Technology and Psychology – The Cybercriminal’s Toolkit
In our Security Awareness for… series, we’ve already looked at what: want from security awareness training, so now we turn to consider what the Finance Director seeks.
If you’d asked anyone about cybersecurity problems ten years ago, you’d likely have got a shrug of the shoulders and a nonchalant look. Today, you would have to have been asleep for several years not to have noticed that cybercrime has hit the roof and that security incidents have impacted the minds, and pockets, of us all.
One of the innovations that has given cybercriminals the upper hand has been the use of not only technology but human psychology to carry out their criminal activities. Many modern cyber threats use our own behaviour as one part of an often multi-pronged attack. The jigsaw puzzle that must be assembled to counter cybercrime is complicated. The results of cybercriminal activity can be seen in the statistics collated by industry analysts and by the firms fighting on our side.
- Number of breaches. In 2017, we saw a doubling of cyber attacks. Companies of all sizes and types were under siege. Statistics from the UK government show that over 40% of businesses experienced a cyber attack in 2017, with that number rising to over 70% for larger firms. We witnessed major breaches like the Uber and Equifax data leaks, in which hundreds of millions of personal data records were exposed. In 2016, there was a reported ransomware attack every 40 seconds. As we move into 2018/2019, the attacks are morphing into new methods such as cryptojacking, which saw an increase of 8500% in 2017.
- Cost of breaches. The Ponemon Institute provides an annual insight into the costs of cybercrime across all types of organisations. In their 2017 report, they found that in the UK, for example, the average cost of a data breach was £2.48 million.
- Type of breaches. The one thing you can predict about cybercrime is that it is ever-changing. Breaches, however, focus on certain core outcomes, which include: the theft of data; denial of service (e.g. to shut a website down); sabotage; and financial theft, including ransomware. Cybercriminals use a variety of techniques to achieve their end goal. These include: web attacks such as SQL injection and XSS; phishing to steal login credentials or install malware; Distributed Denial of Service (DDoS); and Business Email Compromise (BEC). One thing you can be sure of is that cybercriminals innovate.
All in all, the landscape of cybercrime is convoluted, complex, and changing. It takes an intelligent and proactive approach to deal with this and make headway.
In this short series of articles, we will take a look at how having an awareness of cybersecurity threats, and building a culture where security becomes second nature, affects different organisational roles. We will also look at how applying security awareness campaigns to combat cybercrime places the ball in your organisation’s court, rather than in the cybercriminal’s hands.
The Finance Director On Security
“Where the ‘buck’ stops” and “it’s all about the money” must be phrases invented for the Finance Director, and those words have never rung more true. The average cost of a security breach is now reaching epic proportions, with studies such as that from IBM reporting losses of around $3.6 million USD per breach.
Security has entered the common language of all of us, and the Finance Director has not been spared. The costs of a security breach hit hard, and not only in the obvious places like loss of productivity while systems are being fixed or ransom demands from ransomware infections. Costs come in many guises. Share price is one such area impacted by a cyber-attack. The Ponemon Institute found that, on average, the share price of an affected company would drop 5% post-breach. Companies with particularly high profiles, like Equifax, feel the pain even more acutely. When Equifax experienced a data breach in 2017, their share price lost 33% at one point.
The Finance Director is a key person in the data security decision-making objectives of any organization. This key position focuses on certain aspects of the cybersecurity puzzle with the following being of concern:
- It’s all about the money – Finance Directors are instrumental in business risk management. As cybersecurity issues now form an integral part of business risk, it goes without saying that the Finance Director has now firmly taken a seat at the cybersecurity management table.
- Order and disorder – A happy employee is a productive employee, so say analysts like McKinsey. A cybersecurity attack affects the entire organization when it happens. Employees often feel it is their fault, or blame it on poor organizational management. Keeping employees engaged in their work, and not distracted by media headlines when a data breach happens, will help keep a workforce productive.
- A damaged brand – Brand damage along with share price drops are two of the hidden costs of a cybersecurity attack. The earlier mentioned Ponemon Institute study found that 91% of CMOs felt that loss of brand value had the greatest cost implication, post-breach.
- Share plummets – As mentioned earlier, share prices can plummet post-breach. A Finance Director will then be in the hot seat with shareholders, having to explain why this loss was not mitigated.
Finance Directors are part of the wider company culture of security that needs to be used to prevent cyber attacks. As part of the C-level team, you can influence and encourage the uptake of security awareness throughout the organization to ensure that cybersecurity costs do not become part of your annual budget.
What security awareness can offer the Finance Director
Cost is the bottom line for any commercial business, and when something like a cyber attack happens, the pain is felt keenly by those on the finance frontline. A recent study carried out by the World Economic Forum and McKinsey interviewed executives from across the world about the impact of cybersecurity on business. They found that “Concerns about cyber attacks are starting to have measurable negative business implications in some areas.” One of these areas is meeting the compliance requirements of security and privacy regulations. Compliance can be industry specific, e.g. PCI-DSS for payment card data, or general, like the GDPR. In a security landscape where human factors, like behaviour, are used to scam a company, having a culture of security that incorporates everyone from the C-level down is a fundamental and highly practical way to take on the threat of a cyber attack.
Fortunately, there are tools at your disposal in the form of security awareness training that can create a culture of security tailored to your specific business. This culture is built on education in just what cybersecurity is all about. Your people become the foundation stone of your cybersecurity strategic planning and policy. Finance Directors, as company leaders, are in the perfect position to encourage and promote a safe and secure working environment built on education and knowledge. What benefits can security awareness training offer you?
- Return on Investment (ROI): Security awareness training can be tailored to the exact needs of your organization. With global cybersecurity spending expected to top $1 trillion USD by 2021, cutting security costs for your organization is paramount. Tailoring security awareness training means that you can ensure that you have a good return on investment compared to the costs of a cyber attack.
- Healthy business: A business that is crippled because of one or more cyber attacks is not healthy. And attacks can be like buses: organisations often experience several, one after the other, while their defences are down. Your organization will benefit from all employees being aware of threats and taking the right precautions to avoid them.
- Strategic risk management: Managing corporate risk is a strategic investment that will reap benefits. Using a security awareness training package as part of this risk management can give you a focus and pathway to engage employees in an overall risk management process.
- Fine avoidance: Many modern data security and privacy laws and regulations now require that a security awareness program forms part of an organization’s general security policy. Being security aware, and ensuring that employees understand their role in the wider compliance requirements, can help you to avoid the often massive fines imposed under the likes of the EU’s GDPR (General Data Protection Regulation) and the UK’s DPA 2018 (Data Protection Act).
The Finance Director should work alongside other C-level team members to build a better prepared organization that can win the war on cyber threats. As Finance Director, you are in a unique position in your organization, as you see the financial impact of a cyber attack at source. Security awareness training is a cost-effective way of mitigating the business risk of cyber attacks. As Finance Director, you can be an integral part of your organization’s fight against cybercrime by helping to create a culture of security.