Cyber and the CFO - A report by ACCA and CAANZ together with Macquarie University and Optus - Chartered Accountants
About ACCA
ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants, offering business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management. ACCA supports its 208,000 members and 503,000 students in 179 countries, helping them to develop successful careers in accounting and business, with the skills required by employers. ACCA works through a network of 104 offices and centres and more than 7,300 Approved Employers worldwide, who provide high standards of employee learning and development. Through its public interest remit, ACCA promotes appropriate regulation of accounting and conducts relevant research to ensure accountancy continues to grow in reputation and influence.

ACCA is currently introducing major innovations to its flagship qualification to ensure its members and future members continue to be the most valued, up to date and sought-after accountancy professionals globally.

Founded in 1904, ACCA has consistently held unique core values: opportunity, diversity, innovation, integrity and accountability.

More information is here: www.accaglobal.com

About the Optus Macquarie University Cyber Security Hub
Launched in 2016, the Optus Macquarie University Cyber Security Hub is an exciting collaboration between Macquarie University and Optus. This AUD10 million joint investment is the first initiative of its kind in Australia addressing this profoundly multifaceted challenge that is cyber security by linking academics in information security, corporate governance, financial risk, criminology, intelligence, law and psychology together with cyber security experts from industry and government.

The Cyber Security Hub forms a network of academic, business and government leaders:
• Providing expertise and leadership in cyber security regarding technology, governance, policies and human factors;
• Offering a platform for exchange between academics and practitioners from business and government;
• Conducting cross-cutting research across several disciplines in the field of privacy, cyber physical systems security, secure artificial intelligence and human-centric security;
• Training the next generation of cyber security specialists as well as raising awareness among our leaders and developing the skills of the existing workforce.
About CA ANZ
Chartered Accountants Australia and New Zealand is a professional body comprised of over 120,000 diverse, talented and financially astute members who utilise their skills every day to make a difference for businesses the world over. Members are known for their professional integrity, principled judgment, financial discipline and a forward-looking approach to business which contributes to the prosperity of our nations. We focus on the education and lifelong learning of our members, and engage in advocacy and thought leadership in areas of public interest that impact the economy and domestic and international markets. We are a member of the International Federation of Accountants, and are connected globally through the 800,000-strong Global Accounting Alliance and Chartered Accountants Worldwide which brings together leading Institutes in Australia, England and Wales, Ireland, New Zealand, Scotland and South Africa to support and promote over 320,000 Chartered Accountants in more than 180 countries. We also have a strategic alliance with the Association of Chartered Certified Accountants.

About Optus
At Optus, we’re passionate about creating compelling customer and employee experiences, and bringing to life the spaces and things that make this possible.

It’s about empowering our customers to thrive in an age of unprecedented digital disruption. And it's why Optus is trusted by thousands of Australian organisations who value a partner that understands the full breadth of managed technology and services – from applications, security, cloud-led ICT, to collaboration and contact centres. All underpinned by our smart and secure network.

Backed by the international strength of the Singtel group and the power of our mobile, fixed and satellite networks, regional strength and local expertise, Optus Business brings together best of breed partners to create the solution that’s right for Australian organisations.

No longer is it about products and services, but a connected digital experience that empowers people to do more.
© The Association of Chartered Certified Accountants, May 2019

Cyber and the CFO
About this report
In October 2018, ACCA and CA ANZ, together with Macquarie University and Optus, conducted a survey among their members globally to seek their views on cyber security and its implications for the finance function.

This report shares the results of the global survey and draws insights from several interviews conducted as part of the research. Over 1,500 survey responses were gathered from a broad range of sectors, as follows.

Employees
• 0 - 9 employees, 7%
• 10 - 49 employees, 12%
• 50 - 249 employees, 17%
• 250 - 1,000 employees, 22%
• 1,001 - 2,500 employees, 11%
• 2,501 - 5,000 employees, 9%
• 5,000 + employees, 21%

Sector
• Public practice (accountancy firm / SMP / sole practitioner), 13%
• Public sector (including government), 17%
• Financial services (including banks or insurance companies), 17%
• Not-for-profit, 7%
• Corporate sector (including industry and commerce), 39%
• Other, 7%

Role
• Chief Financial Officer (CFO) / Finance Director, 10%
• Chief Operating Officer (COO), 1%
• Director / Executive / Partner, 6%
• Accountant / Financial Accountant / Management Accountant, 31%
• Internal Auditor, 9%
• Financial Controller, 9%
• Sole practitioner / self-employed, 1%
• Other, 33%
Acknowledgements
ACCA, CA ANZ, Macquarie University and Optus would like to thank all individuals and organisations that have contributed to producing this report.

Foreword
Finance professionals need to understand and play their full role in managing cyber risk in their
organisations. Weakness in cyber security is a significant business risk across all organisations.
The level of threat evolves and changes as technology changes. Organisations are, however,
increasingly connected and this too transforms the risk profile.
Yet, cyber security is not seen as a business risk; we seem content to leave it to a focused group of professionals who have strong technical ability but may not have the financial awareness necessary for evaluating the potential consequences of a security breach. It cannot be left to the information technology professionals alone.

Finance professionals need to take advantage of the education programmes available to them to ensure that they have enough up-to-date technical knowledge. They are not required to be experts; rather, they need to be sufficiently competent in this area to assess and manage the level of risk. They need to be able to evaluate the investment case and to support the necessary prevention activities. It is however not just about prevention, because failure here is potentially inevitable. It is also about being able to manage effectively the consequences of a successful attack – consequences that can be measured in reputational damage and fines. Some of these instances are more visible than others as media attention focuses on data privacy issues and the majority probably get less publicity but still affect supply chains and confidence.

The finance community cannot ignore cyber risk. It is a complex issue but one that finance professionals need to become very familiar with.

This report sets out the case for this and contextualises many of the cyber risks, some much less known than others but equally plausible and potentially even more devastating for organisations.

Helen Brand, Chief Executive, ACCA
Rick Ellis, Chief Executive, CA ANZ
Professor David Wilkinson, Deputy Vice-Chancellor (Corporate Engagement and Advancement), Macquarie University
Stuart Mort, Chief Technology Officer, Cyber Security & ICT Solutions, Optus Business
Contents
Executive summary 6
1. Why does cyber risk management matter? 7
1.1 A financial and operational risk 7
1.2 Effective cyber risk management and governance 7
1.3 Size does not matter 8
1.4 This report 8
2. Cyber and the CFO 9
2.1 Cyber security – the state of play 9
2.2 How significant a risk? 12
2.3 Responsibility and accountability 14
2.4 Cyber risk and governance 16
2.5 Data management 17
2.6 Cyber-attacks 17
2.7 Response and remediation 20
3. What is the cyber threat? 22
3.1 Leaving it to IT is not enough 22
3.2 Nature of the threat 24
3.3 The unknown threat 25
3.4 Third-party risks 26
4. Governance 30
4.1 Importance of cyber risk governance 30
4.2 The approach to governance 31
4.3 Cyber risk assessment 33
4.4 Cyber resilience 33
5. Protect, restore, recover 34
5.1 Identify 34
5.2 Protect 35
5.3 Restore 37
5.4 Response 37
5.5 Learning the lessons 37
6. Managing cyber threats 39
6.1 Stages of a cyber-attack 39
6.2 The threats that we ‘know’ 41
6.3 The threats that we might not know 51
6.4 The connected world 53
6.5 The human element 53
6.6 Towards the quantification of cyber risk 56
7. Practical actions 57
7.1 At the level of the board 57
7.2 For CFOs and finance teams 57
7.3 Key operating procedures for organisations 58
7.4 Key messages for individuals 58
8. Conclusion 59
References 60
Acknowledgements 62
Executive summary
Cyber risk is one of the most talked-about business risks. In our increasingly disrupted world it is at the forefront of our minds.

There are frequent major news stories about the theft of personal data from large organisations. There is continued debate about the use of our data by social media organisations and how this should be regulated (and whether regulation itself can keep pace with the evolving technology). Many cyber-attacks go unreported but can be just as significant to the organisations and individuals affected by them.

Yet how many of us really understand the nature of the risk and the full business implications of it? From the results of a survey conducted by ACCA and CA ANZ, it appears that the answer for most members is ‘few’. Yet it is a risk that has significant financial and reputational implications.

One estimate of the cost of cyber-crime globally is that it will reach US$6 trillion by 2021 (Cyber Ventures 2018). Regulators are increasingly taking a tougher stance on organisations that fail to address the risk adequately, whether through penalties imposed after data theft or through other compliance requirements. As finance professionals we need to be aware of these impacts (Clifford Chance, 2018).

Organisations frequently comment that cyber security is one of the most significant threats that they face, yet the respondents to the survey of their members conducted by ACCA and CA ANZ showed that 54% of them were either not aware of whether their organisation had suffered an attack or thought that they had not been.

Many see cyber security as somebody else’s problem, and one that does not have financial implications. This may in part be owing to a reliance on IT specialists to provide a level of technical and operational assurance. In a fast-moving and interconnected world this is no longer the case. The traditional boundary of the organisation represented by the firewall is being replaced by one where authenticating the user is more important. The weakest link may well be in the connected supply chain, yet our survey results suggest that many do not take an active role in addressing this risk.

As organisations increasingly integrate supply chains, in a ‘24/7’ world our responses to actions and reputational damage are also a significant factor. This can affect share prices and company valuations. It is also an issue for mergers and acquisitions as well as for day-to-day trading.

This report considers the level of understanding of these risks by the members of the two bodies and contrasts this with the level of risk that their organisations face.

One thing that can be said about the cyber threat is that it is evolving. Chapter 6 of the report provides an overview of the threats. Understanding these is an important step in ensuring that an organisation understands cyber risk and has an appropriate level of cyber governance.

Being prepared for the inevitable attack is essential. But it is not only a question of mitigating the attack, it is also one of leading the way out of the aftermath. Successful organisations recognise the need to maintain contact with customers and suppliers in the hours, rather than the days, ahead.

The finance community cannot stand by and leave the issue to other people. It is a significant business-wide risk. It should be treated as such and regularly appraised and acted upon. As individuals, we need to take personal steps to ensure that we are fully aware of the threat – organisations need to do more than isolated activities to address these issues, as outlined in this report. This starts with strong governance involving educating individuals who would otherwise be too passive in their reactions and would thereby expose the organisation to significant financial risk. It also includes having robust plans for managing, and recovering from, the inevitable.
1. Why does cyber risk management matter?

1.1 A FINANCIAL AND OPERATIONAL RISK
One prediction, by Cyber Ventures, estimates that cyber-crime will cost the global economy US$6 trillion annually by 2021, an increase from the 2015 estimate of US$3 trillion (Cyber Ventures 2018). This makes cyber-crime more lucrative than the total estimated global trade in all major illegal drugs combined. For businesses, cyber-crime represents a significant, and potentially costly, threat. The cost of cyber-crime arises from a variety of activities, including the destruction of data, monetary loss, lost production, theft of personal and financial data, costs of recovery after an attack and reputational damage. In its 2018 Data Breach Investigations Report, Verizon suggested that, of the over 53,000 security incidents that it had analysed, 76% of the breaches were financially motivated (Verizon 2018).

It is vital that the Chief Financial Officer (CFO) plays a leading, if not the leading, role in cyber security, especially in smaller organisations. It is no longer permissible to be a bystander or simply to delegate responsibility to others. And it is potentially disastrous for the finance team to be ignorant of the cyber risk and of their organisation’s ability to respond.

While it is encouraging that boards now see cyber security as a significant business risk, there is a danger that this perception may be interpreted differently across the organisation. If IT, operations and finance view cyber security only through their own professional lenses, then the most significant threats may not be addressed.

Cyber-attackers can target many areas of an organisation, but the dangers are ultimately measured in financial terms: CFOs cannot ignore cyber security simply because it is a complex issue outside their area of expertise.

Indeed, it is only with the CFO’s help that the organisation can quantify and manage the risk of a cyber-attack – even though the CFO may not be responsible within the organisation itself, it is through their wider network of relationships with customers, suppliers and other stakeholders that they have a role to play. The CFO has the skills and the oversight to be able to take a much broader and longer-term view of the financial impact of an attack, looking beyond the immediate issues of data loss and operational disturbance to reputational and regulatory losses and the effect on shareholder value.

As the cost of defending the organisation against cyber-attacks mounts, it is only by quantifying both the cyber risk and the organisation’s risk appetite that the Chief Executive Officer (CEO), together with members of the board, can ensure that resources are deployed effectively.

The CFO is one of the natural custodians of data, and increasingly responsible for assessing its value and managing its lifecycle. Finance is not only the natural point through which data flows in an organisation, and is reported on; it is also responsible for some of the most sensitive and valuable data the organisation possesses. The CFO will play a key role in identifying the information that it is most important to protect.

1.2 EFFECTIVE CYBER RISK MANAGEMENT AND GOVERNANCE
The CFO should also be able to participate fully in a robust discussion about cyber security with the board, the wider organisation and outside stakeholders, and to position it as a business and commercial risk to be mitigated by a range of measures, not all of which are technological. Finance also has the skills to oversee audit, inventory, testing and compliance, and will take the lead in the assessment and underwriting of cyber insurance.

CFOs need to use their existing role in the organisation to promote cyber security: the CFO and the finance department are highly trusted and experienced in explaining the business logic behind the financial restrictions and controls they implement.

In the event of an attack, the CFO will naturally be one of those who are expected to provide accurate assessments of the potential damage and lead both internal and external actions and communications to relevant stakeholders.
Cyber and the CFO | 1. Why does cyber risk management matter?

Cyber security is not just an issue for the IT department. It is a business risk that affects everybody.

And finance is in the front line of attack. Not only is financial data under attack but cyber-attackers will also target the finance department and personnel directly in their attempts to steal and defraud. CFOs need to engage with IT to ensure that their own vulnerabilities are both understood and addressed.

Cyber security can seem like a daunting task: the technologies of both defence and attack can be complex and the jargon can be impenetrable. But the threat only exists in a wider context of human behaviour and corporate culture. CFOs do not need to become technical experts in cyber-attacks and their prevention, but they will serve their organisations best by being fully aware of the range of cyber threats and promoting cyber security.

Cyber security is not just an issue for the IT department. It is a business risk that affects everybody. This fundamental issue is considered in Chapter 3, section 3.1.

Before considering the nature of the risk, in Chapter 2 we review the results of a survey undertaken in late 2018 of ACCA and CA ANZ members and their attitudes to cyber risk and understanding of cyber threats.

1.3 SIZE DOES NOT MATTER
It would be wrong to assume that only larger organisations are affected by cyber-crime. The balance is shifting in that organisations of any size are vulnerable as the threat profile evolves. Whether your organisation is large or small, a sole trader or a large multinational, you need to be aware of the impact of cyber risk. Our survey showed no area for complacency.

Supply chains are becoming more complex and the demands placed upon small and medium-sized enterprises by others in the supply chain mean that they too need to have an appropriate level of cyber protection. It is frequently seen as a burden that is placed upon them yet is now essential for conducting business.

Smaller entities face their own issues in maintaining effective cyber security. As the nature of the threat continues to evolve, keeping up with the extent of the threat and the increasing level of complexity of attacks can be challenging from a resource and a cost perspective. Yet, to fail to do so may preclude the organisation from obtaining contracts. Collaboration and use of available resources, such as those provided by national authorities, are key to addressing this for these entities.

1.4 THIS REPORT
In Chapter 2 of this report we consider how those in the finance community assess their level of understanding of:
• the business impact of cyber (sections 2.1 and 2.2);
• where the responsibility and accountability lie (section 2.3);
• the relationship of cyber risk and governance (section 2.4);
• the importance of data management (section 2.5);
• the impact of cyber-attacks (section 2.6), and
• our response (section 2.7).

Chapters 3 to 5 consider how we manage the cyber risk in organisations and the role that finance should be playing in this.

Chapter 6 considers a number of the elements of the cyber risk; it:
• explains the lifecycle of a cyber-attack (section 6.1);
• considers the nature of the threats that organisations currently know that they face (section 6.2) and those that are emerging (section 6.3);
• discusses risks arising from those with whom we interact as we live in a connected world where these contacts can also put us at risk (section 6.4);
• considers the overarching human aspect of cyber risk (section 6.5), and
• explores attempts to quantify cyber risk (section 6.6).

Throughout the report we refer to guidance and standards available from governments and other organisations. Reference is made to ISO/IEC 27001 in Chapter 3, section 3.4 together with SOC (Service Organisation Control report) 2 and SOC 3 standards.

Chapter 7 provides a summary of key practical actions for each of the board, finance teams and users.
2. Cyber and the CFO

2.1 CYBER SECURITY – THE STATE OF PLAY
While many CFOs will comment that they are aware of the level of cyber risk likely to occur, our research suggests that CFOs need to be much more proactive. Cyber security is not just an issue of protecting assets, updating software and ensuring that you have up-to-date virus protection installed; it is increasingly a business issue in its own right, one that can lead to significant reputational damage or financial loss if an organisation is not prepared for the inevitable eventuality – a successful attack.

Financial and reputational implications
When TalkTalk, a UK telecommunications and internet service provider, was attacked in 2015 the immediate impacts were widely reported: 157,000 personal details were stolen. The estimated cost to TalkTalk was £77m, including a £400,000 fine levied by the UK Information Commissioner (Lyons 2018). Commenting on this case, the UK Information Commissioner, Elizabeth Denham, said: ‘TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate [from] their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.’

Less widely reported in this case were the company’s subsequent loss of 90,000 customers and the immediate 10% drop in its share price and subsequent decline, leading to an eventual loss (as of March 2019) of two-thirds of its pre-breach market capitalisation: more than £2bn.

The immediate cost of the data breach at the Starwood division of Marriott in 2018 has been estimated by catastrophe risk modelling firm AIR Worldwide at between US$200m and US$600m (AIR Worldwide 2018), but this only covers first- and third-party losses such as notification costs, forensics, credit monitoring, or replacement of credit cards. It does not include costs related to fines, reputational loss, business interruption, and loss of shareholder value or increased insurance charges.

The survey
In our survey of over 1,500 ACCA and CA ANZ members in late 2018, those that had been attacked reported an immediate increase in both their awareness of the issues and their investment in countermeasures: it is clearly preferable to learn and take action before having to deal with the consequences of a security breach.

Consequently, CFOs and finance leaders need to increase their awareness of the threat that cyber security failure poses to their organisations and redefine their own role in the management of cyber security as a strategic business risk. Our research suggests that too many either see cyber security as an operational or IT issue or

FIGURE 2.1: In your role, do you have any involvement in the management of cyber security in your organisation? For example, working with sensitive data, or involvement in setting policy in this area
Yes, some: 58%; Yes, a great deal: 20%; None: 22%
57% of respondents see cyber as either their most important or a ‘top 5’ business risk

simply do not know enough about how cyber-crime might affect their organisation, the threat level, or how it is currently managed. IT professionals have a role to play and their expertise is essential but is not the full story.

For example, while over half of those who responded to our survey said they had ‘some’ involvement in cyber security (58%, Figure 2.1), they were more likely to say they had ‘none’ (22%) than ‘a great deal’ (20%). Those in smaller companies were more likely to be more involved and less likely not to be involved at all. Do large organisations, with their ability to multiply ‘Chief Xxx Officer’ (CxO) titles, encourage a dangerous silo mentality around cyber security issues?

While most respondents (57%, Figure 2.2a) saw cyber as either their most important or a ‘top 5’ business risk, only 11% said it was the most significant risk to their business. More worrying were the 7% who said they simply did not know where to rank cyber threats and the 2% who thought it posed no risk at all. In comparison, large businesses tended to place a higher priority on cyber risks (8% overall in comparison to 5% for small businesses – defined for the purposes of this survey as having fewer than 250 employees).

When comparisons are made across industry groups, rather unsurprisingly the financial services sector sees cyber as a more significant business risk (67% seeing it as either their most important risk or at least as one of their top five risks: Figure 2.2b), with the public sector at 52% and the corporate sector at 54% being slightly lower.

It is noteworthy that more respondents in Pakistan than in any other country surveyed see it as the most significant business risk, whereas overall its significance as a ‘top five’ business risk was lower than in the other major respondent countries (Figure 2.2c). Overall in all countries surveyed, more respondents ranked cyber risk in their top five business risks than ranked it lower than that.

Smaller businesses also seem marginally less concerned or aware about security

FIGURE 2.2a: How does cyber security rank as a business risk in your organisation?
Categories: The most significant business risk (11%); In top 5 business risks (46%); In top 10 business risks but not top 5; A business risk but not in our top 10; None (2%); Don't know (7%)
FIGURE 2.2b: How does cyber security rank as a business risk in your organisation? Analysis by sector
Series: Public practice (accountancy firm / SMP / sole practitioner); Public sector (including government); Financial services (including banks or insurance companies); Not-for-profit; Corporate sector (including industry and commerce)
Categories: The most significant business risk; In top 5 business risks; In top 10 business risks but not top 5; A business risk but not in our top 10; None; Don't know

FIGURE 2.2c: How does cyber security rank as a business risk in your organisation? Analysis by geography
Series: Australia / NZ; UK; Singapore; China; SAR Hong Kong; Pakistan; Malaysia; Rep. Ireland
Categories: The most significant business risk; In top 5 business risks; In top 10 business risks but not top 5; A business risk but not in our top 10; None; Don't know

FIGURE 2.2d: How does cyber risk rank as a business risk in your organisation? Analysis by organisation size
Series: Small / medium; Large
Categories: The most significant business risk; In top 5 business risks; In top 10 business risks but not top 5; A business risk but not in our top 10; None; Don't know
68% of financial services sector respondents rated their cyber risk as very high or high

(Figure 2.2d), even though they are as vulnerable as larger firms to both an attack and its consequences. Cyber criminals are no longer respecters of organisational size and may well look to find a weaker link in the supply chain as a way of accessing larger organisations.

Having understood that for many organisations cyber represents a significant business risk, are we able to determine the relative size of that risk?

2.2 HOW SIGNIFICANT A RISK?
Figure 2.3a suggests that CFOs are thinking of the risk too much in terms of their organisation’s level of commercial involvement with technology and data and less about their operational exposure through the back office. A fraudulent payment to a non-existent supplier is as devastating to a high street shop as to an online retailer.

An attack is inevitable. CFOs need to understand that the threat is constant: attackers, often automated, are constantly testing the defences of businesses large and small. CFOs also need to consider that they may have already been attacked and not know.

The defence perimeter is changing. In the connected world the perimeter is the device and user and not the physical network. This dramatically changes the nature of the risk that organisations face and how they manage it.

Financial services sector respondents rated their cyber risk as greater than other industry groups, with 68% placing the risk as very high or high compared with 46% in the not-for-profit sector and 44% for the corporate sector. This is probably, in part, because the regulators in this sector emphasise this risk (as discussed in the World Bank’s brief Cybersecurity, Cyber Risk and Financial Sector Regulation and Supervision (World Bank 2018) in relation to the financial sector).

A geographic analysis (Figure 2.3c) of the same question suggested that organisations in the UK and Ireland, together with Australia (countries that have implemented enhanced data protection legislation from 2018), have a higher than average appreciation of the level of cyber risk to their organisation.

Our survey results indicate that larger organisations perceive themselves as more threatened than smaller ones (Figure 2.3d).

If we perceive that cyber is a significant business risk, where do the responsibility and accountability in the organisation lie?

FIGURE 2.3a: How significant a risk or not is cyber security to your organisation?
Categories: 5 – Very high risk; 4 – High risk; 3 – Moderate risk; 2 – Low risk; 1 – Very low risk
12Cyber and the CFO | 2. Cyber and the CFO
FIGURE 2.3b: How significant a risk or not is cyber security to your organisation? Analysis by sector
50%
n Public practice (accountancy firm / SMP/ sole practitioner)
n Public sector (including government)
44% Financial services (including banks or insurance companies)
40% 42% 42% n
n Not-for-profit
38%
36% 35% n Corporate sector (including industry and commerce)
34% 34%
30%
30%
29%
23%
20% 21%
15%
14%
10% 12% 12%
8% 8%
7% 7%
2% 1% 1%
3%
0%
5 – Very high risk 4 – High risk 3 – Moderate risk 2 – Low risk 1 – Very low risk
FIGURE 2.3c: How significant a risk or not is cyber security to your organisation? Analysis by geography
[Bar chart, not reproduced. Series: Australia / NZ; UK; Singapore; China; SAR Hong Kong; Pakistan; Malaysia; Rep. Ireland. Categories: 5 – Very high risk; 4 – High risk; 3 – Moderate risk; 2 – Low risk; 1 – Very low risk.]
FIGURE 2.3d: How significant a risk or not is cyber security to your organisation? Analysis by organisation size
[Bar chart, not reproduced. Series: Small / medium; Large. Categories: 5 – Very high risk; 4 – High risk; 3 – Moderate risk; 2 – Low risk; 1 – Very low risk.]
10% of respondents did not know who had day-to-day responsibility for cyber security
2.3 RESPONSIBILITY AND ACCOUNTABILITY

The survey responses indicated that the strategic direction for cyber security is overwhelmingly set by the IT community (a combination of Chief Information Security Officer (CISO), Chief Information Officer (CIO), IT manager, Chief Data Officer (CDO)) or the CEO as an individual. In only 8% of respondent organisations (Figure 2.4a) did accountability rest with the CFO. In larger organisations it was much more likely to be a C-suite responsibility, and usually that of the CEO (28%), than in smaller organisations, where it tended to devolve to the CISO or CIO. Day-to-day accountability rested, as you might expect, with the IT manager, CISO or CIO.

This should not absolve the finance team from involvement. You cannot avoid responsibility for the risk by delegating, and it falls to the CFO to take the broader view of cyber security as a commercial and business-wide risk rather than as a technical issue. In many organisations IT reports into finance and fulfils a more supportive and operational role, so it is vital that CFOs set the strategy.

While over half of respondents said they were fully aware of who had day-to-day responsibility for cyber security, 30% said they only thought they knew and 10% said they did not know. What might this mean in the immediate aftermath of a breach? Often accountability spreads in organisations in such situations.

The responses, when analysed by organisational size, revealed that for a smaller organisation, somewhat unsurprisingly, there was a tendency for the CEO to have overall accountability (Figure 2.4b). Respondents were asked to consider who had day-to-day responsibility, and for smaller organisations this shifted to the IT manager. From both perspectives, ultimate accountability and day-to-day responsibility, the finance leadership did not consider it to be their issue.

In helping to manage the risk, finance leaders need to help ensure that the organisation has sufficient resources devoted to managing the risk. This is a question not only of the physical equipment and hardware but also of the technical skills of the individuals. In many economies there
FIGURE 2.4a: Who sets the strategic direction (i.e. has ultimate accountability) for cyber security issues in your organisation? Please select the option that most closely fits your organisation
[Bar chart, not reproduced. Categories: Chief Executive Officer (or equivalent); Chief Operating Officer (or equivalent); Chief Financial Officer (or equivalent); Chief Information Security Officer (or equivalent); Chief Information Officer (or equivalent); IT manager; Chief Data Officer (or equivalent); Accountability rests with external third party; Other; None; Don't know.]
FIGURE 2.4b: Who sets the strategic direction (i.e. has ultimate accountability) for cyber security issues in your organisation? Please select the option that most closely fits your organisation. Analysis by organisation size
[Bar chart, not reproduced. Series: Small / medium; Large. Categories: Chief Executive Officer (or equivalent); Chief Operating Officer (or equivalent); Chief Financial Officer (or equivalent); Chief Information Security Officer (or equivalent); Chief Information Officer (or equivalent); IT manager; Chief Data Officer (or equivalent); Accountability rests with external third party; Other; None; Don't know.]
FIGURE 2.4c: Who is accountable (i.e. at board or executive level) on a day-to-day basis for cyber security issues in your organisation? Analysis by organisation size
[Bar chart, not reproduced. Series: Small / medium; Large. Categories: Chief Executive Officer (or equivalent); Chief Operating Officer (or equivalent); Chief Financial Officer (or equivalent); Chief Information Security Officer (or equivalent); Chief Information Officer (or equivalent); IT manager; Chief Data Officer (or equivalent); Accountability rests with external third party; Other; None; Don't know.]
FIGURE 2.5: And are you aware of who has day-to-day responsibility at an operational level for cyber security in your organisation?
[Bar chart, not reproduced. Categories: I fulfil that role; Yes, I am fully aware; Yes, I think I know who has responsibility; Nobody has responsibility; I don’t know who has responsibility.]
41% of respondents said that they had governance policies but that they could be improved
are shortages of appropriately skilled cyber security professionals, but this cannot be an excuse for not investing in and deploying the necessary resources, either in-house or hired in. Section 2.4 below outlines the potential responses to this.

Given the level of risk to the organisation and the part of the organisation in which the accountability lies, do our survey respondents believe that there is enough governance in the organisation over the risk? What is the role that finance needs to play in this?

2.4 CYBER RISK AND GOVERNANCE

Finance has a key role to play in the assessment and governance of risks across the organisation. Cyber is one of these risks, but it should be one of those upon which finance has a strong input, given the potential for monetary loss.

Although 35% of respondents (Figure 2.6a) said that they had adequate governance policies, 41% said that they had governance policies but that they could be improved. Larger companies (Figure 2.6b) were far more likely to have policies and consider they were sufficient – as we shall see this may reflect a false sense of security. As a matter of fact 14% said governance policies were only informal, while 10% said either that they were not aware of any or did not have any, which must surely amount to the same thing.

Chapter 4 considers the implications of cyber risks on the governance and risk management of the organisation.

FIGURE 2.6a: In your opinion, does your organisation have sufficient governance processes over cyber security in place, such as information and guidance, staff training and hiring policies?
[Bar chart, not reproduced. Categories: Yes, I consider that we do have sufficient governance processes; Yes, I consider that we do have governance processes, however these could be improved; We have informal governance processes; We do not have any governance processes; I am not aware of our governance processes.]

FIGURE 2.6b: In your opinion, does your organisation have sufficient governance processes over cyber security in place, such as information and guidance, staff training and hiring policies? Analysis by organisation size
[Bar chart, not reproduced. Series: Small / medium; Large. Categories as in Figure 2.6a.]
51% of respondents assessed that their personal knowledge of cyber risks was for the most part average
2.5 DATA MANAGEMENT

Fraudulent data access is a significant risk for many organisations. In the survey, the respondents were asked how they protected the privacy of those whose data they held. Their responses indicated that sensitive data is generally protected by access controls (such as user IDs) rather than systematic encryption (where data is encoded using a program to encode and decode the data), with small companies more likely to use encryption (Figure 2.7).

Having established the extent of the risk, had organisations been attacked and were our survey respondents aware of this?

FIGURE 2.7: What controls are in place to protect the privacy of the data that you hold in your organisation? Please answer to the best of your knowledge.
[Bar chart, not reproduced. Series: Small / medium; Large. Categories: Sensitive data is systematically encrypted; Access to sensitive data is restricted but the data is not encrypted; Sensitive data is held and managed by third parties; I am unsure about the controls used; There are no such controls.]

2.6 CYBER-ATTACKS

Our survey respondents assessed that their personal knowledge of cyber risks was for the most part average (51%, Figure 2.8a) with 35% saying ‘high’ or ‘very high’. This implies a strong awareness of the risk among the finance community; in fact, this may not be matched by a detailed understanding of the types of threat as discussed in Chapter 3.

FIGURE 2.8a: How would you describe your personal level of knowledge of the cyber risks faced by your organisation?
[Bar chart, not reproduced. Categories: 5 – Very high; 4 – High; 3 – Average; 2 – Low; 1 – Very low.]
54% of respondents believe that they have either never been the victim of a detected cyber-attack or that they did not know whether they had
FIGURE 2.8b: How would you describe your personal level of knowledge of the cyber risks faced by your organisation? Analysis by geography.
[Bar chart, not reproduced. Series: Australia / NZ; UK; Singapore; China; SAR Hong Kong; Pakistan; Malaysia; Rep. Ireland. Categories: 5 – Very high; 4 – High; 3 – Average; 2 – Low; 1 – Very low.]
FIGURE 2.9: To the best of your knowledge, when was your organisation last the subject of a detected cyber-attack?
[Bar chart, not reproduced. Categories: In the last month; In the last three months; In the last six months; In the last year; In the last two years; In the last five years; Other; Never; Don’t know.]
CFOs need to understand that their organisations are under attack all the time.
This seems like an overstatement when you consider that most respondents (54%, Figure 2.9) believe that they have either never been the victim of a detected cyber-attack or that they did not know whether they had. CFOs need to understand that their organisations are under attack all the time, and that it is vital that they are kept informed about this.

For those whose organisations had been attacked, the overwhelming impact was greater awareness of the implications and increased investment on prevention (Figure 2.10). CFOs reported suffering harm from lost revenue, fines and reputational loss, although a significant number said they had achieved reputational improvement through managing the attack effectively. Clearly, if you accept that a cyber-attack is inevitable and are prepared to respond appropriately, the consequences need not be devastating. Nonetheless, most organisations end up suffering avoidable losses and then putting in place measures that should have been implemented beforehand. As we shall see (Chapter 5, section 5.5) many organisations take out cyber insurance only after an attack, and the premiums reflect this.

Having suffered an attack, were organisations prepared for the aftermath?
FIGURE 2.10: What implications or impacts did the detected cyber-attack have on your organisation?
[Bar chart, not reproduced. Categories: Financial impact from lost revenue; Financial impact from fines from regulators; Reputational loss; Reputational improvement from managing effectively; Greater awareness of the implications; Increased investment in and / or expenditure on prevention; Recruitment of additional talent; Revision to HR policies; We do not have a plan to manage risk; Other; Don't know.]
68% of respondents don't have an absolute up-to-date remediation plan
2.7 RESPONSE AND REMEDIATION

Given the inevitability of a cyber-attack, how you respond is just as important as how well you protect yourself, if not more so. Taking the wrong action after an attack can increase the damage or even be more damaging than the attack itself, whether through inflicting further damage on systems or increasing the reputational damage by poor communication.

Despite this, only 32% (Figure 2.11) of respondents said they have a remediation plan that they update and test frequently: 47% were either unsure, do not have such a plan, do not test or simply do not know whether one exists.

FIGURE 2.11: Does your organisation have a remediation plan in place (one enacted to enable an organisation to recover after an event), to manage the impact of a successful cyber-attack?
[Bar chart, not reproduced. Categories: Yes and we update and test it regularly; Yes and we update and test it, but infrequently; Yes, but we do not update it or test it; I am unsure as to whether we have a plan; We do not have a plan; Other; Don’t know.]
FIGURE 2.12: Does your organisation’s remediation plan include some or all of the following elements?
[Bar chart, not reproduced. Categories: Software and hardware recovery; Escrow agreements related to software; Manual recovery procedures; Communication, including social media strategy for customers and suppliers; Communication, including social media strategy for staff; Communication with regulators; Infrastructure and system changes; Other elements; Don’t know.]
83% of respondents have no cyber insurance in place
Again, large companies are leading good practice that should be commonplace across all organisations. Even so, the remediation measures focused very much on recovery procedures, with communication being a much lower priority, especially for smaller companies.

These results suggest that, for many of our respondents, remediation after an attack is probably analogous to the disaster recovery plan of the late 1990s rather than a plan that encompasses the far broader range of threats that the connected world brings with it.

One form of protection is cyber insurance, but only a small minority (17%, Figure 2.13) had (or knew they had) cyber insurance.

Chapter 5 reviews recovery and restoration activities after a successful cyber-attack. Before this, Chapter 3 considers the nature of the cyber threat and Chapter 4 looks at the governance of this threat.

FIGURE 2.13: Does your organisation have cyber insurance?
[Bar chart, not reproduced. Categories: Yes; It is in consideration or discussion; No; Don’t know.]

FIGURE 2.13a: Does your organisation have cyber insurance? Analysis by business size
[Bar chart, not reproduced. Series: Small / medium; Large. Categories: Yes; It is in consideration or discussion; No; Don’t know.]
3. What is the cyber threat?
How much do we understand about the cyber threat? It is talked about a lot, but it seems from the survey results that the overall level of awareness among finance professionals is relatively low.
This chapter reviews the level of threat and how it continues to evolve. Perhaps, for finance professionals, this is one of the most significant challenges. Its changing nature means that it cannot be contained once and for all. Therefore, it requires effort and investment to remain up to date and focused.

Chapter 6 considers some of the individual threats in detail to provide a context.

3.1 LEAVING IT TO IT IS NOT ENOUGH

The impacts of a cyber-breach will be experienced across the organisation. It is not just a technology issue. While IT teams may be part of the solution, they are not the owners of it. It needs to be a cross-organisational activity, not just a technical remedy.

Cyber-attacks can disrupt operations such as train and flight operations, shut down manufacturing, reveal intellectual property and strategies to rivals, and leak market-sensitive or personally damaging information.

While one might expect IT to be reasonably abreast of the current threat landscape, it is unreasonable to expect them to show an equal understanding of the risk landscape as it pertains to each business and each part of the business. Unless the business engages with IT and articulates the true nature of the risk – and the organisation’s risk appetite – there is a danger that IT will protect the wrong assets or waste resources protecting assets exposed to little or no threat.

Cyber security is a commercial risk and responsibility for managing it cannot be outsourced or delegated. Managing cyber risk means that CFOs will need to engage closely with IT professionals and develop a common language, rather than seeing them as ‘the techies around the corner’. As we shall see (in Chapter 6), while the language of cyber threats can seem arcane, the threats are very real, as are the consequences. Even if they do not become cyber security experts, CFOs need to ensure they are not managing only the risks they understand.
22 Cyber and the CFO | 3. What is the cyber threat?
CASE STUDY: Manage the risk, not just the data: do not assume that IT has it in hand
Despite considering herself well versed in the risks, and having undergone all the mandatory training, this director of finance downloaded malware – ransomware – that locked her PC and denied access to a range of key financial data.

On contacting IT to help her recover from the situation, she was surprised to find that her hard drive was not, as she had assumed, automatically and fully backed up by the IT department. IT had provided shared folders for data backup, but – ironically – she had not considered these a secure place to store sensitive data such as payroll.

Fortunately, much of her data had been emailed to colleagues and could be reconstructed from email folders that had been backed up. But considerable amounts of data were lost.

The director of finance does not entirely blame IT for this: while they were managing data, she should have been managing risk, as only she understood the relative importance of the financial data she handled. But she also argued that IT saw cyber security as a mundane task compared with exploring new technology. IT now reports to the CFO: while this may not be appropriate for all organisations, she maintains that this is right for hers.
Key lessons:

Cyber criminals can catch even the most well-prepared and aware individuals, and successful attacks occur even in well-resourced organisations. You have to assume an attack will occur and be prepared for the consequences.

Your understanding of what is critical data may differ from the IT department’s – discuss what needs to be backed up and why: changes in the IT environment may change how your data is handled and backed up.

Finance and IT need to work together and not assume that the other ‘has it in hand’.
The need to constantly reappraise the threat level is paramount.
3.2 NATURE OF THE THREAT

The survey respondents were aware of the major threats (Figure 3.1): data theft, malware and web application attacks, but less aware of the emerging threats of Denial of Service (DoS), Internet of Things and Cloud attacks (Figure 3.2). (These threats are discussed in Chapter 6).

Each of these further threats has a commercial impact on an organisation and it is important that the leaders of the finance community are sufficiently educated to appreciate how cyber threats are evolving. The need to reappraise the threat level constantly to ensure that the organisation is addressing the current suite of risks is paramount.

In addition, continuing professional development (CPD) programmes offer updates to finance professionals on the types of risk, and form an important source of information.

The systematic differences between big and small companies suggest that cyber security is as much a matter of resources as perception. Smaller companies either think they are not on criminals’ radar or have not thought hard enough about the risk cyber threats pose to their business.
FIGURE 3.1: Which of these issues in relation to cyber security attacks do you recognise as applicable to your organisation? Select all that apply
[Bar chart, not reproduced. Categories: Unmanaged use of external technology, such as cloud services; Internet of Things and smart appliances; Distributed denial of service; Data theft; Exploitation of existing vulnerabilities; Digital transformation; Malware; Web application attacks; Phishing or smart / spear phishing; Stringent global data regulations; None of these are applicable; Don't know.]
Resilience planning is so important because you do not know when and how an attack will occur.
FIGURE 3.2: Which of these emerging forms of cyber security attack do you consider your organisation to be vulnerable to? Select all that apply
[Bar chart, not reproduced. Categories: Dark web sale of data; Embedded code; Distributed denial of service; Man-in-the-middle attack; Drive-by malware; SQL injection; Eavesdropping; Ransomware; Cryptojacking; Other; None of these are applicable; Don't know.]
3.3 THE UNKNOWN THREAT

The cyber risk is constantly changing and in unpredictable ways that are not always well publicised: it differs from other risks that the board has to deal with and can never be completely mitigated. And it is just as hard for regulators to cope with this, so compliance can never offer more than a bare minimum of protection. Organisations need to ensure that they reappraise the nature and the extent of the threat on a regular basis. The frequency will be determined by the nature of the organisation and the industry in which it operates. Nonetheless, to conclude that these plans do not need updating is not effectively managing the risk.

While CFOs show a reasonable awareness of the threats that have surfaced they are not necessarily aware of the evolving risk landscape (see Chapter 6) and the damage that new threats can cause before the cyber security profession is aware of them: so-called ‘zero-day exploits’ (see Chapter 6, section 6.2) wreak havoc before the professionals have even worked out how the attack has taken place. This is why resilience planning (see Chapter 4, section 4.4) is so important – you do not know when and how an attack will occur.

Guarding against ‘unknown unknowns’ is never easy, but knowing that there is much you do not know cautions against making assumptions that leave you vulnerable: that cyber security is primarily a privacy issue, that attackers are motivated by financial gain, that the mode of attack is purely technological. As we shall see, new attackers are emerging all the time with a variety of motives, the human element can be as much a weakness as poor technology, and the damage wrought by cyber-attacks goes far beyond the compromise of personal details.
Organisations should not assume that their cloud provider will necessarily provide an effective level of security.
3.4 THIRD-PARTY RISKS

Cloud computing

Business processes are also now highly integrated between organisations through managed services such as Software as a Service (commonly known as SaaS) and cloud systems. Research conducted by McAfee shows that one in four respondents to a 2018 survey reported a data theft from the public cloud and one in five had experienced an advanced attack on their public cloud infrastructure (McAfee 2018).

Cloud is a double-edged sword: you lose the possibility of control and assurance over ‘on-premises’ data centres and procedures, and instead enter into a contractual relationship. The risk is not outsourced and neither is the reputational impact. Despite this, for many smaller businesses data in the cloud may be safer and better managed than if stored locally.

But these benefits depend on integration of systems and sharing data with suppliers, and attackers may compromise weak security at a supplier or service provider, who may lack the in-house resources of their clients. From late 2016, Operation Cloud Hopper attacked IT managed-service providers to gain access to data and networks of customers in a variety of sectors in 15 countries (PwC 2017).

When assessing the move to the cloud, organisations should not assume that their cloud provider will necessarily provide an effective level of security. Organisations need to understand where their data is stored, how it is protected and how this is assured.

Standards such as the Systems and Organization Controls Guides, SOC 2 and SOC 3, published by the American Institute of Certified Public Accountants (AICPA), can provide a level of assurance over the cloud environment. These reports can also be used to provide assurance to third parties with whom you interact.

In 2019, the UK’s National Cyber Security Centre (NCSC) highlighted that a large number of organisations leave data unprotected in cloud storage locations such as Amazon S3 (NCSC 2019). Information needs to be protected even if it is stored for short periods of time.

The Australian Cyber Security Centre updated its guidance in January 2019 – Cloud Computing Security Considerations (Australian Cyber Security Centre 2019a) – to take account of this evolving threat.

Supply chains

Integrated supply chains improve speed and efficiency and enable companies to ensure more easily that their suppliers comply with quality and regulatory requirements.

The weakest link for an organisation may be outside its direct control or even in a different country: organisations that still think in terms of ‘perimeter security’ need to think more deeply about where that perimeter is and who is guarding it.

Organisations need to be more proactive in assessing their supply chain: placing reliance on certifications may not be the whole or even the right answer. Auditing and advising – just as you audit and advise yourself – are key. Just as we live in a more connected world so we need to be more collaborative with other stakeholders: organisations that help others will also help themselves.

Our survey respondents were asked if they undertook assessments or audits of the cyber security vulnerabilities in their supply chain. Only 19% of the respondents (Figure 3.3a) said that they undertook these activities, which reduced to 11% for smaller organisations (Figure 3.3b).

Standards such as ISO/IEC 27001 can be used as frameworks of leading practice when conducting audits and reviews of the supply chain. This standard is based on a set of common principles that were first developed as a British Standard in 1995. The standard provides examples of 114 controls that can be implemented across 35 control categories.

Organisations can also be certified to be in compliance with one of three levels of the standard. While this can provide evidence of policy and intention, it may not indicate that a given practice is being followed.

NIST (the US National Institute of Standards and Technology, a department of the US Department of Commerce) produces a Cyber Security framework that can be used for similar purposes.