Deloitte: Five Essentials in Winning War Against Cyber Crime

The increasing frequency and cost of cyber crime is “enough to rattle even the most steadfast” chief financial officers (CFOs), says Deloitte, which adds that “five realities” must be accepted if the war against cyber criminals is to be won.

“According to the Ponemon Institute’s 2014 Cost of Breach: Global Analysis study, the average total cost for a data breach is now US$3.5m globally; up 15% from last year. In addition, the survey found a company’s probability of a material breach involving 10,000 records or more stands at 22% over the next 24 months,” the group reports.

According to Deloitte, the five realities for CFOs are:

  1. Your information network will be compromised: Inevitably, you will be attacked. If you operate an information network, you will not get to a point of zero risk. You need to accept it.
  2. Physical security and cyber security are increasingly linked: Traditionally, the physical security domain and the cyber security domain have been viewed separately. That is no longer the case. While threats such as espionage, intellectual property theft, fraud, counterfeiting and terrorism may involve cyber breaches, they can begin with physical access. In a common example, certain administrators have full control over a system such as payroll, customer data or billing. Armed with that access, those employees or contractors might pay themselves through false invoices, approve loans at special rates, or copy customer credit-card data and employee files containing sensitive information such as social security numbers, in order to sell the data or commit identity theft, embezzlement or other fraud.
  3. Cyber damages go beyond the monetary: While the average cost of a data breach is well documented, the long-term effects on corporate reputation and brand add significantly to the toll. Breaches of customer data can lead to a breakdown in trust that ultimately hurts the top line; that is one reason several payment networks have demanded that retailers move to new payment cards that store information on a computer chip rather than on the traditional magnetic stripe. Many companies are now considering cyber insurance to limit excessive damages.
  4. Not everything can be protected equally: Ask yourself: “What and where are the crown jewels in my organisation?” In other words, what data is crucial to running the organisation, and which databases, if compromised, could put it out of business? Not every piece of information is equally important. To a retailer, for example, customer credit-card data and employee ID numbers are crucial, as is logistics information related to supply chains. By building a hierarchy of data customised to their company and industry, CFOs can make better decisions on how to prioritise protective controls and other aspects of cyber spend.
  5. Your walls are probably high enough: Companies continue to invest heavily in the protection side of cyber security, with more firewalls and more intrusion-detection systems. Yet most walls are probably about as high as they need to be. Given that attackers have likely already infiltrated, companies should focus more on the detection side, to increase their vigilance against attacks, and on recovery after the fact. While the formula is different for every company, of the typical IT cyber-risk spend, 30% might be allocated to wall-building, 50% to detection, and the remaining 20% to resilience preparation.
