Date posted: 8/02/2018 5 min read

Finance professionals step into leadership on cyber security

Deloitte Cyber Risk Advisor, Tommy Viljoen advises accountants to take control of cyber security to keep businesses safe.

In brief

  • Don’t leave cyber security to IT, accountants need to take responsibility too
  • Visibility over lack of cyber control will increase with mandatory breach notifications under the General Data Protection Regulation (GDPR) on 25 May 2018
  • Tommy Viljoen, Cyber Risk Advisor at Deloitte will speak at Accounting Conference Australia about cyber protection

Tommy Viljeon

Tommy Viljoen, Cyber Risk Advisor at Deloitte shares his expertise with Chartered Accountants ANZ about how he helps clients and government understand what they need from a cyber protection perspective.

It is clear that organisations and finance professionals need to take up the mantle on cyber security. Viljoen believes that “chartered accountants have lost their way” with regards to staying current on cyber security. So what can finance professionals do from a practical perspective to ensure they take on a leadership role on cyber controls? Awareness and education is a big factor.

While innovation in technology helps individuals and businesses to progress enormously, technology creates new avenues for risk. Cyber control needs to be introduced from the outset, alongside the introduction of new technology.

Viljoen compares the necessity of cyber control to the brakes and airbags in a car. You wouldn’t drive a car at speed if it doesn’t have brakes, so why would you drive your business forward without making provision for risks regarding cyber control?

How cyber threats affect finance professionals

Cyber threats are prevalent across all industries. They are increasingly having an effect on finance because these days a lot of financial crime is run online. “Criminal hackers find the ‘pot of gold’ by following the digital trail.”

The other problem, Viljoen explains, is that we are connecting everything, from financial systems to video conferencing systems and the Internet of Things. This leaves us more vulnerable, given hackers are always looking for clever ways to steal data. A case in point is an incident reported by the Economist in July 2017 where a North American casino (whose name wasn’t disclosed for security reasons) was hacked because their fish tank was connected to the Internet, allowing the tank to be remotely monitored and data to be stolen.

The traditional finance role is to ensure information is available to the right people and appropriately protected. Viljoen’s concern is that “the underlying obligation on protection has been passed by finance onto IT, to the detriment of what’s happening in organisations.” He’s critical of finance for not getting up to speed with the way business is done today and the kind of protection needed to ensure the business has appropriate security.

An important aspect of the role of a chartered accountant is to ensure a business is run in a controlled manner.  For example, a finance manager would know the impact on the business, the risk and what actions need to be taken if bank reconciliations hadn’t been performed. However, if the systems they’re relying on to do the bank reconciliations aren’t adequately controlled, from an access or patching point of view, the finance manager’s level of interest and knowledge drops significantly.

Viljoen comments that “IT don’t always have the context of what the systems do, and how important they are; business has that context”, so finance managers need to uphold those system controls to the same extent they uphold the bank reconciliation controls.

The high cost of hacking

CAs need to consider the knowledge and behaviour of staff from a cyber threat perspective, just as they would consider this from a finance perspective. They need to understand how to operate in today’s environment both at home and at work, because what you do at home can transfer to work.

“They need knowledge of what matters to them from an information asset perspective and how to control that from a higher level.” If all that fails they also need a crisis management plan that outlines how to react in a crisis situation, when the system’s been hacked, manipulated or destroyed.

Viljoen says this is really important, “in 2017 a number of organisations lost over hundreds of millions each when their financial systems were destroyed. The flow-on effect for them is astronomical.”

Impact of mandatory breach reporting and privacy regimes

As we move into the digital world greater demands are being made, particularly in Europe, by individuals and governments for rights regarding data. The General Data Protection Regulation (GDPR) to be implemented on 25 May 2018 means that Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.

Viljoen says this regulation is being introduced because, “the governance of private information has been really poor”, and this is exemplified by the millions of data breaches occurring around the globe.

He suggests that Australia has been somewhat shielded from the extent of cyber breaches happening in Europe and the U.S. He believes when mandatory reporting of breaches comes into effect in Australia that there’ll be more visibility around breaches, and where adequate controls haven’t been in place. While over-reporting can cause people to become blasé, he predicts attitudes will change regardless.

“Breaches can severely damage reputations so increased visibility over them will affect organisations that rely on trust with their customers.” Viljoen says it comes back to how much you care about the relationship with your customer.

He cites an example about a travel company in Sydney that had a significant breach of card information a few years ago. If a U.S. card was used to make a purchase online, the cardholder was alerted of the breach and told to ask for a replacement card. However, for Australian card purchases there was no notification, because there is currently no legislation making it mandatory to notify users of breaches in this country.

To evolve and stay current in an increasingly digitised profession, cyber security needs to be top of mind for chartered accountants.

 “Accountants are at the forefront of keeping businesses safe. Only those who take up the challenge and responsibility for cyber will be in a position to do that.”