I have written before about the possibilities the digital age opens up for accounting and finance professionals. However, the flip side is the new risk that technology exposes organisations to, including the danger of cybersecurity breaches. Unfortunately, dealing with these threats has become one of the costs of doing business in the digital economy.
That cost can be frighteningly large. Attacks that result in the loss of personal data can result in expensive litigation and a huge amount of reputational damage for the targeted organisation. IBM estimated in 2023 that, globally, the average total cost of a data breach was $4.45 million. A recent cyberattack on an outsourcing company in the UK will cost an estimated £15 million–£20 million to clean up.
Make no mistake, this threat is real, and it is happening all the time. A 2022 survey by Palo Alto Networks of 1,300 C-suite leaders from around the globe found that 96% had experienced at least one cybersecurity breach or incident in the prior year. Of those surveyed, 33% said they experienced an operational disruption as a result of a breach.
The presence of organised criminal groups and state-backed actors means that cyberthreats are becoming more sophisticated. To mitigate against this increased risk, more time and resources will inevitably have to be deployed. Palo Alto found that none of the C-suite leaders it surveyed thought their cybersecurity budget would decrease in the following year, while 68% of them were anticipating an increase of up to 10%.
There is a temptation to see cybersecurity as an issue for an organisation’s IT department to deal with, but that would be deeply misguided. The risks associated with cybersecurity from a business interruption perspective have escalated the level of concern of governing boards, their audit and risk committees, and investors, as well as customers and suppliers in the enterprise value chain.
This level of stakeholder concern means we as finance professionals need to familiarise ourselves with the potential threats our organisations face and the possible mitigations we need to put in place. This must be a core part of our ERM strategy.
To help guide you in this task, the research team at AICPA & CIMA produced the CGMA Cybersecurity Tool: Risk, Response, and Remediation Strategies. It provides guidance for minimising the financial, brand, and reputational impact of cybersecurity attacks, and covers topics that include:
- Building cyber-resilience by developing solutions and promoting effective practices across digital ecosystems.
- Developing the capacity to respond quickly and effectively to cyberattacks and minimising the costs involved by containing breaches that do occur.
- Determining the necessary steps to take in the event of a ransomware attack. These steps range from isolating impacted systems to containment, eradication, and post-incident response activities.
Now is a good time to make use of our resource to make sure you are not caught off-guard by a cyberattack. In the digital age you cannot afford to be unprepared.
Andrew Harding, FCMA, CGMA, is chief executive–Management Accounting at AICPA & CIMA, together as the Association of International Certified Professional Accountants.