Business leaders are coming up against the precipice of what might be the most significant challenge they face in 2023 and beyond: increasingly frequent and sophisticated cyberattacks devastating to business.
During the World Economic Forum’s 2023 annual meeting, experts warned that “2023 will be a consequential year for cybersecurity.” According to a report released during the forum, both business and cyber leaders believe escalating global geopolitical instability will likely result in a catastrophic cyber event in the next two years.
It’s not that cyber threats are a new phenomenon. CFOs and other business leaders are aware of the potential risks they pose. The present problem is that economic, geopolitical, and cultural instability are expanding the cyberthreat landscape while a shrinking workforce and the ensuing war for talent continue to create significant resource gaps.
“There’s a gathering cyber storm … and it’s really hard to anticipate just how bad that will be,” said Sadie Creese, a cybersecurity professor at the University of Oxford, during an interview in Davos, Switzerland.
Every business is now a potential target, from the smallest to the largest. It is therefore a critical time for CFOs to engage with every department and invest strategically in cybersecurity across the business, because your current strategy is likely no longer adequate. As attackers and technologies evolve, so too must your engagement with how cybersecurity is delivered across your organization.
Think of cybersecurity as an investment in resiliency. Taking a comprehensive approach to cybersecurity increases the odds that your organization will not only identify malicious activity and successfully deflect attackers, but also respond effectively and recover with minimal impact if a worst-case scenario unfolds. However, you need to proactively validate that your company’s approach is truly comprehensive.
Historically, cybersecurity has been treated as the purview of IT, while the reality is much more complex and pervasive. IT can manage and solve many risks, but every leader in an organization has a role to play, including governance, legal, compliance, public relations, and human resources. So does every third party, including your vendors, suppliers, contractors, service providers, and customers. Cybersecurity is therefore not only about technology, but about people and processes as well.
Simply put, cybersecurity is like a tree with a complex root system. To stand tall and firm, it must reach into every corner of the business, rooting itself in your “cybersphere” (every department and employee, extending to vendors, suppliers, contractors, and customers). It’s complex, to be sure. Still, there are ways for CFOs to keep it simple.
Three overarching questions every CFO should be asking in their role as a guardian of organizational resiliency are:
Are we protected from cyberattacks?
What more can (and should) we be doing to protect against cyberattacks?
How can we ensure our business has the resources it needs to face looming cyber challenges head-on?
When determining whether your organization is protected, CFOs should expect cross-departmental, plain-English answers that distinguish effective controls from potential weaknesses and root-cause issues within your cybersphere. That means not relying solely on IT’s opinion of its ongoing efforts to secure the organization, but also holding all third parties accountable for their role and seeking insights from an independent assessment of your organization’s threat landscape and corresponding control environment. The input from IT, combined with assurances from your third parties — and the results of your independent assessment of both — will clearly answer this question.
In truth, the pervasive nature of cybersecurity makes it incredibly difficult for CFOs, chief information officers, and other organizational leaders to identify what else they should be doing to protect their companies. So, just as accountants shouldn’t audit their own work, you need to seek objective intelligence that either confirms the direction of your cybersecurity efforts or adjusts it to achieve long-term resiliency. The key to cybersecurity is to invest in understanding:
“What” the company has
“Where” the company has it
“Who” can access it
“Why” someone would want it
“How” the company is controlling it
These questions should be assessed across your cybersphere to identify immediate, near-term, and long-term strategies for addressing known and unknown weaknesses. This isn’t the time for bravado but for candor and collaboration that marry people, processes, and technology throughout your cybersphere. After all, the best firewall in the world is useless if attackers can circumvent it by targeting busy people, permissive processes, or unaware third parties.
It is important to work with IT, management, the board of directors, and your trusted advisors in aligning strategy with resources and tactical initiatives to face any looming challenges head-on.
Remember, while it is important to look at what you already have and strengthen your control layers where necessary, it’s just as important to apply the same discipline to every business decision made in support of your organization’s overall business strategy. For example, if management decides to use a cloud-based third-party system without considering the potential risks to the organization, your processes won’t necessarily address the corresponding risks, your people won’t be trained to identify likely problems, and your technologies won’t be tuned to monitor for inappropriate activity. Seem unlikely? It’s not. Most of the successful business email compromises we’ve investigated take advantage of exactly this, and it often costs companies millions of dollars.
While it’s hard to quantify the impact of proactive cybersecurity measures, a lack of investment in cybersecurity can have all-too-quantifiable downstream effects.
In addition to forensic and recovery costs, businesses that suffer a cyberattack could face civil and legal costs, regulatory ramifications, and reputational damage. Moreover, despite rising cyber insurance premiums, organizations that don’t have a proactive control environment are more likely to find that insurance payouts after an attack are denied because of their lack of due diligence.
As the World Economic Forum warns of an impending cyber storm, we should return to the analogy where we liken cybersecurity to the root system of a tree. Trees with strong roots are nourished. They flourish and remain anchored even during the strongest storms. Trees with weak roots are easily toppled. To protect against the thunderheads gathering on the horizon, CFOs must start examining and strengthening those roots.
Joe Oleksak is a partner with the cybersecurity practice at Plante Moran.