 5.6% of their overall IT budgets on security and risk management. That’s actually in line with Gartner’s recommendation that organizations spend 4-7% of their IT budgets on security. However, that level of investment is not enough if the organization is investing in the wrong technologies. For that reason, it’s important not to make IT investments blindly.

Keep up with “best practices for IT operations and security that reduce the overall complexity of the IT infrastructure and work toward reducing the number of security vulnerabilities.” Furthermore, companies need to address the human aspect of cybersecurity. People are often the largest security vulnerability in any organization. But too often, organizations treat security training for employees as a one-time event. Instead, organizations need to consistently update employees on the latest security vulnerabilities, and then train them on how to recognize and avoid them.

Hold finance accountable

Ponemon Institute’s 2017 Cost of Data Breach Study found that the average total cost of a data breach is $3.62 million, including loss of customers, hiring forensic experts, outsourcing hotline support, providing free credit report monitoring subscriptions and discounts for future services, and performing in-house investigations and communication.

Given the stakes, leadership in the financial function of an organization should ultimately be accountable for cyber risk. However, the CFO cannot do it alone. Every C-Suite leader in the organization has a clear and vested interest in cyber risk management. Cyber threats aren’t going anywhere. Financial leaders cannot have a complete picture of the risk without an understanding of their organization’s security. Financial leaders need to work closely with security professionals and lead cybersecurity investments to protect the company’s most vital asset – its reputation.