Failure to plan effectively leads to a failure to respond effectively, says Peter Matthews
A hacker steals your customers’ data, sending your business into a tailspin. The phone rings off the hook, staff shoot questions and the media sniffs a scandal. What do you do?
It is natural for financial directors who are confronted with a tidal wave of panic and plummeting share value to offer reassurance to calm their board, appease the market, stem losses and restore a sense of control. However, if you miscalculate or understate the impacts, that reassurance may well come back to haunt you.
So, what’s the role of the FD in incident management and how can you avoid common mistakes?
Lead from the front
Historically, a common error was to treat cybersecurity as a tech issue. While technology provides the points of entry for a cyber incident, the costs and impacts fall on the business as a whole.
FDs, with their insight into financial mechanics and overall business objectives, are well placed to contribute to a cybersecurity strategy and incident management plan which is centred on minimising risk and ensuring business continuity.
Interestingly, a 2015 survey of financial executives by Grant Thornton found that just 4 per cent had an incident management plan in place. In the event of a hack, FDs should be prepared to take key decisions to manage risks as they emerge, protect data “crown jewels” and help to restore critical business functions.
Stress-test the plan
Regular drills will identify weaknesses in the incident management plan so that, cometh the hour, everyone knows their role, where they fit in and how to work together. Finance directors must be involved in these rehearsals. It would be a huge mistake to assemble a senior team who work together for the first time on the day of an attack. Robust testing will also ensure that the plan remains fit for purpose as the organisation changes.
Educate and raise awareness
A cybersecurity strategy should be embedded within the wider business strategy and supported by the whole organisation. The FD has an important part to play in getting the message across to staff and educating board members about data security from a financial risk perspective. The FD will also need to report to the board in the event of a serious incident.
Finance is a core target for phishing emails, including those with malicious fake invoices attached. A common mistake is to use the very system that has been compromised to forward such emails and report concerns. FDs, CEOs, CISOs and legal advisers should use secure methods of communication that are designed for business and conform to the highest standards, so that the incident response can be initiated without causing further damage.
Be clear and measured about the details of an attack. Don’t reveal every damaging element but ensure you are consistent and precise when speaking to staff and stakeholders. Remember that Yahoo! was fined £250,000 by UK regulators after failing to protect the data of UK account holders and for not discovering or disclosing the 2014 breach for more than two years. Under GDPR, the fine could well have been around £200 million.
A failure to plan effectively leads to a failure to respond effectively. The growing strategic role for FDs presents a huge opportunity to reframe cybersecurity in terms of wider business vulnerabilities, enabling directors of finance to devise a plan that helps protect the keys to their kingdom.
Peter Matthews is CEO of Metro Communications