This week’s BVI Finance Breakfast Forum brought cybersecurity and business resiliency to the fore, with discussions highlighting how awareness and technology can help firms not only identify but minimize risk.
Felice Swapp, Chief Operating Officer at Harneys, and Ryan Geluk, Managing Director of BDO British Virgin Islands, led Tuesday’s forum with their presentation titled ‘Cyber Security: Are you safe?’ Both are members of the Information Systems Security Association, or ISSA. ISSA’s core purpose is to “promote a secure digital world.”
The duo asserted that BVI businesses, like those across the globe, are not immune to cyber threats.
Ms. Swapp remarked, “We are all at risk. The question is - how much risk are we willing to tolerate? How much can we absorb? And how do we balance against that? There will always be a risk-balance, risk-cost-benefit trade-off, because we cannot fully eliminate all the risk.”
Mr. Geluk commented, “No organization is void from having a cyber-attack. We often hear within the cyber industry, it’s not a matter of if, but when an organization is victim to a cyber-attack...you’ll be exposed to an attack from time to time.”
Ms. Swapp supported her colleague, stating, “We see attacks happening in really large organizations all day, but [cyber attackers] are also going to go where they think people aren’t paying attention, and after those with high value assets. And that relates to many of us.”
This is especially the case for businesses that hold high-value assets such as data, Mr. Geluk said. He referenced the beneficial ownership information held by small and medium-sized firms, but added that other businesses, even ‘mom and pop’ stores, are at risk of cyber-attacks.
Mr. Geluk noted that most of the recent cyber-attacks have targeted individuals through emails and WhatsApp and Facebook messages.
“Cyber-attacks are becoming a lot more sophisticated and stealthy in the way they operate,” stated Mr. Geluk, underscoring the need for cybersecurity awareness and relevant strategies.
To mitigate cyber risks, Mr. Geluk recommends security awareness training every six months for all companies, at all operating levels, stating, “[This means] getting employees to understand what cyber risks are, and creating a security culture of awareness.”
“Security awareness is the first area of defense when it comes to a cyber landscape.”
Mr. Geluk said that security awareness training involves teaching employees how to recognise a phishing email, having them think about what they are receiving first, then gauging whether there is a risk in clicking on a link or opening a file sent to them.
In addition to security awareness training, Mr. Geluk said companies should focus on people, process, and technology. Regarding people, stakeholders were encouraged to ensure the workforce is cyber aware through annual Cybersecurity Awareness Campaigns. As for process, companies were advised to conduct a Cybersecurity Maturity Assessment to identify existing gaps in fundamental security controls. Lastly, technology recommendations included employing leading-practice techniques such as Threat Simulations to measure the effectiveness of security controls against cyber threats, along with compromise and vulnerability assessments.
Mr. Geluk noted that strategic integration across various business functions is necessary to build a cyber resilient organization. These include departments such as Information Technology, Internal Audit and Risk Management, Legal and Regulatory, Governance Risk and Controls, Finance, Supply Chain, and Board and Executive Leadership. This integration should also include strategies that “talk to each other,” Mr. Geluk remarked. The managing director said that a company’s IT strategy should be created to support its business development strategy and vice versa. “There should be symbiosis.”
Regarding supply chain and cyber-attacks, Ms. Swapp said, “If we think about supply chain, it’s all the places that your organization’s going to touch and be touched.” The COO explained that companies may not realize that even an outsourced cleaning company becomes part of the security infrastructure, adding that consideration would have to be given to how well they are educated to defend the organization.
“Thinking holistically as leaders in financial services, we have to understand all the different elements - FSC’s security, our own security, our network security, our cleaner’s security, our AC technician’s security - all of that comes together in terms of our tolerance for risk.”
Special note was made of “internet of things” and smart devices, which can be subject to vulnerabilities. Mr. Geluk advised that such peripheral devices should not be connected to a company’s network without the relevant checks.
Mr. Geluk also told stakeholders to invest in cybersecurity, to help them “compete in the future world.”
Tuesday’s Breakfast Forum is the first in the ‘Cybersecurity Awareness Series’, to be jointly hosted by BVI Finance and the ISSA. ISSA is a non-profit organization for the information security profession, committed to promoting effective cybersecurity on a global basis.