Attitudes toward cyber security are maturing, but the risks are far from receding. In the ongoing push to digitize operations and exploit the latest technologies, organizations are increasingly exposed to the hazards of doing business in the Information Age.
It doesn't help that the scope of cyber threats are evolving. A scan of the headlines is all it takes to find news of high-profile data breaches, wire transfer frauds, ransomware attacks, insider hacks, and state-sponsored cyber attacks – all of which are growing bigger and bolder. And with financial systems becoming more sophisticated and connected, cyber security needs to be high on the agendas of Audit Committee.
The good news is that Audit Committees are not backing down. They are becoming more knowledgeable about the threats at their door and the risks they pose to organization's finances, reputation, and long-term health. More and more, they're challenging management to take stock of their "digital crown jewels" and take action to protect them – be it through internal measures like encrypted computers, stronger password protocols, or workforce training; or external measures like stronger controls and more holistic cyber risk management strategies.
It bears repeating that cyber security is far more than an information technology (IT) problem. Today's cyber threat actors have numerous motives, be it to sell stolen data, disrupt operations, topple their competition, or make a political message. At the same time, the risks of insider attacks and third-party vulnerabilities are not abating.
No entity is immune to the risks of cyber security. And indeed, virtual criminals and fraudsters are just as likely to target second and third-tier organizations as they do big brands, with the assumption that these smaller companies may not be as prepared to weather an attack or as quick to recover from one. Herein, the onus is on the Audit Committee to continue championing cyber security at the boardroom table – both to safeguard the financial function and stay out of the headlines.
Cyber security is as much a business issue as it is an IT problem. That means everyone in the boardroom, including the Audit Committee, has a part to play in identifying where the organization is most vulnerable and taking the necessary actions.
John Heaton, Partner, Cyber Security Advisory Services, KPMG in Canada
Looking for more insight? Read the next article in our Accelerate series: