How management accountants
can lead the way
Learn the scale
Why all management accountants
must read this
There is a serious danger that management accountants might see cybersecurity as a technical matter best left to IT professionals.
However, the scale of the risk involved — and their suitability for the role — makes it imperative that management accountants play an active role.
With the scale of big data growing exponentially, computer crime such as hacking, malicious code, viruses, data theft and fraud will grow rapidly too.
“Cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind.”
- Steve Morgan, Cybersecurity Ventures,
7 December 2018
The potential to derail, disrupt, devastate
The World Economic Forum (WEF) publishes a global risk report in January each year. In 2019, cybercrime featured under three headings: technical, economic and geopolitical.
Cyber risks are technical in that they relate to the use of information technology and digital data.
A large-scale cyberattack can cause massive economic damage, geopolitical tensions and
widespread loss of trust in the internet.
Are you confident that you and your organisation are well-protected against cybercrime?
- Very confident
- Fairly confident
- Not confident at all
- Don’t know
The weakest link
Blurred boundaries and data security:
the threats and opportunities
The boundaries of a business are becoming blurred as it interacts with customers and suppliers across the digital ecosystem.
Many unseen symbiotic relationships between separate businesses are involved in delivering a product
Go with the flow
For example, when a customer orders a branded product from a retailer’s website, it might be:
- Shipped directly from the retailer’s warehouse and delivered in its van
- Shipped directly from a distant manufacturer under contract to the brand owner
- Shipped from the retailer’s supplier or warehouse operator
- Delivered to the customer’s door by a logistics company or the postal service.
Much of this is invisible to the customer — their relationship is with brands they trust: the retailer and the product. But, to allow delivery by enabling businesses to co-operate, customer data must flow beyond the retailer’s boundary and across its digital ecosystem. This blurring of boundaries also makes them porous.
So, cybercriminals do not only attack a business itself. They can reach their target by working their way through third parties’ systems in the extended supply chain. This means any weak link is an important concern, making it vital for companies to evaluate the security of
“… customer data must flow beyond the retailer’s
boundary and across its
Trust and transparency
The European Union's General Data Protection Regulation (GDPR) was introduced in May 2018. Constant requests to give consent to cookies are alerting consumers to the fact that personal data is being collected.
Press coverage around scandals like the Facebook/Cambridge Analytica affair has made users more alert to data security issues. But, this doesn’t stop most people from clicking on consent buttons without reading the small print.
Customers are less comfortable when they have to key in personal data about themselves. And when the result of doing so is pop-up ads and unsolicited emails, their trust is diminished. This gives customer-facing businesses an opportunity to position themselves as being more trustworthy through:
- Having strong cybersecurity
- Being transparent about how they use data
- Taking care to handle customer data responsibly i
“… this doesn’t stop most people from clicking on consent buttons without reading the small print.”
Do you have the skills and training necessary to help protect your organisation against cybercrime?
- Yes, definitely
- Not really
- Don’t know
Prime threats are malicious worms,
viruses and ransomware
Opportunities for criminals are growing, thanks to the open nature of the internet and the increasing volumes of e-commerce. The main tools and techniques used by criminals are:
Malware (malicious software) that threatens a business’ ability to operate, including:
Standalone software that can take over control of business systems and equipment without the operators’ knowledge (Stuxnet, discovered in 2010, targets industrial control systems to alter PLC automated type tasks.)ii
A piece of code spread by an infected host file that can replicate itself and corrupt a computer’s system or delete data (In 2000, an email called ILOVEYOU, which distributed a virus, overwrote system files and personal files.)iii
Blocks users’ access to their files and demands that a ransom is paid to regain access to the files (In 2013, CryptoLocker encrypted users’ files and demanded a ransom before issuing a decryption key.)
Data theft and fraud
Cyberattacks are most often about infiltrating a business’s systems and gaining access to customer data to steal their bank details (or even their identity) and commit fraud. ‘Bad actors’ may use sophisticated hacking techniques. They can also just send scam emails, knowing people will be careless.
Dealing with ransomware
These tips for dealing with ransomware are primarily aimed at organisations and their employees, but some also apply to individual users:
- Make sure employees are aware of ransomware and of their critical roles in protecting the organisation’s data.
- Patch operating system, software, and firmware on digital devices (which may be made easier through a centralised patch-management system).
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts — no users should be assigned administrative access unless absolutely needed and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
- Disable macro scripts from office files transmitted over email.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular internet browsers, compression/decompression programs).
- Back up data regularly and verify the integrity of those backups regularly.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
Source: FBI (Federal Bureau of Investigation), what we investigate – cybercrime
Recognise the risks to build trust
The Open Web Application Security Project (OWASP) is a community enabling organizations’ to develop, purchase and maintain trustworthy applications and APIs (application protocol interfaces).
The 'OWASP Top 10' is a report outlining the 10 most critical web application security risks. A glance at the risks will confirm the need to work side by side with IT professionals to counter sophisticated forms of cyberattack.
The OWASP Top 10, 2017
- Injection flaws: An attacker inputs data tricking the application/system to execute unintended commands
- Broken authentication: Incorrectly implemented authentication or session management allows an attacker to assume a user’s identity
- Sensitive data exposure: Some web applications and APIs don’t protect sensitive data properly, for example allowing attackers to access a credit card to commit fraud
- XML external entities (XXE): Some older or poorly configured XML (external mark-up language) processors allow an attacker to access files
- Broken access control: Restrictions on authenticated users’ access are not controlled
- Security misconfiguration: Data is put at risk through not patching or upgrading systems frameworks, dependencies or components
- Cross-site scripting (XSS) (on a web page): An attacker is allowed to execute scripts in the user’s browser and hijack sessions
- Insecure deserialization: Permits remote code execution or sensitive object manipulation on affected platforms
- Using components with known vulnerabilities: This can lead to serious data loss or server takeover
- Insufficient logging and monitoring: While breaches of security should be identified by internal monitoring and logging of activities, data breaches are often not spotted 120 days after they occurred.
Source: OWASP Top 10
Dangling the bait
Although the majority of cybercrime is committed externally, it is often unwittingly enabled by employees.
For example, leaders might fully intend that their business should treat its customers’ data responsibly, ensuring data policies are in full accordance with GDPR. However, without monitoring and accountability, well-intentioned employees might use customers’ data to achieve business objectives without always checking that customers are happy with their data being used this way.
Another example is ‘phishing’. A scam which dupes employees into thinking an email is from a trusted source. So they click on an infected link that downloads malware. ‘Whaling’ is a variation on phishing, which targets one big fish — often the CFO. Critically, the email might appear to come from the CEO or a regulator, looking like an urgent demand to pay a supplier or settle a fine.
Compromised business email accounts are currently the main cause of cyber insurance claims.iv
Phishing is a numbers game. Criminals send many emails at negligible cost and wait. Every now and then someone will be careless and bite the bait. Prevention is better than the cure — and a lot cheaper. The priority must be to cultivate a risk-aware, security-first culture.
“Most people see the hacker as the bad guy in a thriller movie, breaking in and causing havoc, but by far the number one greatest risk for an organisation is the insider problem. Sometimes that’s a malicious insider and sometimes it’s a good person doing stupid things.”v
— Larry Ponemon, chairman and founder of
the Ponemon Institute data protection and
cybersecurity research centre
What’s at risk
The assets you cannot afford
On the right is a list of what cybersecurity insurance covers, providing a good sense of what is at risk from cybercrime. This was published in 2015 by Lloyd’s of London in partnership with the Association of British Insurers (ABI) as part of a quick guide to cyber risk:
First-party insurance covers your business’s own assets. This may include:
- Loss or damage to digital assets such as data or software programmes
- Business interruption from network downtime
- Cyber extortion, where third parties threaten to damage or release data if money is not paid to them
- Customer notification expenses when there is a legal or regulatory requirement to notify them of a security or privacy breach
- Reputational damage arising from a breach of data that results in loss of intellectual property or customers
- Theft of money or digital assets through theft of equipment or electronic theft
Third-party insurance covers the assets of others, typically your customers.
This may include:
- Security and privacy breaches, and the investigation, defence costs and civil damages associated with them
- Multi-media liability, to cover investigation, defence costs and civil damages arising from defamation, breach of privacy or negligence in publication, in electronic, or print media
- Loss of third-party data, including payment of compensation to customers for denial of access, and failure of software or systems
Source: A Quick Guide to Cyber Risk, Lloyd’s in partnership with the ABI, 2015
Cyber essentials for your organisation
In the UK, if a business wants to bid for any central government contract that involves handling sensitive and personal information or providing certain technical products and services, it must hold a Cyber Essentials Certification.
Cyber essentials are:
- Use a firewall to secure your internet connection
- Choose the most secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself against viruses and other malware
- Keep your devices and software up to date.
Source: National Cyber Security Centre, part of GCHQ
Here's how to manage your cyber risk
You must plan, prepare and respond.
As some cyberattacks will get through, cyber risk management must be as much about responding as about planning and preparing.
Good governance is essential. Executive buy-in, ideally an informed and involved CEO, is critical for a strong cyber security culture.
Compliance with external regulations and internal policies is important but requires monitoring and accountability.
Reconnaissance: Take a look at your business from the perspective of a potential attacker. Understand its weaknesses — including those in its supply chain and its digital ecosystem.
Invest in tools to increase visibility into all applications, data and devices and how they are connected.
Take out insurance.
Appoint a head of cyber and data security with sufficient resources and budget.
Give cyber-awareness training to everyone and carry out regular tests like phishing or fake invoices.
Test proactively, simulating attacks to ensure readiness.
Ensure antivirus software is up to date and that trusted software patches or updates are installed promptly.
Have pre-scripted responses ready, including for customers, staff, suppliers and the media.
Back up files securely and regularly.
Be prepared for the inevitable: from time to time, cyberattacks will get through.
Monitor activity to enable the prompt detection of risk events.
Refine the ability to track, document and measure impact.
Focus on rapid response to cybersecurity incidents — preventing all incidents is impossible.
Respond to any data breach in a timely,
cost-effective manner to restore and maintain customers’ trust.
Develop a corporate mindset that is open about mistakes, keen to learn and quick to make changes.
Here’s why you need to seize the opportunity now.
Many businesses are badly prepared for tackling cyber risks, and most executives are struggling to keep workforce skills up to date. vi
There is a close match between the core attributes and skills of management accountants and those of cybersecurity professionalsvii
(who are in short supply):
Management accountants aren’t expected to develop all the specialist expertise needed to become cybersecurity professionals. IT professionals have the skills to deliver IT solutions. But management accountants are better positioned to articulate the business’ needs and build the investment case. They also help to ensure that an implantation project is managed properly and the potential benefits
This close match between management accountants and IT professionals' skill sets enables them to play an important role in ensuring businesses address cyber risks. Through working closely with the AICPA, CIMA is well-positioned to help our members prepare for the digital age. That gives you the opportunity to learn more about digital technologies.
Do you feel enthusiastic about
the idea of working with IT
to tackle cybercrime?
- Very enthusiastic
- Quite enthusiastic
- Not enthusiastic at all
- Don’t know
Explore more cybersecurity resources
i The Deloitte Consumer Review, Consumer data under attack: The growing threat of cybercrime, Deloitte 2015
ii What is the Stuxnet Worm Computer Virus?, Lifewire, 2019
iii The 8 most famous computer viruses of all time, Norton UK Blog
iv Hiscox Cyber Readiness Report 2019, HISCOX 2019
v “Here’s how much cybercrime can cost your company”, Drew Adamek, FM Financial Management 3 May 2019
vi “Net Losses: estimating the global cost of cybercrime”, Centre for strategic and international studies and McAfee June 2014
vii “It’s not where you start–it’s how you finish, Addressing the cybersecurity skills gap with a new collar approach”, IBM Institute for Business Value 2017
Chartered Global Management
CGMA is the most widely held management accounting designation in the world. It distinguishes more than 150,000 accounting and finance professionals who have advanced proficiency in finance, operations, strategy and management. In the United States, the vast majority also are CPAs. The CGMA designation is underpinned by extensive global research to maintain the highest relevance with employers and develop competencies most in demand. CGMA designation holders qualify through rigorous education, exam and experience requirements. They must commit to lifelong education and adhere to a stringent code of ethical conduct. Businesses, governments and not-for-profits around the world trust CGMA designation holders to guide critical decisions that drive strong performance.
Association of International Certified
The Association of International Certified Professional Accountants (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA) to power opportunity, trust and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMA designation holders and accounting and finance professionals globally.
Peter Simons, BBS, MBA, FCMA, CGMA
Associate Technical Director of Research —
Head of Future of Finance Research
Association of International Certified
© 2019 Association of International Certified Professional Accountants.
All rights reserved. CGMA and Chartered Global Management Accountant are trademarks of the Association of International Certified Professional Accountants and are registered in the United States and other countries. The Globe Design is a trademark owned by the Association of International Certified Professional Accountants. 1905-30420
For information about obtaining permission to use this material other than for personal use, please email firstname.lastname@example.org. All other rights are hereby expressly reserved. The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. Although the information provided is believed to be correct as of the publication date, be advised that this is a developing area. The Association, AICPA, and CIMA cannot accept responsibility for the consequences of its use for other purposes or other contexts.
The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of the AICPA, CIMA, or the Association of International Certified Professional Accountants. This material is offered with the understanding that it does not constitute legal, accounting, or other professional services or advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought.
The information contained herein is provided to assist the reader in developing a general understanding of the topics discussed but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given regarding the applicability of the information found within to any given set of facts and circumstances.