Navigating the FY24 Cybercrime Landscape

As the frequency and sophistication of cyberattacks continues to grow in Australia, CFOs need to collaborate with the right partners in threat intelligence. Palo Alto Networks’ Vice President and Regional Chief Security Officer for Asia Pacific & Japan, Sean Duca, and CTO Riccardo Galbiati share strategies to identify and mitigate emerging cyber threats.

Cyberattacks can inflict a variety of damage on an unsuspecting organisation, with data breaches causing everything from financial loss to staff stress and long-term reputational damage. For a CFO, the risks are immense.

“Until recently, there was a perception that Australian businesses were not targeted to the extent that our US counterparts were,” says Galbiati.

“But the last six months have demonstrated that some of the biggest data breaches in history are occurring in Australia, with millions of customers’ details stolen. We are now seeing a huge effort to catch up.”

The Australian Cyber Security Centre (ACSC) received over 76,000 cybercrime reports in 2021-22, representing an increase of nearly 13% from the previous financial year, according to the Annual Cyber Threat Report 2022. This is the equivalent of one attack every seven minutes.

“There is a rise in the average cost per cybercrime report to over $39,000 for small businesses, $88,000 for medium businesses, and over $62,000 for large businesses. An average increase of 14%,” states ACSC’s report.

While the government is developing new legislative frameworks to protect privacy and impose significant penalties, businesses are focused on creating robust defences that will meet their obligations in terms of regulatory compliance.

“Companies are now at material risk of flow-on class claims arising from a cyber incident as plaintiff law firms and litigation funders have turned their attention to cyber incidents,” states a July 2023 update by legal firm Herbert Smith Freehills.

“Shareholder class actions are now another area of exposure for companies. The recent one brought against a major Australian health insurance provider shows this risk is no longer theoretical.”

Growing risks

According to Galbiati, financial and institutional services have the highest degrees of cybersecurity maturity because they have been aware of the risks for many years, while healthcare and telcos are rapidly closing the gap.

“There is quite a divide among different industries in implementing best practices around cybersecurity controls,” says Galbiati. “It is only now that small and medium businesses and the everyday citizen are realising the full impacts of a cybersecurity event on themselves personally.”

The CFO has a crucial role in protecting their organisation from the potentially catastrophic impact of a cyberattack.

Protect the crown jewels

“The CFO needs to be in lockstep with the CIO or CSO. They need to take a strategic approach to risk management that recognises that cybercrime is a business risk just like financial risk,” says Duca.

A balance must be struck between the investment made to protect against a specific risk, and the potential fallout that would occur if it were to eventuate. Spending too big a sum on a negligible risk needs to make better business sense, and vice versa. It is important to recognize that a blanket approach to guarding against every risk is impractical. Priorities must be clear.

“The last six months have demonstrated that some of the biggest data breaches in history are occurring in Australia, with millions of customers’ details stolen.”

Palo Alto Networks APAC CTO, Riccardo Galbiati

It’s about understanding your organisation’s ‘crown jewels’. What are the things that propel the business forward? If we look at a high-tech company like Palo Alto Networks, an example of its crown jewels is its source code repository. A CFO should be asking questions like: Who’s got access to it? Where is it located? How is it protected?

“Our CFO would likely say that our ERP system is also a crown jewel because it is core to our business operations’,” says Duca. “If the business goes down following a cyberattack, there’s an actual consequential dollar amount it will lose every hour.”

Technology can help to mitigate the risk, as can providing extra training to staff on topics such as phishing scams.

“A CFO is well placed to think about whether the right technology investment has been factored into the budget because they have a functional lens on the business,” says Galbiati.

CFOs can ensure a successful collaboration between finance, IT and other departments by taking a cross functional approach to create a culture of cybersecurity.

A new era of risk for data

When physical records of customer data were held in the past, data per se was not a liability. In fact, most businesses were of the view that the more data they collected, the better. The digitization of businesses has led to greater efficiencies while simultaneously creating unprecedented levels of risk.

“Some businesses haven’t updated their views on the risks and rewards of collecting data,” says Duca. “For instance, some coffee shops collect customers’ birth dates just to offer a free coffee on their birthdays. This approach may not be appropriate given the risks involved.”

In 2023, superfluous data is more of a liability than an asset. If it doesn’t add value, it should not be retained.

“In Australia, we’re prone to bushfires. We do backburning to mitigate      that risk before the bushfire season begins. Apply the concept of backburning to your organisation’s data. If the data is no longer providing any intrinsic value to moving the business forward, then you should be getting rid of it.”

Top 4 Cybersecurity questions every CFO must be asking:

●        Ensure you understand the organisation’s threats and align your strategy with the CISO. Be prepared for questions from the CEO and board about security; How secure are we? there’s no simple ‘yes’ or ‘no’, but rather varying degrees of risk and cybersecurity maturity.              

●        Prompt everyone in the organisation to consider key questions: Are we prepared for a cybersecurity attack? Do we have the appropriate people, processes, and technology to handle specific types of attacks? And do we review our incident response plan and run simulated attacks every three to six months?

●        Are there adequate protections in place around the confidentiality of data? Are third parties protecting the integrity of it as well? The reputational fallout from customers in the event of a breach will be no less damaging.

●        When investing in cybersecurity, assess it from a business value perspective. If you’re using 100 different tools requiring 200 people to be trained, consider the additional costs. Are they justifiable given the potential risks? A more effective strategy could be consolidating tools to simplify your security measure.