Cybercrime is on the rise.
Globally, the cost of cybercrime to organisations is expected to double to $6tn by 2021 from $3tn in 2015, according to a forecast by research firm Cybersecurity Ventures.
The risks are not just financial. Data losses have hit the reputations of even the largest businesses, such as Sony Pictures, which was hit by a high-profile and embarrassing cyberattack in 2015. In the worst cases, the risks are existential. One in five corporate victims of ransomware go out of business as a result, according to a study by US software firm Malwarebytes.
Regulators are becoming tougher too. The looming EU General Data Protection Regulation, which will come into force in 2018, is just one example of increasingly onerous compliance measures facing organisations and how they manage data.
The operational damage caused by interrupted business can also be severe, with the average cost of a data centre outage now standing at around $750,000, says the Ponemon Institute, a US-based security research group.
An effective approach to the cloud can make a business more secure against attack. The best providers should also help their customers be more resilient in the face of attacks, offering greater intelligence and faster responses. The right cloud partner can also take on the risk of downtime disruption and help ensure compliance.
Risk and the CFO
Given the multifaceted nature of data risk, senior ownership of it inside the business is more important than ever. CFOs are well placed to oversee how a company builds effective precautions.
Managing security at an enterprise-wide level can help tighten security and is something CFOs can help with, given their high-level grasp of other areas of risk.
Another reason for handing data risk management to the CFO is that a significant part of any organisation’s data defences comes down to good governance and staff awareness rather than to technological fixes.
Cyber security also needs to be embedded in the organisational culture, says Ken Allan, a partner at PA Consulting Group’s Digital Transformation Team.
“In an organisation of 100,000 people, if you have not trained anyone in the basics of IT security then you have 100,000 weak points,” he says. “Regardless of the organisation everyone should be trained to identify threats such as malware and phishing emails.”
Risk resides wherever data travels and with whomever you do business. The data security threat posed by operating across borders, and especially in the case of M&A, only strengthens the case for the CFO to be the senior custodian of cyber security.
When acquiring a business, the risks are two-fold: first, data espionage and second, the risk that the acquired organisation may put the entire business at risk owing to lax data security or historic breaches that have not yet come to light.
Minimising risk in the cloud
Auditing and testing a prospective cloud service provider is. A service provider must prove its processes are as robust as, or more robust than, a business’s on-premises solution.
It is also necessary to identify potential risks, including any possible problems with where the data will reside, and to understand what effect this will have on compliance with various national and regional data protection rules.
Prospective partners will also need to answer some key questions. Could they continue to serve an organisation in the event of and following a disaster? How quickly can they recover lost data? What would the cost of data outages be to an organisation? Will businesses have the right to audit or assess their provider in future? What level of liability has the provider assumed in these respects in service level agreements?
Businesses should check their prospective providers’ disaster scenario processes and establish what technologies they will be using. It is also a good idea to establish from the start the sensitivity level of different kinds of information held on the cloud, who can gain access to them and how. Establish also whether especially sensitive information should be stored in the cloud or not and, if so, understand the relative merits of private versus public clouds.
In the evolving cybercrime war, familiarity with the latest security tools can offer enhanced protection against attack. Prevention strategies can include use of cyber security analytics tools, which can help an organisation prepare against future attacks and identify any weaknesses in their defences.
Even the most rigorous prevention strategies may not be enough to prevent entirely any loss or theft of information, however, so establishing a response plan in the event of a data breach is also important, says Mr Allan.
“The outlines of a response and readiness plan include defining the chain of command; who should be involved in decision making and when; having a communications plan in place to media, your own employees, customers and regulators; and very clear protocols around decision making. This is a plan for crisis management and it requires short, sharp, precise execution.”
While it is important to take such sensible measures against the threat of data breaches, it is also important not to let this slow down the process of adopting the cloud, says Stuart Orr, a technology partner at EY, the professional services firm.
“I think it is sensible to proceed cautiously at first provided there is a fairly rapid plan behind it to exploit the benefits after you’ve proven it is working.
“Economics are forcing most companies to rethink how they work and there is a risk you will be disaggregated by a rival with lower costs or a completely different offering from yours. What companies cannot afford to do is delay.”