We are entering a world where things are changing very quickly. In the past, investing in security against cyberattacks sat fairly low on the chief financial officer's (CFO) priority list. But with online crime becoming ever more sophisticated, cybersecurity should be treated as an integral part of the financial risk to the business.
During a panel discussion at the CFO conference held in Cape Town recently, a number of role players discussed cybersecurity and the CFO.
“If you talk of risks, the position of CFO itself is a risk, and there is an expectation that he or she must be prepared for all financial threats to the company. When cybersecurity is breached, it causes damage to the company – not only financially, but also reputationally,” said Dr Conchita Manabat, president of the Development Centre for Finance in the Philippines.
What should be spent on cybersecurity?
Spending money on securing a business’s digital space is still very much a grey area because so many companies still don’t see cyberattacks as a real risk. “There has to be buy-in to get people to understand the risk and protect the business. Executives need to realise that cybersecurity requires specialist skills that are always evolving. It’s hard to put a number to it, especially in financial services, where there is a lot of sharing of information,” said Linda de Beer, chairman of the IT committee at Sasfin.
According to Kris Budnik, director at PwC Africa, companies really need to understand which threats they are vulnerable to, and these can be very specific. For example, with something like ransomware: should the company pay the extortion money, or rather spend it rebuilding the IT framework? “CFOs should ask how they are spending on cyber risk. Is it on detection or prevention?”
“The cloud is a fantastic place to store data, but it can be both an opportunity and a threat. It’s better for security because the cloud provider is dependent on that security for its livelihood. The risk is if you choose badly, so reviewing the product is more critical than ever before, and you should reserve the right to test the controls.”
Over the last decade, businesses have spent quite a bit of time elevating the position of the CIO, but cyber risk now extends far beyond IT alone. The fundamental concern is no longer the CIO’s alone; it extends to the CFO, who must be involved in the strategy.
It seems that the human element is the most vulnerable chink in any company’s cyber armour. “Phishing, for example, is attacking the human. Cyber attackers are starting to target non-IT folk – that’s why they are successful. Therefore there must be more integration across all departments to reduce cyber threats,” said Nathan Desfontaines, cyber security manager at KPMG (South Africa).
What is a good cyber incident response plan?
“Generally these are non-existent; very few companies have them. Also, even the best strategy can never cover every possibility. It’s best to have a playbook which responds to various themes of attacks (ransomware, phishing, etc.), and these should be tested across the organisation. Businesses should also consider insurance against cyber risks, which is becoming more popular,” he said.