No business wants to become the next data breach poster child. And companies are right to be concerned: in 2018, data breaches cost American businesses an average of $7.91 million, significantly more than in any other country.
By comparison, Canadian organizations suffered the next-worst effects, with an average price tag of $4.74 million.
It’s nearly impossible for businesses to keep up with emerging threats. Malware such as the massive WannaCry attack of 2017 is infecting systems and disrupting operations at major companies worldwide at an alarming rate. Ransomware strains like the infamous SamSam have extracted more than $30 million from organizations across a wide range of industries, crippling the city of Atlanta for days and costing taxpayers $17 million in recovery.
Phishing attacks deliver malware into company networks when unsuspecting employees open a malicious attachment or follow a link in an email, or trick them into revealing credentials, sensitive data or company secrets. Companies are even becoming targets of nation-state espionage, which accounted for 23 percent of data breaches so far in 2019.
And those losses are likely to increase as new regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act make protecting customers’ personal information a legal obligation. Businesses found in violation of the GDPR can be fined up to the greater of €20 million or 4 percent of global annual turnover for the preceding financial year.
In September 2018, Uber agreed to pay $148 million to settle claims brought by U.S. state attorneys general over its attempt to cover up a 2016 data breach that exposed data on roughly 600,000 drivers and 57 million user accounts. The Securities and Exchange Commission and Federal Communications Commission have also hinted that tougher U.S. regulations are coming.
Reputational damage may be an even greater concern than the direct financial hit. Breaches lead to average stock price drops of 5 percent and revenue declines of $3.4 million, and 70 percent of consumers say they would stop doing business with an organization after a data breach.
With new and increasingly sophisticated threats emerging nearly every day, it’s no longer a matter of whether a business will suffer an attack, but when. In the first half of 2018 alone there were nearly 950 data breaches, with 4.5 billion records compromised.
Let’s face it: finance organizations are traditionally associated with numbers and spreadsheets rather than cybersecurity strategy. But the issue is particularly relevant to CFOs; after all, managing financial risk and sustaining shareholder value rank among their core responsibilities.
CFOs are tasked with providing leadership and oversight, but they also create focus and define priorities. Not only can they keep cybersecurity a top concern in the C-suite, but their interaction with every department within an organization puts them in a unique position to help ensure compliance with cybersecurity efforts and to deploy the necessary controls to defend the business against attacks.
Unfortunately, 40 percent of IT professionals believe that the C-suite doesn’t grasp the full risks of cybercrime. Tech leaders estimate average total data breach costs around $27 million, including lost business and reputational harm. Executives project the damage around $6 million.
Underestimating risk so greatly can have serious consequences. The rise of the Internet of Things (IoT), for example, and the rapid automation of business processes through digital transformation are expanding the attack surface of companies that, until recently, were relatively well protected behind a hardened network perimeter. In today’s digitally connected world, cyber risks are increasingly numerous and diverse, extending to consumer products connected to company networks, manufacturing production lines, and mobile devices.
In this new era, CFOs must realize that managing financial risk means understanding the magnitude of the cyber-exposure gap: the vulnerable space between the threats that are addressed and those that aren’t, whether because security tools won’t stop them, because attack methods have evolved past existing defenses, or because the organization has not taken the threats seriously enough.
The bigger the gap, the greater the risk of incidents that lead to millions of dollars lost to cleanup costs, angry customers, fleeing investors, declining stock value, and reputational harm.
The clock is ticking, and new approaches are needed to deal with the realities of a digital business landscape that is regularly exposed to highly motivated attackers and increasingly sophisticated threats.
Let’s take a look at five ways CFOs can mitigate risk and protect the business’ bottom line by taking a proactive role in managing cybersecurity challenges.
- Team with the CISO and CIO. In many organizations, there’s a disconnect between the CFO and IT professionals when it comes to cybersecurity. CFOs need to partner with IT leaders to understand their company’s greatest security risks and the financial costs that accompany them. By becoming an active member of the security team, CFOs can evaluate the true cost of cybersecurity and ensure that security budgets are allocated so they have the greatest impact on data protection and business priorities.
- Make informed investments in cybersecurity. Companies’ security spend has increased in recent years, but there’s still a major under-investment given the exploding levels of cybercrime. IT budgets are typically between 3 and 7% of a company’s revenue, and security budgets are about 5% of IT spend. But how do you know the right amount to earmark?
CFOs don't need to understand the technology or how it works, but in order to invest in a cybersecurity portfolio that’s built to last, they need to understand what matters. In a nutshell, companies should identify their biggest risks and spend enough to protect against them – the same process they would use in any risk-management evaluation. At the end of the day, security strategies should not only align with immediate security issues, but also with the long-term digital transformation goals of the business.
- Understand critical protections. It’s impossible to invest in every cybersecurity measure against every possible risk. Savvy CFOs prioritize investments that integrate with each other and offer broad protection. Some important guidelines:
  - Create a culture of security within your organization. Nearly half of data breaches begin with employee negligence, whether clicking a link or attachment in a malicious email, logging into the company network over unsecured Wi-Fi, or losing a connected device. The best cybersecurity practices are only achieved by creating a company mindset that’s committed to cyber protection.
  - Invest in employee training and education. While employees play a role in most cyber-attacks, they can also be one of the strongest weapons in an organization’s cybersecurity arsenal. Extensive training leaves a business better positioned to recognize risks and take threats seriously at every level of the organization.
  - Consider the customer’s point of view. Sensitive data naturally matters more to the people it describes than to the companies that hold it. Assessing risk from the customers’ perspective can help organizations prioritize and determine the right level of protection.
  - Stay abreast of changing regulations. A wave of regulations focused on protecting consumer information is emerging around the globe. Steep penalties await businesses that don’t take adequate measures to follow these rapidly changing laws. Companies that don’t stay on top of the legislative pipeline won’t fully understand their risk.
  - Regularly re-evaluate risk. Cyber threats evolve rapidly. Continuously reassessing risk is the only way to understand newly emerging vulnerabilities and the potential cost of cyber-attacks.
- Build trust with customers and investors. While massive data breaches continue to grab headlines, customers are more aware than ever that companies need to step up their efforts to protect their data. Putting the right security policies and solutions in place is an investment in customer retention and value.
CFOs should also learn from the mistakes of organizations whose brands suffered because they failed to report breaches to stakeholders or shared only generic information. Keeping investors informed of breaches and potential security risks, and explaining the measures being taken to protect the company, builds trust, an invaluable commodity for any organization.
- Get the rest of the C-suite invested. CIOs and CISOs are easy allies, but cybersecurity and risk management must become priorities for the entire C-suite to be fully effective. It’s not always easy, however, to convince an executive team stretched by other obligations to become more than passive observers of security planning. Showing the potential impact of cyber risk on the business’ financial future can help get the rest of the executive team on board.
In closing, the impact of massive data breaches can be felt by organizations for years – and 60 percent of smaller businesses never recover. As the world becomes increasingly connected, forward-looking CFOs are taking a proactive approach to risk management and becoming champions of cybersecurity within their organizations.
An effective security strategy is no longer a “nice to have,” but a key requirement for every organization. With over 20 years of IT consulting and operations experience, Auxis brings practical and proven security solutions to companies of all sizes through best-in-class products, governance, and services. Our IT security experts not only serve as consultants, but as day-to-day operators with real hands-on experience.