'Cybercrime is big-game hunting now ... you need to be prepared'

The global COVID-19 pandemic has exponentially increased the number of cyberattacks on companies, countries, and individuals — in part because of widespread government spending programmes applied for and administered online. A 2021 global threat report by cybersecurity firm CrowdStrike found intrusions involving hands-on keyboard techniques increased fourfold during the prior two-year period.

In a world of increasingly linked organisations, each target is a risk to others, and the financial damage wrought by these attacks can be significant. Attacks on companies can compromise critical national infrastructure, and attacks on individuals can open back doors into companies already stretched to the limit. As the harried world works from home and more businesses join the cloud to manage their data, bad actors continue to take every advantage they can.

Not up to speed

EY's Global Information Security Survey (GISS) revealed in 2020 that 59% of senior leaders at almost 1,300 organisations interviewed had faced a "material or significant incident in the past 12 months". And that was before the coronavirus and mass home working. The survey found that 48% of boards expected a cyberattack or data breach to more than moderately affect their organisation in the next 12 months.

Yet EY also found that only 20% of boards were extremely confident that the "cybersecurity risks and mitigation measures presented to them can protect the organisation from major cyberattacks." And worryingly, 7% of respondents to the GISS said that cybersecurity was never on the board's agenda, while only 29% said it was on the agenda on a quarterly basis. Facts and figures abound, but one thing is clear: Although they may be more aware of the risks now, most boards were not up to speed on cybersecurity before COVID-19.

This is a problem because the board has a key role to play in a company's cybersecurity. Boards help manage risk, regulation, investment, and governance — and cybersecurity has an impact on all four. In an interview, Kanika Seth, EY EMEIA financial services cybersecurity leader, said: "Companies are outsourcing a lot of their cybersecurity needs, but you can't outsource risk — responsibility ultimately sits with you. This is a global threat that crosses jurisdictional boundaries. Companies need to stop looking inwards and locally, and boards need to be better equipped to support management."

Merle Maigre, former director of NATO's Cooperative Cyber Defence Centre of Excellence, argued that "while it is a good sign that so many companies have a chief information security officer [CISO], that CISO has to have a meaningful relationship with the board". That is where it gets tricky. According to EY's findings, only 48% of the respondents felt that "their board and executive management team have the understanding they need to fully evaluate cyber risk and the measures it is taking to defend itself".

So how can boards learn more about cybersecurity and adjust to new risks? And how can executives charged with cybersecurity bring the board along with them? The answer is threefold.

Budget

Ultimately, much of an organisation's ability to handle cyberattacks will come down to investment in IT security.

"There are three types of cyberattack — theft, subversion, and sabotage. And they are all increasing," Maigre said. She explained that one growing trend is for hackers to use ransomware to steal information that is not valuable to them per se but is valuable to the organisation, demand a ransom for that information, take the ransom, and then sell or leak the data anyway. Cybersecurity research company Cybersecurity Ventures predicted that ransomware attacks would occur every two seconds by 2031 (compared with every 11 seconds in 2021), with a total attendant cost of around $265 billion. "Hacking is becoming more complex, more common, and more professional," Maigre said. "It is looking pretty bleak for those small and medium-sized organisations which feel like they do not have the resources to invest in IT security — and by degree bleak for those larger organisations with these companies in their supply chain."

Budgeting needs to be driven by more than image concerns and regulation. The GISS suggests that organisations should budget for cybersecurity in a different way than they have in the past. "We've recommended that arguments focused around value creation and transformation, not just value protection and recovery, will resolve some of the tensions between the CISO and the board," Seth said.

Instead of focusing on how not to be the subject of a cyberattack, or how cybersecurity is essential for customer trust, the value-creation argument allows organisations to invest in new technologies that enhance outcomes for customers and clients — for example, in healthcare, where connecting highly valuable and sensitive patient data can lead to substantially better patient outcomes and increased operational efficiencies.

Educate

According to Maigre, one of the best ways that executives can help the board understand the fundamental importance of cybersecurity is to test board members' own online security. Maigre said that a session in which they are asked about the security of their passwords, the types of things they post online, and the apps and services they use can be very helpful. This has two benefits, she said. First, it helps illustrate the type and depth of work that needs doing and shows that insecure practices can be commonplace. Second, it secures the communications of board members, who are themselves prominent targets for attackers because they often possess sensitive information.

Another key way that executives can educate the board on cybersecurity is to hire experts to speak with them in their various subcommittees. "The job of the board is to probe management's strategies, but if they're not equipped to do so, then that querying role becomes impossible," Seth said. Maigre advocated having a cyber expert on the board itself — and there is evidence to suggest that, in the US at least, companies are looking to hire such experts.

Test

Testing can also help educate the board, demonstrate the need for additional budget, and increase security. Maigre said that "as well as highlighting security needs, war games and tabletop exercises can help to build meaningful relationships with board members, as well as helping them to understand that they have a key role to play".

Maigre recommended that companies take a two-step approach to testing. "First, the company needs to threat-model and undertake technical exercises," she said. "The board, along with key IT personnel, [needs] to explore potential risks from known adversaries. This means acting with as much fidelity as possible." The threat-modelling stage involves simulating attacks from start to finish, and cycling through response and mitigation options using red (attack) and blue (defence) teams. The board should be present for big technical exercises.

"Technical exercises should be followed by tabletop exercises" in which organisations discuss the outcome of simulations and examine their response, Maigre said. "Tabletop exercises should look at four areas," she said. "First, time — how much time is needed to make decisions in the event of an attack? Second, transparency — how much of what has happened would you reveal to stakeholders and when? Third, authority — who are the key decision-makers, and under what circumstances can or should you delegate or escalate certain tasks? Fourth, based on the results of the first three steps, is our current response framework useful?"

Throughout these discussions the board should be asking questions about the likelihood of attacks, the impact of information sharing with stakeholders, and where key responsibilities lie. "Many companies are equipped with the technology to respond to a cyberattack, but they can fail on governance," Maigre said. That is where an engaged board can make a difference.

Ultimately, Seth said, this is an area that is only going to grow in importance. "Attacks are increasing, ransomware is growing in sophistication, and there is a lot of regulation coming. Companies cannot be ready for a cyberattack if the board is not ready, too. It's as simple as that." Maigre agreed and added: "The board has to understand that these are no longer rogue individuals out for a quick payday. They are criminal enterprises — businesses in their own right. Cybercrime is big-game hunting now, and you need to be prepared."

Felicity Hawksley is a freelance writer based in the UK. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.

Cybersecurity Applications Certificate + Unlimited CPE

Empower yourself to implement a sound cybersecurity risk management programme that will help your organisation avoid cyberattacks and recover quickly when they do occur.

BUNDLE

Cybersecurity Practical Applications Certificate Program

Empower yourself to implement a sound cybersecurity risk management programme that will help your organisation avoid cyberattacks and recover quickly when they do occur.

COURSE

Cybersecurity Risk Management

Covers key cybersecurity policies, controls, and procedures as part of a cybersecurity risk management programme.

Find this course in the AICPA store and the CGMA store.

COURSE

Reporting on an Entity's Cybersecurity Risk Management Program and Controls: Attestation Guide

When you're examining a cybersecurity risk management programme and its controls, look to this authoritative guide for interpretive guidance. Includes a framework for providing stakeholders with useful, credible information about the effectiveness of an entity's cybersecurity efforts.

PUBLICATION