By Camelia Radu, Associate Professor in Accounting, Université du Québec à Montréal (UQAM) and Nadia Smaili, Professor in Accounting (forensic accounting), Université du Québec à Montréal (UQAM) – THE CONVERSATION
This article was originally published on The Conversation, an independent and nonprofit source of news, analysis and commentary from academic experts. Disclosure information is available on the original site.
Following the changes the pandemic has brought about in the business world, organizations have significantly increased their use of data and the internet. This, in turn, has increased the prevalence of cyberattacks and cybersecurity risks.
Accounting firm PricewaterhouseCoopers recently released a report estimating that about 62 per cent of Canadian organizations were impacted by ransomware incidents and attacks in 2021.
Since these risks have crucial implications for companies and their investors and clients, cybersecurity spending saw a major increase. Global cybersecurity spending grew to more than $120 billion in 2017 from $3.5 billion in 2004.
The Center for Strategic and International Studies estimates that malicious cyber activity costs the world $945 billion annually, while Cybersecurity Ventures estimates that global cybercrime costs could increase to $10.5 trillion by 2025.
As a result, investors, clients, suppliers and employees are demanding better management and protection of corporate data, along with better cybersecurity accountability and transparency to mitigate increased cyber risks.
In an article soon to be published in the Journal of Management and Governance, we argue that better cybersecurity and data protection can be achieved through a formal program put together after a careful auditing process. We outline the objectives of such a program below.
A shared responsibility
The responsibility of cybersecurity management no longer falls just on the shoulders of IT departments, but is now the responsibility of the entire business. We argue that all firm departments should be involved in cybersecurity programming and planning.
Management and directors should be directly involved in carrying out best practices to mitigate cybersecurity risk. Firm managers should lead by example by embedding security throughout their company’s operations and responding rapidly to cyber threats as they arise.
Corporate board members should ensure the necessary cybersecurity protections are in place for their companies, and approve and review the cybersecurity governance and data protection program regularly.
At the very least, every board should have one cyber expert with proven, up-to-date credentials on its panel. This will lead to better protection for company investors, clients, suppliers and employees.
Auditing is the first step
The first step in creating such a program is to assess how effectively an organization currently manages its cybersecurity risks and its data, using a program like the Canadian government’s Cyber Security Audit Program or one of the U.S. government’s auditing resources. These publicly available tools help auditors assess the cybersecurity of their organizations.
As part of the audit, businesses should also hire third-party hackers to test the security of their systems through a penetration test. Hackers bring a unique insight to the audit process, and are capable of finding gaps that security professionals might overlook.
During a penetration test, hired white- or grey-hat hackers carry out an authorized cyberattack to try to find vulnerabilities in a business’s cybersecurity defences. Once these vulnerabilities are detected, businesses can tighten their security to prevent them from being exploited.
This assessment would provide businesses with a road map for creating a cybersecurity action plan to ensure the protection of sensitive information systems, and the data and privacy of a company’s employees, investors and clients.
Creating the program
A comprehensive cybersecurity and data protection plan should cover a wide variety of areas, including the creation and safeguarding of passwords, remote and restricted access, email encryption, social media, anti-virus measures, contingency plans, data breach responses and training programs.
Crucially, it would also involve the creation of an IT disaster recovery and emergency plan. Businesses must be prepared for any number of disasters, including power outages and cyberattacks, and be able to act accordingly to recover any lost data.
We also recommend that companies create a whistleblowing policy, since 42 per cent of occupational fraud is reported through tips and more than half of those tips come from employees. A good whistleblower policy will include a hotline for complaints and ensure confidentiality and protection for all whistleblowers.
Ultimately, a high-quality cybersecurity and data protection program will help firms adjust their management protocols and be better prepared for future cybersecurity risks. The internet is only becoming more and more integral to business operations as the years pass. If companies want to stay abreast of new technological developments, they will need to make cybersecurity central to their organizations.
Camelia Radu receives funding from CRSH and CPA Canada-CAAA.