With the growing adoption of 4.0 technologies, such as cloud, the Internet of Things (IoT), blockchain, artificial intelligence (AI), and even quantum, new cyber threats have emerged. Mitigating the risk and implementing frameworks that would enhance an organisation’s cybersecurity initiatives has become a key differentiator in whether a business thrives in this age of digital transformation.
The Industrial Revolution (IR) 4.0 encompasses a myriad of systems, including IoT, the use of digital systems to control physical movements, big data, robotics, sensors and other technologies such as RFID, GPS, 5G, AI, machine learning (ML) and automations such as robotic process automation (RPA). Although a mouthful, these systems and technologies continue to find their way into everyday business processes and transactions, driven by increased digital adoption in the global economy.
“The characteristics and tools of IR 4.0 are truly applicable in financial accounting, cost and management accounting, taxation and auditing, and affect the way these processes take place. There can be increased automation, ML and AI in these, payroll and tax returns, as well as the use of big data in trending analysis and insights. All these are the benefits of digital transformation and emerging tech,” Mr. Steven Sim, President of ISACA Singapore Chapter, explained in a recent masterclass titled Optimising Cyber Risk in the Era of Accounting 4.0.
However, risk management processes in many companies have yet to catch up with the new risks that are arising in line with increased digital adoption. As this threat landscape becomes increasingly sophisticated, more enterprises are “falling prey to cyber breaches, including ransomware and fraud”, added Mr. Sim, citing various news reports on enterprise security breaches that have picked up over the last few years, including hits on big tech and global cybersecurity companies.
“Accountancy professionals will need to help their organisations and clients analyse the cyber risks that arise, due to increased connectivity within and outside the enterprise,” said Mr. Sim.
From a financial and accounting process point of view, as virtual and digital transactions become more predominant, especially in the global economy, there is more reliance on intellectual property and intangible assets, as well as on digital services on the cloud, with big data and analytics, and software such as software-as-a-service (SaaS).
Additionally, workers can now be from anywhere in the world and global tax requirements need to be taken into consideration, making the development of APIs (application programming interfaces) to assist in tax administration crucial in ensuring the right taxation rules are applied.
With growing digital connectivity and adoption, it becomes even more crucial for organisations to leverage industry-developed risk IT frameworks - such as ISACA’s risk IT framework that is based on Control Objectives for Information and Related Technologies (COBIT) - in order to mitigate risks and losses.
“Ultimately businesses have to take risks. The only way for a business to be 100% secure is to close down the business completely. In this day and age, you have to be digitally connected, but how much risk to take is dependent on how much risk can be taken and tolerance levels well defined outright. These enterprise risks must be acknowledged right from the top down and communicated to all business units, divisions and departments. It is also important to have an alignment between operational and IT risk, to enterprise or business risk,” Mr. Sim elaborated.
“With proper targets defined, security controls can be optimised, as we do not want to overspend or underspend on cybersecurity. After all we need to take care of the bottom line itself as well and cybersecurity has to be a business enabler, and in some cases even a business differentiator,” he added.
Essentially, good digital governance would enable an organisation to circumvent a cyber incident, where possible, and implement countermeasures to ensure the business continues to run smoothly despite the cyber threats that abound.
“With good digital governance, the roles and responsibilities of everyone are clear. We are in this together, and we have skin in the game to avoid a cyber incident where possible and arrive at our destination safely. So, taking the C-suite and the board on the ride, CISOs are tasked to help the CFO and CEO and the board make risk-informed and data-driven decisions. If any warning indicators pop up, we need to alert senior management or the board so that all of us can take the countermeasures and still arrive at our destination safely,” Mr. Sim continued.
A critical part of good governance is risk ownership, where risk owners are defined and made accountable for these decisions within the organisation.
“The RACI (responsible, accountable, consulted, informed) matrix must be well defined in order for effective risk-based decisions to be made. This will reduce a lot of finger-pointing and allow for things to move forward, rather than discussing turf. CISOs and C-level executives and the board work together in partnership to allow cybersecurity to not only enable the business, but also differentiate it from the rest of its competitors. Ultimately good risk governance is about realising maximum benefits while optimising risk and resources,” stated Mr. Sim.
Resilience and a change of mindset are also necessary, he explained, in order to thrive in this new normal environment of increased digitisation and cyber threats.
“Increasingly cybersecurity is seen as pivotal as the business enabler and differentiator, that cyber resilience implies business resilience and with this new cybersecurity normal, the board needs to understand we have to take on an assumed breach approach and mindset, meaning it's not a matter of ‘if’ but ‘when’ incidents will happen ... therefore it is not about whether we’re 100% secure, but about how we can meet the enterprise risk appetite and tolerance and ensure cyber resilience, the ability to bounce back up, to contain the impact before business impact is significant,” Mr. Sim reminded.