October Cyber Security Awareness Month 2018
Throughout 2018, BDO has held discussions with CFOs from hundreds of global
organisations across industries including financial services, healthcare, government
contracting, automotive, manufacturing, private equity, and law firms. In these
conversations, it became apparent that CFOs are frustrated by a ‘knowing’ versus ‘doing’
gap. This is understandable, since most C-Suite members and Board Directors never receive
appropriate cyber security education and training.
CFOs need not become Certified Information Systems Security Professionals. Rather,
CFOs should increase their knowledge of core cyber security concepts and apply their
own leadership skills to conceptualise and manage risk in strategic terms, deciding how
best to invest their time and resources to improve cyber defence.
To address this Know/Do gap, BDO provides a list of 10 effective, proactive actions any
CFO can undertake immediately to enhance his or her company’s cyber defence.
Top ten things CFOs should do immediately about cyber security
• Determine which of the organisation’s information and digital assets are most valuable:
Cyber-attacks and security breaches will continue to occur and will negatively
impact the business. Today, the average cost of a cyber breach is $7.5 million
according to the US Securities and Exchange Commission (SEC).
• Determine how much cyber liability insurance coverage is necessary to
financially protect the company’s assets.
• Determine the organisation’s risk of a cyber breach: According to most
cyber security surveys, over 60% of all data breaches originate from
unauthorised access by one of the organisation’s current employees, former
employees, or third-party suppliers. Has your organisation created an insider-
threat program to mitigate the risk of a cyber breach from within the
• Achieving information security compliance with one or more government or
industry standards for information security (e.g. ISO 27001, NIST 800-171,
HIPAA, NYDFS, AICPA SOC, etc.) is good, but not sufficient to ensure real cyber
security. What actions should our organisation take to ensure real cyber
• Conduct an independent email and network threat assessment. If one was
recently conducted, then what were the results?
• Obtain an independent assessment of the adequacy of our cyber liability
insurance coverage. Cyber liability insurance premiums are increasing
significantly and often do not cover all of the damages caused by a cyber
• See that managed Monitoring, Detection, and Response (MDR) and Managed Security
Services (MSS) are combined, to achieve real information security and data
resilience. Determine whether internal resources exist to perform MDR work or whether
it needs to be outsourced. If so, then how much will it cost?
• Determine if the organisation has comprehensive incident response (IR), disaster
recovery (DR) and business continuity plans (BCP).
• Undertake scenario thinking and ask: If we are attacked by ransomware, would
we pay the ransom? If so, then how much should be budgeted? Would it be
covered by our cyber liability insurance?
Organisations may not realise how valuable a cyber security strategy is until there is a
vulnerability. BDO wants to make sure your organisation never faces that situation. BDO
professionals are available to provide guidance and specialised resources on any
cyber security issue. To contact BDO's Global Cyber Security Team, visit