BDO's top ten things CFOs should do immediately about cyber security
02 October 2018
Throughout 2018 BDO has held discussions with CFOs from hundreds of global industries, including financial services, healthcare, government contracting, automotive, manufacturing, private equity, and law firms. In these conversations, it became apparent that CFOs are frustrated by a ‘knowing’ versus ‘doing’ gap. This is understandable, since most C-Suite members and Board Directors never receive appropriate cyber security education and training.
CFOs need not become Certified Information Systems Security Professionals. Rather, CFOs should increase their knowledge of core cyber security concepts and leverage their own leadership skills to conceptualise and manage risk in strategic terms, and to decide how best to invest their time and resources to improve cyber defence.
To address this Know/Do gap, BDO provides a list of 10 effective, proactive actions any CFO can undertake immediately to enhance his or her company’s cyber defence.
Top ten things CFOs should do immediately about cyber security:
- Determine what are the organisation’s most valuable information/digital assets: Cyber-attacks and security breaches will continue to occur and will negatively impact the business. Today, the average cost of the impact of a cyber breach within the EU is €3.4 million according to IBM Security and Ponemon Institute.
- Determine how much cyber liability insurance coverage is necessary to financially protect the company’s assets.
- Determine what their organisation’s risk of a cyber breach is: According to the survey, 50% of all data breaches were caused by malicious or criminal attacks, some of which originate from one of the organisation’s current employees, contractors, or third-party suppliers.
- Determine whether the organisation has created an insider-threat program to mitigate the risk of a cyber breach from within the organisation.
- Recognise that achieving information security compliance with one or more government or industry standards for information security (e.g. ISO 27001, NIST 800-171, HIPAA, NYDFS, AICPA SOC) is good, but not sufficient to ensure real cyber security. What actions should the organisation take to ensure real cyber security?
- Conduct an independent email and network threat assessment. If one was recently conducted, then what were the results?
- Obtain an independent assessment of the adequacy of the organisation’s cyber liability insurance coverage. Cyber liability insurance premiums are increasing significantly in cost and often do not cover all of the damages caused by a cyber breach.
- See that Monitoring, Detection, and Response (MDR) is combined with Managed Security Services (MSS) to achieve real information security and data resilience. Determine whether the internal resources exist to perform MDR work or whether it needs to be outsourced. If so, then how much will it cost?
- Determine if the organisation has comprehensive incident response (IR), disaster recovery (DR) and business continuity plans (BCP).
- Undertake scenario thinking and ask: If we are attacked by ransomware, would we pay the ransom? If so, then how much should be budgeted? Will it be covered by cyber liability insurance coverage?
Organisations may not realise how valuable a cyber security strategy is until a vulnerability is exploited. BDO wants to make sure your organisation never faces that situation.
BDO professionals are available to provide guidance and specialised resources surrounding any cyber security issue. To contact BDO's Global Cyber Security Team, visit www.cybersecurity.bdo.global