There is no point in sugar-coating it – cyber attacks are a fact of life for organizations in all industries. It doesn't matter if you are an SME or a large enterprise, you can still get hit. Therefore, cybersecurity should be high on the agenda of all senior-level executives.
It might be a headache, like tax filings, complex HR situations, bureaucratic red tape, and litigation, but it's something that needs to become a top priority.
The reality is that cybercriminals will target any organization, they are extremely well-financed, and they are patient. However, the biggest pain in the you-know-what is the fact that cybercriminals only have to be right once. Your organization, on the other hand, has to be on its game play after play after play.
The football analogy is a good one, actually. In football, it's impossible to be successful if you only invest in highlight-reel offensive players. In business, the equivalent would be strategies that improve profitability and productivity, and initiatives that deliver tangible returns on investment. You need these things, of course, but failure can still happen even when you have them.
In other words, you can still lose the company money.
This brings us back to the football analogy. In a football team, you also need those big brutes that are in the trenches toughing it out against the opposition. Most of the work they do is unseen and unrecognized, and it's often about stopping something from happening rather than making things happen. This makes it hard to calculate a return, but they are still essential components of successful football teams.
Cybersecurity is the business world's defensive line.
Isn't cybersecurity largely an IT problem, though? The short answer is no, because the risks are too big. Of course, the risks range in severity. While the starting point is small, the scale ticks right on past mission-critical to top out at existential threat. That puts cybersecurity firmly at the door of the C-Suite.
Let's look at some of the main reasons why cybersecurity should be such a high priority for senior executives.
Avoid Disruption in Business Operations
Cybersecurity breaches come in a range of forms, but one of the most common is where normal business operations are halted. Ransomware attacks fall under this category. Attacks like these can last days, weeks, and even longer. In fact, it can take months in some cases for systems and data to be fully cleaned and restored.
There is a direct cost that applies in these situations, but the company will also suffer lost revenue while it isn't able to operate.
Other negative impacts can result, too, including a loss of morale among staff, customers trying out the competition and never coming back, and stakeholders generally losing confidence. Employees might even leave as a result of the attack, prolonging the pain and increasing the recovery time.
Decisions to improve protection can also be made in the immediate panic following a cyberattack, with companies giving the green light, often prematurely, to projects or initiatives that are still in the planning stage. This can lead to challenges with delivery, missed opportunities, and solutions that are not fit for purpose.
Ensure Financial Stability and Business Continuity
What would you do if you had a strategy that would see your business grow by a further 15 percent per year for the next five years – at least? You would do everything you could to ensure the strategy was successful. That figure of 15 percent is the estimate of how much cybercrime costs will grow each year over the next five years.
That makes cybercrime lucrative for criminals and a massive financial risk for organizations.
In fact, the financial risks are open-ended. It is not hard to imagine a hacking scenario affecting an airline, for example, or a pharmaceutical company, that leads to loss of life on a significant scale. The reputational and financial impact of an event like this would be catastrophic.
Putting real numbers on the level of risk, the average cost of a data breach is currently $4.24 million.
That said, the actual financial and business continuity impact varies from company to company. Some of the factors that influence the real costs include:
- The type and volume of data that your company holds. The more data you hold and the more sensitive it is, the higher the cost of any breach.
- Compromised intellectual property and the challenges it can bring, including lost revenue, product disputes, legal expenses, and more.
- Regulatory fines that you might be liable for as a result of a cyberattack. It is also important to remember that regulations in this area are developing as lawmakers reshape the rules to deal with evolving threats and a new type of criminality. Inevitably, these developments will increase the financial burden on businesses.
- Long-term budgeting challenges brought about by decisions taken in the middle of a cybersecurity crisis. It is common for firms to quickly re-evaluate their cybersecurity spend immediately following an attack. This can lead to poor decisions and solutions that don't deliver value.
Protect the Most Valuable Asset in Your Company: Data
Companies in all sectors are developing and implementing strategies to become data-driven organizations, where all decisions are based on facts and insights. With this increased use of and reliance on data, its value to your company will increase.
Data is also one of the things at greatest risk from cyberattack.
You must also consider the type of data that you are collecting and processing. For example, there is an increasing trend in business to monitor how employees use data. This adds a new dimension to the cybersecurity risk. When organizations monitor employee data, they also have a responsibility to protect that data and the privacy of their employees.
Protect Your Company Against Reputational Damage
TalkTalk is a small mobile network operator in the UK. In 2015, it suffered a cyberattack, compromising the personal information of 150,000 customers. It incurred costs to deal with the attack, but the long-term impact was much more damaging. It lost 100,000 customers and its value shrank by a third.
Capital One is another example. In 2019, it revealed a data breach that compromised the personal details of 140,000 credit card customers. By the end of the following day, its share price was down 6%.
These examples show the reputational risk of a cyberattack, i.e., there are immediate and long-term impacts that can severely damage a business.
Key Recommendations to Minimize Cybersecurity Risks
- Take a proactive approach to cybersecurity where you expect the worst and put in place mitigations to prevent it from happening.
- Match your investment in cybersecurity with the level of risk your company faces.
- Develop a strategy and approach that takes into account the increasing size of the threat landscape. For example, while there may have been investment in IT cybersecurity in the past, OT (operational technology) was often regarded as less important because it was siloed and unconnected. In the modern world of digital transformation, this is changing, increasing the level of cybersecurity risk.
- Get cybersecurity insurance to help with some of the costs that you will incur as a result of an attack.
You should also invest in third-party cybersecurity expertise to help with the above, and to help with the practical steps required to protect your systems and data. After all, cybersecurity is an area of business and technology that never stands still, making it difficult to stay ahead of the threat curve.
We can help at Amoeba. We have tried and tested procedures, technical solutions, and strategies that will help protect your organization.
We’ve got our pads and helmets on – put us into your cybersecurity defensive line by getting in touch today.