Andrew Beckett, managing director at risk management company Kroll, explains how CFOs can learn what risks to accept and what costs to bear.
For the past decade, market analysts have been telling industry that cybercrime is now more lucrative than the illegal drugs trade. Estimates of the annual cost to the global economy vary significantly – currently anywhere between $1.5tn and $6tn – but no-one expects the figure will fall any time soon.
What businesses need to understand is that the real treasure no longer lies in a bank vault but on servers, in data centres, and on our laptops and phones.
“Data is the new gold,” says Andrew Beckett, managing director and EMEA cyber risk practice leader at Kroll. “Cybercrime is continuously growing as a threat to businesses and individuals. Almost anything can be monetised by a criminal. For example, email addresses that are sold for pennies by the million generate targeted attacks and can put intellectual property or bank account details at risk. That all adds up to a big cost to the economy.”
That heavy cost is paid by large enterprises, small businesses, individuals, insurance companies, banks – any person or organisation that is successfully targeted by any one of a host of threats, be it a phishing email, ransomware, data theft or anything else.
For businesses, the initial financial cost of a successful cyberattack is only a fraction of the real price of a failure to manage cyber risk. The real damage often comes in the form of lost trust. When customers no longer trust an organisation to protect their data they will, at the very least, reconsider their relationship with that business. The damage to an organisation’s reputation may be hard to quantify but it will always be expensive.
“The war on drugs was very high profile,” says Beckett, “but cybercrime has gone under the radar. During the Covid-19 pandemic, we have seen the frequency of some types of cyberattack increase. Compromising business emails were, for a long time, the most popular kind of attack but, during Covid, they have been overtaken by ransomware attacks.
“The payment of a ransom might be covered by insurance, but the decision to pay is never easy, and is frequently considered a last-case scenario,” he adds. “But some countries are introducing new laws under which you might be prosecuted for paying a sanctioned organisation or individual. So, a company may end up being fined for paying a ransom.”
A risk like any other
Managing cost and risk are firmly within the remit of the CFO, but the intricacies of IT systems are not. The temptation to see cybersecurity as a technology issue could, therefore, deter a CFO from fully grasping the potential risks. That would be a huge mistake.
Think of the risks that Beckett describes. A compromised business email could, for instance, allow a criminal to monitor the CFO’s behaviour and observe how financial transactions are performed. When a transaction is about to be completed, the criminal could insert an email into the chain asking for the payment to be sent to a different account – a classic redirection scam – which might not be questioned until the payment is gone.
“A ransomware attack is a quick way to get money,” he explains. “It installs malware and demands payment in order to unlock access to your data. There are many types of attacks and they are changing all the time. The CFO does not need to know about every threat, but they do need to understand that cyber is a risk, how to measure it and what controls to put in place.
“In that way, it is the same as any other risk CFOs need to address,” he adds. “They need to acknowledge it, mitigate it with the right controls or transfer it using, for example, cyber insurance. Someone needs to be in charge of cyber risk and have the resources to achieve an acceptable risk limit.”
As a leading global provider of risk solutions, Kroll helps its clients with risk management decisions about people, assets, operations and security through a range of investigations, cybersecurity advice, due diligence and compliance, physical and operational security, and data and information management services.
Its experience in cybersecurity, whether advising on long-term strategy or co-ordinating the response to a data breach, gives Beckett and his team an in-depth understanding of what board members, including the CFO, need to know.
“In many ways, it is the same as financial risk, but some boards think that cyber risk is too big to understand,” he remarks. “At Kroll, we break it down into chunks and put it in language that the board can understand. That way, we give them back control and provide them with a path to risk mitigation or risk transfer.”
Strike a balance
The means of attack used by criminals are often familiar, but their approach to exploiting potential weaknesses to maximise their effectiveness is always changing. Counteracting cyber threats is like trying to hit a moving target. Cybercrime is such a potentially lucrative business that the promise of great rewards foster innovation, and criminals are always trying to stay one step ahead of the controls put in place to protect high-value data assets.
Because there are so many potential pathways of attack, so many doors into an enterprise system and so much data that could potentially prove valuable in the wrong hands, leaving cybersecurity exclusively in the hands of the CIO or the data protection officer is not the right approach
“Cyber risk is not a technology risk, it is a people risk,” says Beckett. “Technology is used to exploit weaknesses, but the risk is not from the technology itself, it is from people failing to follow the right processes. They might lose their phone, leave their laptop on the train, open a phishing email or take sensitive data home where it is no longer protected.
“Properly trained staff are the biggest and most valuable asset in fighting cyber risk,” he continues. “Yes, you need the firewall, but technology is only one part of the solution. You need the focus to be on governance, relationships with technology vendors and law enforcement, policies and processes, and specialist training of staff.”
Training is part of Kroll’s service offering, so the company understands the role that CFOs play in preparing an organisation and its staff to prevent attacks and quickly respond to breaches in the network. Effective preventative measures and appropriate responses to successful attacks will reduce costs for CFOs and minimise reputational damage.
Eliminating cyber risk completely, however, is not an option. “CFOs must understand that they will have to accept some level of cyber risk,” Beckett notes. “It is too expensive to eliminate it entirely, which is true of any other type of risk. It is about risk management, not risk elimination.
“They have to ask themselves what they can control and what level of risk they can accept,” he continues. “We help CFOs to find the right balance between cost and risk by helping them understand the risk and develop the right controls. It starts with knowing what you are protecting.”
Every year the vast majority of businesses suffer some kind of data loss. The important factor, however, is understanding whether that loss poses a serious risk to the organisation. In the era of big data, when companies are trawling through oceans of information to find valuable insight that will boost profit margins or improve customer experience, it should be possible to identify within those data pools the most valuable items and, taking the next step, to protect them with more security controls.
“You have to ensure you have the right controls for the value of the data,” stresses Beckett. “If you are carrying years of R&D around on a laptop then you need a high degree of encryption.
“We help organisations to understand their data map and to protect their most vulnerable digital assets,” he adds. “CFOs are involved in the setting of these controls. They are involved in building the roadmap to appropriate risk management, setting the level of risk the business is comfortable with and setting a budget to put the controls in place.”
Cybersecurity may sound like a technology issue but, if it is inadequate, it can incur huge costs for a business. Where costs are involved, so is the CFO.