Audit committees name cybercrimes as a top concern for businesses

The Audit Committee Practice Report, the latest publication from Deloitte’s Center for Board Effectiveness and the Center for Audit Quality, highlighted cybersecurity as the top concern of audit committees internationally, which is consistent with the last few years. Half (50%) of the respondents rated the topic as the number one focus area, and 62% of them said that audit committees have primary oversight while 23% thought that their full board has primary oversight. The majority (71%) of the respondents said that the topic is on the board agenda quarterly, and 50% ranked cybersecurity as one of the top three areas in which they want to develop their skills to enhance audit committee effectiveness. 

Cybersecurity Concerns in Finland

 

Is this also a fair reflection of the reality of cybersecurity in Finland? Anu Laitila, a cyber expert at Deloitte, agrees:

"While there is a heightened sense of concern, when it comes to what it really means to a business, it can be quite mystifying. But when you look at the geo-political situation, the level of our reliance on technology, or the prevalence of cybercrimes, it is a real and present concern for businesses."

 

Ways That Cybercrimes Target Businesses

 

There are many ways that cybercrimes target businesses. Here we have listed a few of the most typical ones:
 

  • Phishing Attacks: Fraudulent attempts to obtain sensitive information by cybercriminals disguising themselves as trustworthy entities.

  • Ransomware: Malicious software that encrypts data and demands a ransom for its release.

  • Malware: Software designed to disrupt, damage or gain unauthorised access to computer systems.

  • Denial-of-Service (DoS) Attacks: Overwhelming a system with traffic to make it unavailable to users. (Lately, this has happened to multiple financial institutions in Finland.)

  • Insider Threats: Employees or associates who misuse their access to harm an organisation.

  • Business Email Compromise (BEC): Scams targeting companies to trick them into transferring money or revealing confidential information.

  • Data Breaches: Unauthorised access to confidential data, leading to its exposure or theft.

 

It is not only large or asset-rich businesses that should worry about these crimes. "Many cybercriminals – individuals, criminal organisations or even rogue states – are motivated by money", Anu says, "but they do not need to aim at the target directly – it is similar to a supply chain: a cybercriminal may potentially gain access to a computer or network when an individual saves their work login details in their browsers on their work computers and then uses the same browser profile on their personal computers. This could lead to security vulnerabilities if the personal computer is compromised. If the person works for an IT provider, the attacker could potentially gain access to client systems, posing a significant risk. There are many ways for criminals to reach the target."

 

Human Vigilance Against Cybercrimes – How the Board Contributes 
 

It may sound like a matter of basic cyber hygiene, but humans are a security layer if they become vigilant against cybercrimes. Board members, particularly those who access their board papers from their personal computer or email account, may wish to take note. Also, it is important that board members have fast access to the cybersecurity team so that they can give a quick call when there is an issue, just as anyone else within an organisation should be able to.

"1000 pairs of eyes mean that the number of incidents reported may go up. But at the same time, you have 1000 human firewalls in addition to the security officer", stated Anu.

 

Questions that audit committees may wish to consider

 

The aforementioned Audit Committee Practice Report lists a few questions that audit committees may wish to consider as a starting point. These are:

  1. How are new technologies affecting the threat landscape?
  2. How are new employees trained to mitigate the risk associated with phishing and other attacks?
  3. How have third parties been considered in relation to cybersecurity? 

 

However, cybersecurity is not just a matter of business continuity and resilience – it is a strategic business imperative. Prioritising cybersecurity is essential for driving business growth and maintaining a resilient, trustworthy organisation. For example, robust cybersecurity measures can differentiate a company from its competitors, attracting customers and partners who value data security. Additionally, shareholders are reassured that their investments are protected, leading to higher loyalty and potentially better stock performance.

 

Additional sources of information:

Please note that some of these links may require registration.

Furthermore, the National Cyber Security Center Finland regularly issues news, instructions and manuals. Please refer to their guidelines: Ohjeita ja oppaita tietoturvasta (Instructions and guides on information security) | Kyberturvallisuuskeskus
