Cyber risk assessment: metric of the month
An employee recently received an email from me letting him know I was at an important meeting and asking if he could text me. The only problem was, it wasn’t me. “Fake Perry,” as we call the potential scammer, had sent messages to our employees in an attempt to gain access to company accounts.
If Fake Perry had obtained the employee’s number, the next step would have been to call the phone company and have the employee’s number ported to a phone the attacker controls (a port-out, or SIM-swap, attack). With the number hijacked, the attacker would receive any one-time codes sent by text message, which would have made it easier to break into our accounts. Thanks to the vigilance of our employees and the cybersecurity training we provided them, no one fell into the trap.
We love to poke fun at Fake Perry, but we take cybersecurity seriously, and you should too. Hackers have managed to extract millions of dollars in ransoms from organizations such as schools and hospitals. More recently, the Colonial Pipeline hack left much of the Southeastern United States reeling from gas shortages and soaring gas prices. Cybercriminals will eventually come for your organization if they haven’t already. What are you doing to identify and assess your cyber risks?
Our recent Enterprise Risk Management survey asked respondents to identify the percentage of their top risks that fall into categories, including strategic risk, operational risk, financial risk, and cyber risk. We found that 1 in 10 primary risks rated by respondents fell into the cyber risk category, both at the 25th percentile and at the median. The 75th percentile organizations reported that a fifth of their top risks were cyber risks.
Median and 25th percentile organizations aren’t necessarily lagging behind – it’s good that cyber risk is at least on their radar. At the same time, it would make sense for organizations to rate more cyber risks among their top risks, given the financial and operational damage these attacks can threaten.
Protect your business
Taking action to combat cyber risk is in the best interests of every organization because it is not a question of if, but when, these attacks will occur. And there is no doubt that a successful breach of your systems will have financial consequences. Because of this, CFOs and other finance managers cannot afford to consider cyber risk preparedness just one more item on the IT checklist. Below, we discuss three recommendations based on the moves we see top companies making.
1. Invest in Cyber Risk Preparations
Committing resources to protect your organization from cyber risks is always a smart investment. It is best to commit these resources up front to prevent or mitigate the damage of an attack. Otherwise, you will pay later, once the ransom is due or customer data has been compromised. If you have the resources, now is also the time to invest in tools to verify whether vendor payment requests are valid and to flag suspicious transactions.
Preparing for cyber attacks also means training employees, so that they are familiar with typical hacker approaches. Assuming that all employees are savvy enough to read the signs of an attempted attack could be a costly mistake. Basic security features like two-factor authentication are very effective if employees learn to use them; given the port-out scenario above, prefer codes from an authenticator app or a hardware key over codes sent by text message.
2. Assess cyber risks
At a high level, cyber risk assessment is very similar to any other business risk assessment. You will need to identify the areas most at risk and assess whether existing controls and safeguards are keeping risk below the organization’s risk appetite. Cyber risk assessment should also include penetration testing of your systems and the implementation of filtering that labels or quarantines suspicious or external emails. Along with these steps, make sure you have incident response plans in place so you don’t find yourself improvising when an attack has already taken place.
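As an added example (not code from the article or from APQC), here is a small mail-filtering rule of the kind the recommendation refers to. It tags mail from outside the company domain and quarantines messages whose display name matches an executive but whose address is external, the exact “Fake Perry” pattern from the opening, along with messages whose Reply-To diverts replies to a different domain. The company domain, the executive list and the three sample messages are all assumed or constructed for the illustration.

```python
"""Tag external mail and flag executive display-name impersonation.

Added example for this article (not APQC's code or tooling). The company
domain, executive list and sample messages below are all made up.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"      # assumed company domain
EXECUTIVES = {"Perry Wiggins"}      # assumed impersonation targets (from the directory in practice)
# Phrases that typically push the recipient to act fast or move off e-mail.
URGENCY_PHRASES = ("important meeting", "text me", "urgent", "gift card")


def _normalize(name: str) -> str:
    """Lower-case, drop punctuation and single-letter initials so that
    'Perry D. Wiggins' and 'perry wiggins' compare equal."""
    parts = name.lower().replace(".", "").replace(",", "").split()
    return " ".join(p for p in parts if len(p) > 1)


def _domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(raw_message: str) -> dict:
    """Classify one RFC 5322 message.

    Checks: sender outside the company domain; a known executive's name as the
    display name on a non-company mailbox (the 'Fake Perry' pattern); a
    Reply-To that diverts replies to a different domain; and urgency wording.
    A From address forged to carry the company's own domain is a job for
    SPF/DKIM/DMARC at the mail gateway, not for this check.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    external = _domain(from_addr) != COMPANY_DOMAIN
    known_execs = {_normalize(e) for e in EXECUTIVES}
    impersonation = external and _normalize(display_name) in known_execs
    reply_to_mismatch = bool(reply_addr) and _domain(reply_addr) != _domain(from_addr)

    # Non-multipart bodies only; a multipart message yields None here.
    payload = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + payload.decode("utf-8", "replace")).lower()
    urgency = any(phrase in text for phrase in URGENCY_PHRASES)

    if impersonation or reply_to_mismatch:
        action = "quarantine"
    elif external:
        action = "tag_external"   # e.g. prepend [EXTERNAL] to the subject
    else:
        action = "deliver"
    return {
        "from": from_addr,
        "external": external,
        "impersonation": impersonation,
        "reply_to_mismatch": reply_to_mismatch,
        "urgency": urgency,
        "action": action,
    }


# Constructed sample messages (not real mail).
FAKE_PERRY = """\
From: Perry Wiggins <perry.wiggins.ceo@gmail.com>
To: employee@example.com
Subject: Quick favor

I'm in an important meeting and can't take calls. Can you text me at
this number as soon as you see this?
"""

REAL_PERRY = """\
From: Perry Wiggins <pwiggins@example.com>
To: employee@example.com
Subject: Board deck

Draft of the deck is in the shared folder, comments welcome.
"""

VENDOR = """\
From: Accounts Receivable <billing@vendor-example.net>
To: ap@example.com
Subject: Invoice 4471

Attached is this month's invoice. Thank you.
"""

if __name__ == "__main__":
    for sample in (FAKE_PERRY, REAL_PERRY, VENDOR):
        print(classify(sample))
```

In a real deployment this logic belongs in the mail gateway's rule engine, the executive list comes from the directory rather than a hard-coded set, and the urgency flag is better used to raise the message's review priority than to block it outright, since plenty of legitimate mail is urgent.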
3. Make sure policies are clear and employees follow them
A common form of cyberattack involves seemingly legitimate payment requests from vendors who ask an organization to change the accounts to which payments are made. To ensure that requests from bad actors are not acted on, it is essential to establish clear cash handling policies that every employee follows to the letter, including confirming any change of bank account details by calling the vendor at a number already on file, never at a number supplied in the request itself.
Unfortunately, we have discovered through our recent research on treasury that many organizations are struggling in this area. Less than half of the respondents to our treasury survey indicated that their organization communicates the treasury policy widely. This means that more than half of those surveyed probably don’t do a great job making sure cash policies are clear.
Almost half of those polled said employees do not adhere to established policy very closely either. With the increase in cyber attacks, it is simply not worth taking unnecessary risks; even a single employee who plays fast and loose with policy could cause financial damage.
With the growth of cyber attacks and the certainty that they will continue, it is time to redouble our efforts to assess, prioritize and mitigate cyber risks. Investments in this area will pay off in the long run, either by preventing cyber attacks or by reducing the damage they cause. We may not all be responsible for keeping gasoline flowing across a large region of the United States. Yet these attacks threaten to cause significant damage to any business and its customers.
Perry D. Wiggins, CPA, is Chief Financial Officer, Secretary and Treasurer of APQC, a nonprofit benchmarking and best practice research organization based in Houston, Texas.