Mitigating cyber-risk – risky business?

By Krist Davood - August 24, 2017

As a board member, owner or executive of a company, how much cyber-risk are you prepared to incur and, more importantly, how much risk are you taking that you don’t know about and therefore haven’t measured or tried to mitigate?

Read the full edition of Contact Magazine here

Dealing with most business risk can be fairly straightforward. But recent international IT events, such as the Petya ransomware outbreak, show that it is cyber-risk that can pose the greatest threat.

Any number of directors will tell you that, since the focus shifted to regulatory compliance and best-practice standards, the demands on board members, owners and executives have increased significantly.

A recent survey backs these claims, especially from a cyber-risk perspective. According to the results of the GSIS survey, directors rank the assessment of security risks, inadequate policies and insufficient standards among third parties among their highest priorities: 75% of directors report needing to spend more time on board duties related to cybersecurity risk, and 27% report attending more meetings about cyber-breaches.

Most executives will tell you they have a rigorous methodology in place to handle cyber-risk management and internal control issues. An example of such a methodology/roadmap is as follows:

These seven basic components of the methodology are typically used to produce a cyber-risk mitigation plan for the board and/or owners to consider.

In spite of this vigilance, few CEOs, CIOs or CFOs serve their terms in office without being confronted with unwanted surprises arising from the failure of internal, technical, environmental, physical or administrative cyber-controls.

Typical surprises include:

  • Unauthorised monies exchanging hands on the dark web
  • Selling of private data on the cyber ‘black market’
  • Staff, clients and service providers finding ways of defrauding significant sums of money, and
  • IT staff not being aware of how weaknesses in the computer systems expose the organisation to risk

Such surprises can bog an organisation down in an endless cycle of firefighting and litigation activities, leaving decision makers with very little time to be innovative.

Frequently, the ensuing state of disrepair is so extensive that the organisation is competing in the marketplace with one hand tied behind its back. Then, as the organisation begins uncovering a frightening number of intrusions or transactions that are processed without the proper controls, its strategic projects take a back seat.

From an executive’s perspective, it is easier and cheaper to maintain the status quo by assuming cybersecurity is limited to the technology department. This logic no longer holds: the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect on 22 February 2018, making notification of eligible data breaches a legal obligation for entities covered by the Privacy Act rather than an internal IT matter.

Australian companies must adopt and embrace the attitude that mitigating cyber-risk is part of the road to business success. In part, that success is shaped by an organisation’s willingness to review and minimise its cybersecurity issues so those risks won’t get in the way of innovation.

Such a review of an organisation would be carried out jointly by a Cybersecurity Governance Professional, specialised IT security staff and internal audit. This team can enhance and dynamically change a company’s IT, cybersecurity and internal audit functions into a proactive force in true risk management activities. Cybersecurity controls can represent up to 65% of an organisation’s internal and technical controls. It is ironic, however, that the very people most suited to drive the mitigation of cyber-risk are the most difficult to find.

From a compliance perspective, it is not realistic for an internal auditor, or an IT security professional with no cybersecurity background, to unilaterally sign off on a systems control review that he or she is not qualified to judge. Cybersecurity Governance Professionals are difficult to come by because most people with the technical skills lack the risk management and governance background. A Cybersecurity Governance Professional uses his or her combined business and IT expertise to identify all risks to the relevant processes, data and systems.

Integrating risk management and Cybersecurity Governance is a vital evolution for most organisations, especially as they seek to comply with the relevant standards.

Before CEOs and/or CFOs can sign off on the integrity of their privacy obligations, they need to see and understand the complete picture. It is a paradox that the skill set underpinning the digital engine of today’s e-commerce-driven market is the one least available in the IT departments of most organisations. How much cyber-risk are you prepared to take?
