
5 ways every CFO can mitigate cybersecurity risks

It’s time to test your current events knowledge: Which major retailer acknowledged having to spend $88 million related to a mega data breach in its most recent 10-Q, with more costs expected?

Target immediately comes to mind, right? The prominence of the retailer’s troubles shows how far-reaching the effects of a cybersecurity attack can be. That $88 million is just a drop in the bucket of the expenses and problems Target continues to face following the exposure of its customer payment data over six months ago. The initial tally does not include the company’s anticipated claims for incremental fraud losses, the litigation costs for the more than 100 legal actions filed in various jurisdictions to date, the reputational hit, or the faltering loyalty of customers now worried about sharing their credit card information with their local store.

Every day there seems to be a new headline reporting another Internet security breach or data protection lapse – be it hacked credit card data, the Heartbleed Bug or well-crafted phishing scams luring victims to give up sensitive information. If there is an upside, it’s that such news may prompt other companies to do a full sweep of their internal processes and systems to minimize the probability of something like this happening to them.

But will they do a good job? Companies whose efforts go beyond the confines of their IT department are more likely to succeed in shrinking their risk. CFOs in particular should take responsibility for toughening up the organization’s cyber defenses if they haven’t already.

Regulators are demanding it: Three years after requiring companies to disclose cybersecurity risks and incidents that are specific to them – and to stay away from generic language – the Securities and Exchange Commission continues to focus attention on the topic. In fact, the SEC hosted a roundtable earlier this year to discuss the cybersecurity challenges facing market participants and public companies, and how those challenges are being handled. Just a couple of months later, the SEC’s Office of the Investor Advocate announced that it would study how the SEC and other market participants are actually protecting investors from cybersecurity threats, which puts further pressure on the Commission to keep tabs on the risks.

On top of all this regulatory introspection is a call on auditors to pay more attention to how companies deal with the problem and what they say about it. The Center for Audit Quality recently issued an alert outlining independent auditors’ responsibilities related to cybersecurity risks. Such an alert may cause auditors to increase their scrutiny of how forthright their clients are about their risks and what they disclose about them.

Data breaches at larger companies make the headlines, but smaller companies are not immune from this threat. In fact, smaller companies may be easier targets because they have fewer resources to deploy in preventing a breach. Think what a treasure trove a hacker could find on your servers — employee information, customer information, engineering design information, your financial information, etc. 

What CFOs can do
CFOs can play a critical role in all of this, as the keeper and protector of their business’ sensitive information and internal controls. While your IT gurus, data protection officers and security and privacy experts are addressing “defense in depth” strategies to thwart would-be hackers, here’s what you should be doing.

  • Identify the crown jewels: No matter how good your firewall is, let’s assume that everything can be hacked. Hackers are looking for valuable information that isn’t adequately protected, so the first thing to think about is “what are your crown jewels?” This can include information such as engineering and design data, financial information, employee and HR information, and customer or client information. You want to make sure the full scope of your company’s sensitive data has extra security layers around it. And you’ll need to get input from all areas of your company for identifying your most sensitive information.

  • Control who has access to that valuable and vulnerable info: Now that you have identified what the critical data is, make sure you know where it resides. It is important to limit access to only the specific individuals who need it to perform their job duties. Do you have proper controls in place to ensure proper authorization is obtained before access is granted? Do you monitor access on an ongoing basis to make sure no unauthorized individuals have access to this data? Is your data backed up so that you are not vulnerable to ransom demands for stolen data? Depending on the size and complexity of your business, you may need to confer with your CIO on what measures are currently in place or you may need to bring in outside expertise.

  • Review third parties critically: You can’t outsource your responsibilities. When you use third parties to host, store or process your data, you need transparency in how they are protecting your data and complying with privacy laws. Don’t assume any third party has it all under control. Obtain and critically review SSAE16 reports (depending on the nature of the work being outsourced, you will want to review a SOC 1 report for internal controls over financial reporting or a SOC 2 report for data protection, security and privacy). You may want to reconsider using a company that refuses to share this information or that has questionable results.

  • Encrypt like crazy: Is all of your sensitive data encrypted? Not only is it important to encrypt data during transit, but it is also important to encrypt critical data at rest, meaning that information sitting on computer drives, laptops, flash drives and the like. Encryption won’t protect your data from being intercepted, but it can protect the contents from getting read.

  • Engage everyone in the effort: Do you have formal, companywide policies around data protection and security? Are they effectively communicated to employees (i.e., not just shared with new staff but distributed periodically)? Employees can unknowingly violate a carefully created data security effort by simply sending an unencrypted email that includes sensitive information. Ongoing training and education are key ways of ensuring that the procedures you have created to safeguard your data are correctly implemented.

If you consistently review and update your policies and systems, train your employees on those policies, and allocate sufficient resources to cybersecurity, you will have taken significant steps to reduce your risk. This should be an ongoing process, not a one-time reaction to a headline about a data breach. In this fast-moving era of hacks and viruses, a protective effort that occurs outside of IT needs to be a matter of course.

Comments

Topic Expert
Wayne Spivak
Title: President & CFO
Company: SBAConsulting.com

Pat,

It seems there are several areas that CFOs or boards don't want to invest in: cyber-security, Business Continuity Planning (BCP) and Continuity of Operations (COOP), among others.

And we're not just talking about small firms that honestly may not have the money to do full-blown planning, training, implementation and continue the cycle, because these three issues are cyclical, extremely dynamic and NOT static events.

Given the increase in natural disasters alone, hacking, and political/social upheaval in certain parts of the world, planning for the worst and hoping for the best is worth the investment.

I see hoping for the best and we'll figure something out should it happen as the method du jour at the moment, and as in your example with Target, it's not working.

Topic Expert
Wayne Spivak
Title: President & CFO
Company: SBAConsulting.com

I just turned the page on the June 2014 CFO magazine and it has an article that states: "CFOs Disregarding Cyber Risks".

Pat Voll
Title: Vice President
Company: RoseRyan

Hi Wayne – I agree. This is a serious risk that has the potential to cause irrevocable harm. I was just reading an article where the 9/11 panelists are urging Congress to enact cybersecurity legislation, among other recommendations. The panel said US readiness against hackers is poor, likening this to September 10th levels in terms of cyber preparedness. Scary times indeed. Let’s hope businesses start to heed the call to action and take this seriously.

Ernie Humphrey CTP
Title: CEO & COO
Company: Treasury Webinars

There is a related critical issue here, and that is how to mitigate the cost of a breach. Mitigation efforts are great, but what companies also need is a specific plan of what to do when a breach occurs. There was a recent Proformative webinar that offers useful insights and advice in this regard, Identify and Avoid the Top 5 Data Breach Costs (https://www.proformative.com/events/identify-avoid-top-5-data-breach-costs), which features Daimon Geopfert, National Leader, Technology Risk Advisory Services, McGladrey.

Pat Voll
Title: Vice President
Company: RoseRyan

Ernie – absolutely – focus on prevention and minimizing risk is critical, and having a plan in place to minimize damage once a breach occurs should be part of every business’s ERM plan. Trying to figure out an appropriate course of action in the middle of a crisis is a recipe for disaster.

Kai P.
Title: Certified Ethical Hacker
Company: Black Cipher Security

Pat, I have to say that as a cyber security specialist, I couldn't have written a better article. That was very well written.

Pat Voll
Title: Vice President
Company: RoseRyan

Thank you Kai -- much appreciated! Hopefully it provides some leverage for people wanting to make some changes in their organizations. There are so many organizations who are not addressing this very real threat, and I think are significantly underestimating the potential harm to their business.

Pat Voll
Title: Vice President
Company: RoseRyan

Hi Wayne - that's a good question -- first, I think this should be part of every company's ERM assessment - however, many companies haven't addressed enterprise risk to begin with. A good risk assessment will help identify the highest 'real' risk vs. potential risk. Clearly some companies are juicier targets than others, and those companies should be doing more to protect themselves. But there are a number of things the 'boring' companies can do that will reduce their risk without adding a lot of cost. A critical look at what information is at risk is a good starting point.

Topic Expert
Wayne Spivak
Title: President & CFO
Company: SBAConsulting.com

Pat,

I just re-read your blog. Here's a question:

Given: the more security you enact, the greater the cost(s) (hardware/software, training, human assets, etc.)

Do you suggest a threat assessment, and security raised to meet that threat?

Example: You're a "boring" company, no trade secrets, standard customer base, etc. You want to protect yourself from kiddie hackers, that's a no brainer.

But do you also protect yourself from the more seasoned hackers, the professional hackers and the state hackers as well?

EMERSON GALFO
Title: CFO
Company: C-Suite Services

(Mental note: read the whole thread before commenting)... sorry about that... lol

That being said.....

Companies should adopt an "It is not a question of if but when" attitude/posture.

Topic Expert
Regis Quirin
Title: Director of Finance
Company: Gibney Anthony & Flaherty LLP

Great story. I would only add that there are studies that point to remote workers as being a major cause of data breaches. Any time you open your system to the outside world, past your firewall, you are assuming an element of risk.

Kai P.
Title: Certified Ethical Hacker
Company: Black Cipher Security

A few good things to keep in mind are:

1) Hackers and cyber criminals are constantly evolving their tactics and adopting new technologies that allow them to bypass the obstacles (firewalls, antivirus, etc.) into your network. If you are not staying current with your cyber security and you are in their sights, you will get breached.

2) A risk assessment, vulnerability assessment and penetration test are snapshots in time. You may get an assessment done that shows no vulnerabilities one day and be extremely vulnerable the following week. This is a cat and mouse game where those with the set-it-and-forget mentality regarding their cyber security will eventually lose.

3) What isn't available online cannot be hacked. If you have sensitive client and/or proprietary data that would hurt your firm if stolen, don't put it on a device connected to the Internet. That means even indirectly on your LAN if that LAN can reach the Internet. Have a stand-alone machine and store it there. It may be inconvenient but it is definitely safe.

4) Hackers are not always looking to steal data. Your computers and network itself can be a great resource for storing stolen data and launching further attacks against others all the while making it appear the attack came from you.

5) In the physical world, if your car is stolen, you know pretty quickly because you are deprived of its use. In the digital world, unless you are keeping and monitoring access logs, you can be "robbed" and not even know it. This is because when data is stolen, the original data is often left intact while the thief makes off with a copy.

6) There are 3 elements to a crime and cyber crime is no different:

   a) Means
   b) Motive
   c) Opportunity

You cannot control the first two, but through the right course of action, you can deprive the attacker of the opportunity to successfully breach your network and gain unauthorized access to your firm's data.

If anyone ever needs any guidance in this area, feel free to reach out to me. I'd be more than happy to help you:

k [dot] pfiesteratblackcipher [dot] com
www.blackcipher.com
