Top ten things CFOs should do immediately about cyber security

11 October 2018

Leon Fouche, National Leader, Cyber Security

As a CFO, managing an organisation's financial risk is a top priority. Because a cyber security breach can cause serious financial damage, savvy CFOs need to understand their organisation's cyber security risk profile and act now to put safeguards in place.

BDO’s Cyber Security experts recommend ten things CFOs should do immediately.

1. Know the value of your assets

The average total cost of a data breach to an Australian organisation is currently $2.82 million, or $144 per record lost or stolen, according to the Australian edition of the Cost of a Data Breach study sponsored by IBM and conducted by the Ponemon Institute. With this in mind, CFOs must identify their organisation's most valuable information and digital assets so they know what has to be protected, and what a loss would cost.

2. Consider cyber insurance

Insuring against a cyber security breach can make a lot of sense for some businesses. If it fits yours, determine how much cover is needed to financially protect the organisation's assets, based on the asset values established in step 1.

3. Determine your organisation’s risk of a cyber security breach

According to the Office of the Australian Information Commissioner's most recent Notifiable Data Breaches Quarterly Statistics Report, 59% of all reportable data breaches originated from malicious or criminal attacks; the remainder are attributed to human error and system faults. Make sure your risk assessment considers all possible breach sources, not only external attackers.

4. Mitigate against internal risks

Has your organisation established an insider-threat program to mitigate the risk of a breach caused by trusted individuals, such as employees, contractors and business partners who have legitimate access to your systems and data?

5. Act to ensure ‘real’ cyber security

Complying with the regulatory requirements and information security standards that apply to you (e.g. ISO 27001, the Notifiable Data Breaches Scheme, GDPR, PCI DSS, the Security of Critical Infrastructure Act 2018) is good, but compliance is not the same as security: it demonstrates that controls existed at a point in time, not that attacks are being prevented or detected today. Do you have a strategy and plan in place that clearly defines the actions your organisation will take to achieve real cyber security?

6. Source independent assessments

Commission an independent cyber security health check or network threat assessment. If one was conducted recently, what were the results, and what action has been taken on them?

7. Assess cyber insurance coverage

If you already have cyber insurance, obtain an independent assessment of the adequacy of the cover. Cyber liability insurance premiums are rising significantly, and policies often do not cover all of the losses caused by a breach, so check the exclusions and limits against the scenarios you actually face.

8. Integrate your monitoring and response services

Ensure that your security monitoring, detection and response capabilities are integrated and operating effectively. Determine whether your internal team can perform this function effectively, or whether it should be outsourced to a managed detection and response (MDR) provider, and if so, at what cost.

9. Review cyber security response plans

Determine whether your organisation has comprehensive cyber incident response (IR), disaster recovery (DR) and business continuity plans (BCP), and ensure they are tested regularly; an untested plan is an assumption, not a control.

10. Use scenarios to test your plans

Work through concrete scenarios and ask: if we are hit by ransomware, would we pay the ransom? If so, how much should be budgeted, and would it be covered by our cyber liability insurance? Bear in mind that paying does not guarantee the data will be recovered. This approach highlights gaps in your organisation's response plans and allows action to be taken before it is too late.

To help CFOs get started on the path to determining their organisation's cyber security resilience, BDO and AusCERT have released their third annual Cyber Security Survey. Participants receive the survey report, which includes information to help organisations assess their risk profile against industry trends.