Ernst & Young: Balancing risks and controls for finance professionals

Cyber security threats are evolving rapidly. Organisations are facing not simply an escalating risk, but the near certainty that sooner or later they will suffer a cyber-security breach.

According to Ernst & Young’s 2014 Global Information Security Survey, both the volume and sophistication of cyber-attacks have increased over the last year. While awareness of incidents is increasing, including within finance teams, many organisations have to work harder to protect themselves. It is vital that organisations treat cyber security not as a compliance topic, but as a business risk.

Balancing cost, risk and value in the finance sector

79% of polled finance professionals expect to increase their proportional spend on cyber-security defences in 2014/15 in response to an increased level of threat. Rather than simply throwing more resources at the problem, organisations should be prioritising what they are aiming to achieve. This is about balancing cost, risk and value. The first step is to understand the business risks associated with the cyber threat. The next step is to target security investment appropriately, ensuring that IT and security are enablers, not a constraint on business.

Where does the threat come from?

One of the challenges is that the threat can come from multiple sources and causes. 28% of polled finance professionals were most likely to see the biggest threat emanating from external hackers, but significant proportions also saw threats coming from technical systems vulnerability (23%) and employees (21%).

Organisations need to consider whether contractors and suppliers have access to data assets, what these assets are and how they are protected.