A single cybersecurity breach can cost millions of dollars, so it’s critical that companies take a proactive approach and commit to shoring up their defences by making informed decisions and investments. An updated CGMA cybersecurity tool provides a place to start.
Ken Witt, CPA, CGMA, AICPA & CIMA’s associate director–Management Accounting Research and Development, joins the FM podcast to discuss the latest trends in cybersecurity and share details about what the soon-to-be-released tool offers organisations of all sizes.
What you’ll learn from this episode:
- How digitalisation sped up by the pandemic has accelerated cyber risk.
- The stunning price tag of a security breach and the areas that are most vulnerable to breaches.
- The unique challenges facing small entities, and a small step they can take to combat their concerns.
- Top “amplifiers” and “mitigators” that finance decision-makers should keep in mind.
- How the CGMA cybersecurity tool can help IT pros and non-IT stakeholders alike.
Play the episode below or read the edited transcript:
To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Transcript
Neil Amato: Welcome back to the FM podcast. This is your host, Neil Amato. Today’s topic is cybersecurity. It’s a topic that just really is not going away. Cybersecurity was a topic of discussion on this podcast back in 2015 with one of the first guests on the show, former secretary of the US Department of Homeland Security Tom Ridge. He was a guest when the show was called the CGMA Magazine podcast. Today, the topic is an updated CGMA cybersecurity tool, and to talk about that tool and its use for finance professionals is Ken Witt. Ken is a CPA in the US. He holds the CGMA designation, and he is AICPA & CIMA’s associate director for management accounting research and development. Ken, thanks for being on the podcast.
Ken Witt: You’re welcome, Neil, and thanks for having me. As you said, this is the third iteration of this CGMA cybersecurity tool, which is the risk response and remediation strategies. This is the 2023 version. We originally did this in 2017 on the heels of that Ridge recording, and he also presented at our CFO conference and then subsequent to that, we had a webcast series by a colleague of Ridge’s, Ken van Wyk, which is the basis for the original tool. We’ve updated it twice now. In 2021, we updated it and added some information about ransomware, since that was just exploding at the time, and we’ve also added some small business resources, and we’ve updated it again this year in 2023.
Amato: Thanks for a little bit of the background on the tool and some of the resources that we’ve had over the years related to cybersecurity. What would you say is the state of cybersecurity today, especially as it relates to finance professionals?
Witt: It’s one of those issues that, as you said, is just getting increasingly more important over time. Trying to stay one step ahead of the attackers is a continuing challenge. The World Economic Forum is one of the resources that we always monitor pretty closely. They do an annual report, and for their 2023 report, they’ve ranked cybersecurity as No. 8 out of the top ten risks, and they also cite some of the implications of that socially as being major problems. It is an increasing problem and one that has become an important strategy consideration for any CFO or controller.
Amato: This tool has a lot of data from research that’s been done. What are some of the highlights?
Witt: We based most of the updates on this stuff and the current trends on this IBM Security and Ponemon Institute Cost of a Data Breach Report, which they do on an annual basis. One of the things that we found this year is that we’re seeing the implications, sequelae maybe, of the digitalisation that’s going on, which is accelerated by the pandemic. We had a lot of people using new forecasting platforms, a lot of businesses converting to e-business, and we’ve also got an increasingly large number of workforces that are working remotely. Those are some of the complicating factors that are contributing to some of the highlights of this year’s report.
In terms of the data, what we’re finding in this year’s report is that the average cost of a data breach is $4.5 million. That’s up 2.3% from 2022, and up 15.3% from 2020. Twenty-four per cent of these breaches are ransomware, with an average cost of $5.13 million, which is up from the overall average cost of $4.45 million, and that excludes the ransom costs. That’s just the cost of the breach and all the associated costs of the breach. Eighty-two per cent of the breaches are in the cloud, which indicates that as companies are moving toward increasing digitalisation and cloud, they’re not secure around the cloud; their cloud applications are not keeping pace. Fifty-two per cent of them involve customer personally identifiable information, and another 40% include employee personal identification.
It’s just an increasing problem, and one of the things that we’re also seeing this year is that detection and escalation costs last year actually, for the first time, surpassed lost business cost as the top-ranking report. That reflects the increasing technology involved in keeping pace with the breaches.
Amato: You said the average cost of a breach, $4.5 million, up 15.3% from 2020. Those are big numbers. I know that report focuses on big companies, but it’s not to say that the smaller businesses — they’re still susceptible to these things, but for this audience, the smaller business CFO or controller, what can they get from this tool?
Witt: Actually, that’s one of the things that we found, and as I mentioned, in the 2021 update that’s one of the things that we added to the report. Because the consequences for small businesses are possibly even greater than the consequences for a larger business that can maybe absorb the cost of a breach, but not necessarily so for a small business.
We added a specific section on trends and challenges in 2021, and even with some of the information that was updated, one of the things that we’re still finding is that the problem with small businesses is they don’t have the expertise to address these challenges. Companies really need to be on top of this. Depending on their business, they need to contract for or outsource this service and make sure that they’ve got something on board. It’s simple: 42% of the small business breaches involve passwords. Two-factor [authentication] and some of the simple things that major businesses put in place are just second nature these days. Small businesses really need to get on top of this.
The other thing we added to the report in 2021 was an appendix, which summarises the Global Center for Internet Security Framework, which is a very comprehensive framework, but it breaks down the controls by size of business. So that’s in the appendix, and it just really lists all of the controls that you need to consider if you’re a small business. That’s one of the value adds for a small business practitioner.
Amato: You mentioned earlier that detection and escalation costs had, I guess for the first time, surpassed the lost business cost. What can you tell me more about some of the factors involved in that change?
Witt: That’s one of the breakdowns that this IBM and Ponemon report gets into: they summarise the components of the costs, and the way they break it down, the share at the top of the costs was detection and escalation, which has to do with the internal processes involved in identifying breaches and monitoring them and managing them. Second place in last year’s ranking was lost business costs, which used to be the top-ranked cost for several years, and then you’ve also got post-breach response and notification costs [following] that. That’s how the Ponemon report breaks things down.
We also have a dynamics table that we’ve included in this year’s report that comes right out of the IBM and Ponemon report. It really gives a comprehensive analysis of what they call the amplifiers and mitigators. The top three amplifiers of cost this year are security system complexity, which contributes to an increasing number of breaches and the difficulty in anticipating and identifying them; security skills shortage, there is just a widespread need for more security skills in all the organisations, not just small businesses; and also noncompliance with regulations is an amplifier of the costs.
The mitigators: adopting what’s called a DevSecOps approach, which has to do with software development processes. They used to be done on a more sequential basis. The way they’re doing things now, they need to have this security layer in there for the software development process. Employee training is another big mitigator, and incident response training and testing. These are protocols around breach identification and containment, and that goes into this. The more significant technology is driving the cost of detection and escalation. Those are sort of the basic cost drivers and amplifiers and mitigators from this year’s report.
Amato: I think that’s a good rundown. We will include a link to the tool, to the report when it is live, in the show notes for this episode. Ken, anything else you’d like to add to sum up what else is in the report that people should know?
Witt: Sure. Basically it’s got two sections to it. It’s got the core content, which provides an IT person a glossary of terms and concepts and explains things and helps inform the risk strategy for a business. It gives the non-IT person, the CFO, the controller, an idea of what they need to be aware of in order to participate in their cybersecurity strategy. It’s prevention, detection, response. What are the cybersecurity objectives and controls and some of the application guidance of implementing some of this stuff. We also have a handful of appendices. Cybersecurity insurance is a big one.
I mentioned this Center for Internet Security Controls report when I was talking about small businesses. We also have a summary of the AICPA’s cybersecurity risk management framework, which has information about what management can put into their description of their cybersecurity program if they need to have assurance on their cybersecurity program. It’s a comprehensive checklist for that, and we also added a ransomware guide in 2021, which gives a summary of the steps you need to take in the event of a ransom attack on your organisation.
Amato: Ken, thank you for this. Anything to add in closing?
Witt: Sure. Neil, I think the one thing that I would like to add is that I indicated we’ve got the ransomware guide as one of the appendices to the report. That gives a breakdown of this [US Cybersecurity and Infrastructure Security Agency] guide that gives the steps to take in the event of a cybersecurity ransomware attack. As I mentioned before, 24% of the breaches involve ransomware. That’s a pretty significant number and it’s a likely candidate, and one of the things that IT experts and cybersecurity experts recommend is to not pay the ransom. Just follow the steps in the guide to sort of tie off the parts of your system that are impacted and minimise the damage as best you can.
Amato: I think that’s a great way to close. Ken Witt, thank you very much.
Witt: You’re welcome, Neil.