In the first of a new series, Deloitte & Touche (Bahamas)' Shavonne Smith urges companies to take prevention measures to the next level . . .
Given the constant cyberattacks on financial institutions and other high-profile businesses, many company Boards are likely to be asking their executive teams: “Could it happen to us?” Unfortunately, at many companies, the short answer may well be that it is happening now or, worse still, has already happened.
Although not all cyberattacks make headline news, they can hurt businesses in any number of ways. This is because hackers’ assaults range from ‘merely’ vandalising websites all the way to shutting down networks, stealing intellectual property and perpetrating fraud.
Statistics from Symantec placed the cost of global cybercrime at $114 billion annually, rising to $388 billion once ‘down time’ is factored in. And McAfee estimates that $1 trillion is spent globally on remediation.
Cyberattacks can deal a serious blow to a company’s brand and reputation, with potentially far-reaching consequences. For example, concerns over data security may prompt current and prospective customers to take their business elsewhere, while negative reactions among investors may even drive losses in market value.
As cyberthreats are both a relatively new - and constantly evolving - source of risk, many organisations may not be as effective at managing them as they are at managing risk in other areas. Statistics from previous years show that a significant percentage of data breaches are discovered not by the victimised company, but by external parties, such as third-party fraud detection programs.
With likelihood, impact, and vulnerability from cyberattacks all on the rise, company directors have good reason to take their questions beyond “Could it happen to us?” to “How likely is it to happen to us, and what are we doing about it?” More formally, the central issues for Boards to consider are exposure and effectiveness: “What is our company’s level of exposure to cyberthreats? How effective is it at keeping that exposure to within acceptable limits?”
The challenge, though, is that putting questions in these high-level terms may not always elicit useful answers. Unless a company is already quite sophisticated in its cyberthreat risk management practices, it may not yet have the infrastructure and/or governance elements in place to support a meaningful dialogue between decision makers and those tasked with implementation/operation/protection of IT systems. For instance, leaders may not have agreed on risk definitions, risk tolerance or metrics specific to cyberthreat risks, or the company might lack the technological tools to effectively collect and report cyberthreat-related information.
• NB: The information in this series is based on the Deloitte white paper, ‘Risk intelligent governance in the age of cyberthreats’. For more information on Deloitte Bahamas Risk Advisory Services’ Cybersecurity offering, contact Lawrence Lewis, risk advisory services partner, at 1(242)302-4898 or firstname.lastname@example.org, or Shavonne Smith, senior risk advisory services consultant, at 1(242)302-4880 or email@example.com.
Ms Smith holds a Master of Science (MSc) degree from Capitol College in Baltimore, Maryland, and specialises in information assurance and network security. She also holds the CISA designation (Certified Information Systems Auditor), and several Microsoft certifications.