By Camélia Radu and Nadia Smaili

Following the changes the pandemic has brought about in the business world, organizations have significantly increased their use of data and the internet. This, in turn, has increased the prevalence of cyberattacks and cybersecurity risks.

Accounting firm PricewaterhouseCoopers recently released a report estimating that about 62 per cent of Canadian organizations were impacted by ransomware incidents and attacks in 2021.

Since these risks have crucial implications for companies and their investors and clients, cybersecurity spending has increased sharply. Global cybersecurity spending grew to more than $120 billion in 2017 from $3.5 billion in 2004.

The Center for Strategic and International Studies estimates that malicious cyber activity costs the world $945 billion annually, while Cybersecurity Ventures estimates that global cybercrime costs could increase to $10.5 trillion by 2025.

As a result, investors, clients, suppliers and employees are demanding better management and protection of corporate data, along with better cybersecurity accountability and transparency to mitigate increased cyber risks.

In an article soon to be published in the Journal of Management and Governance, we argue that better cybersecurity and data protection can be achieved through a formal program put together after a careful auditing process. We outline the objectives of such a program below.

A shared responsibility

The responsibility for cybersecurity management no longer falls just on the shoulders of IT departments, but is now the responsibility of the entire business. We argue that all firm departments should be involved in cybersecurity programming and planning.

Management and directors should be directly involved in carrying out best practices to mitigate cybersecurity risk. Firm managers should lead by example by embedding security throughout their company’s operations and responding rapidly to cyber threats as they arise.

[Photo: Investors, clients, suppliers and employees are demanding better management and protection of corporate data, along with better cybersecurity accountability and transparency. THE CANADIAN PRESS/Nathan Denette]

Corporate board members should ensure the necessary cybersecurity protections are in place for their companies, and approve and review the cybersecurity governance and data protection program regularly.

At the very least, every board should have one cyber expert with proven, up-to-date credentials on its panel. This will lead to better protection for company investors, clients, suppliers and employees.

Auditing is the first step

The first step in creating such a program is to assess how effectively an organization currently manages its cybersecurity risks and its data, using a program like the Canadian government’s Cyber Security Audit Program or one of the U.S. government’s auditing resources. These publicly available tools help auditors assess the cybersecurity of their organizations.

As part of the audit, businesses should also hire third-party hackers to test the security of their systems through a penetration test. Hackers bring a unique insight to the audit process, and are capable of finding gaps that security professionals might overlook.

During a penetration test, hired white- or grey-hat hackers carry out an authorized cyberattack, under an agreed written scope, to try to find vulnerabilities in a business’s cybersecurity defences. Once detected, businesses can tighten their security to prevent these vulnerabilities from being exploited.

This assessment would provide businesses with a road map for creating a cybersecurity action plan to ensure the protection of sensitive information systems, and the data and privacy of a company’s employees, investors and clients.

Creating the program

A comprehensive cybersecurity and data protection plan should cover a wide variety of areas, including the creation and safeguarding of passwords, remote and restricted access, email encryption, social media, anti-virus measures, contingency plans, data breach responses and training programs.

[Photo: A cybersecurity program should provide a clear data use policy and the steps that are to be taken after theft, data loss or cyberattacks. (Shutterstock)]

Crucially, it would also involve the creation of an IT disaster recovery and emergency plan. Businesses must be prepared for any number of disasters, including power outages and cyberattacks, and be able to act accordingly to recover any lost data.

We also recommend that companies create a whistleblowing policy, since 42 per cent of occupational fraud is reported through tips and more than half of those tips come from employees. A good whistleblower policy will include a hotline for complaints and ensure confidentiality and protection for all whistleblowers.

Ultimately, a high-quality cybersecurity and data protection program will help firms adjust their management protocols and be better prepared for future cybersecurity risks. The internet is only becoming more integral to business operations as the years pass. If companies want to stay abreast of new technological developments, they will need to make cybersecurity central to their organizations.

This article was originally published in The Conversation on 23 November 2021. It can be accessed here: https://theconversation.com/a-unified-cybersecurity-strategy-is-the-key-to-protecting-businesses-182405

About the Authors

Camélia Radu is Associate Professor of Accounting at the École des sciences de gestion (ESG), University of Quebec at Montreal (UQAM). She holds a PhD in Business Administration (Accounting) from HEC in Montreal, Canada. She teaches undergraduate advanced financial accounting, graduate research methodology and corporate disclosure courses. Her research focuses on governance, cybersecurity and corporate disclosure. Her articles have been published in academic journals such as Journal of Business Ethics, Business Strategy and the Environment, Journal of Cleaner Production, and Journal of Management and Governance. She holds a director position on several boards, including NPOs and Caisse Desjardins de l’Administration et des Services publics.

Nadia Smaili has been a professor in UQAM’s Accounting department since 2007. Her research interests mainly revolve around governance, the fight against fraud, and objectionable and unethical acts. She has published on these themes and has created training programs that help promote ethical practices.
