By Beverley Head

It’s no surprise that cybersecurity is a top issue for Steve Goldsworthy CA, group chief financial officer for St John of God Health Care.

“Most organisations would have it high on their risk registers at the moment, especially those that have confidential information like patient information,” says Goldsworthy. “As CFO you need to be across all risks and impacts for the organisation.”

Over the 12 months to February 2019, the first year of Australia’s notifiable data breaches scheme, 964 serious incidents were reported to the Office of the Australian Information Commissioner (OAIC). The sector most affected was health services which reported 206 such incidents; 113 prompted by human error, 90 deemed malicious and three due to a system problem.

“As CFO you need to be across all risks and impacts for the organisation.”

How data breaches impact finances

Steve Goldsworthy CA.

“If you have a major cybersecurity event that impacts the organisation’s records, whether there is a financial penalty or not, there is an impact on the trust of the organisation and on reputation which will ultimately impact the finances,” says Goldsworthy. “CFOs need to take a broader view on risks.”

St John of God Health Care employs almost 14,000 staff across Australia, New Zealand and the Asia-Pacific. It operates 24 facilities with 3400 hospital beds, and provides home nursing, disability services and social outreach programs. Underpinning all of that are vast reserves of personal, often highly confidential, information that require proper protection.

The organisation recently went through a review and appointed a group manager of cybersecurity. According to Goldsworthy, CFOs and technology teams must work closely on the issue.

“You need to ask your digital technology teams to develop plans and projects to bring you up the maturity curve. Then you need a roadmap of projects that are required based on risk tolerance, and ideally with a cost benefit, so it’s really clear what projects need to occur to bring you to the next level, and what you are comfortable with in terms of risk tolerance.”

That includes consideration of risk transfer. “Historically, cyber insurance has been cost prohibitive. Prices have started to come down and I think most organisations are now seriously considering it,” he says.

Human error is a big cyber risk

Given the high incidence of human error that the OAIC has uncovered, cyber awareness education is critical – and that includes the finance team.

“Finance workloads are electronic these days. We receive regular phishing emails, some looking very similar to internal workflows, so we regularly train the team to be aware about threats,” he says.

“We look at training them to identify the unique identifiers with our workloads, so they can be sure to only click on links from internally generated sources.”

It’s not infallible. Goldsworthy acknowledges that if a hacker penetrated the system then the unique identifiers could be hijacked, but it does significantly raise staff awareness, which is an important step in the right direction.

Read more: