One of the hottest topics in Finance in 2015 is data security. In fact, in a recent survey by Protiviti and FERF, cyber security ranked as one of the top 5 priorities for Finance executives, along with margins/earnings performance, strategic planning, periodic forecasting, and budgeting.
Given the increasing interest in this topic, the CFO Leadership Council’s New Jersey chapter recently Planfuled a panel discussion titled “Cybersecurity: Practical Protection for the Modern Age.”
The panel was moderated by Glen Badach, a leading consultant for a cryptocurrency startup. The panelists included Albert Murray, Special Agent, FBI; Daniel McKenna, Partner, Ballard Spahr; and Fred Rica, Cyber and Threat Intelligence Leader, KPMG.
Here’s a recap of the key points highlighted in the panel discussion.
General Industry Trends
Cybersecurity is becoming a high priority – both for C-Suite executives and at the board level. This isn’t something new. It’s been a long-term issue that’s getting more headlines recently. In fact, the increased media attention to security breaches is making many companies gun-shy about reporting incidents.
The hacking threat has evolved over time from amateurs to professionals, nation-states, and terrorist organizations. This topic is in focus for both large and mid-sized companies – every company has something of value, and that something is at risk.
According to Albert Murray of the FBI, one of the most common threats is email scams – criminals posing as CEOs, asking their companies for money to be wired to an account. Another threat is “ransomware” attacks, basically malware that takes over a computer and encrypts files until a ransom is paid. If the company doesn’t have a backup, it pays the ransom, and its data is freed. Another common problem is when email accounts are compromised and wire transfer instructions to vendors are modified by criminals. In many cases, the FBI can help recover funds or at least freeze payments.
Employee Training and Awareness
The panelists agreed that, in many of the cases cited above, it’s usually a result of the CEO, or another executive or manager, responding to a false (a.k.a. phishing) email. Some companies will even run internal tests with “phishing” emails. And it’s often the most senior executives who are easily duped. Another simple example is the issue of employees attaching rogue thumb drives to computers, which can include malware.
Technology alone cannot solve these problems. Employee training and awareness is key. Companies need to raise the security IQ of executives and staff.
Guidelines for Finance and IT
As the security function in an organization matures, it should move out of IT and become a standalone function. This topic needs high visibility with reporting on the program as a whole – people, processes, access controls, third-party relationships, a recovery plan. It’s healthy to have tension between IT and security teams and to have a well-controlled rollout of security programs.
However, security guidelines are often too complex. They need to be boiled down so that employees can easily understand and comply. Every company’s employee manual should include information security plans, guidelines, dos and don’ts. Consultants and cybersecurity experts are being engaged by boards to review security programs and make recommendations.
Third-Party Evaluations and Benchmarking of Security Programs
There are third parties that can evaluate and rate a company’s security program, but confidentiality is a big factor here. Benchmarking vs. competitors and peers is an important step for companies. Information security is not a temporary trend – it’s a long-term strategy need.
Thus, establishing your company’s risk profile is a key starting point. You need to understand your company’s maturity level with regard to information security and your ability to support specific business processes.
Disclosure Obligations in Cases of Breach
The panelists recommended using the term “data incident” vs. “breach” as breaches require public disclosure. The biggest concern is customer perception and trust. Companies would prefer not to disclose publicly and just let impacted consumers know about an incident. In most states, the Attorney General must be notified as well. Another area of risk is vendor and supplier contracts. These should include information-security language as well as remediation and communication plans.
Incident Response Plans and FBI Reporting
Albert Murray of the FBI said that any issues should be reported. Reporting to the FBI raises awareness regarding potential risks to other companies and any required government action. The FBI doesn’t hear about all breaches. Usually consultants are initially engaged. While many companies don’t want to be exposed to an investigation, every company’s “incident response plan” should include a relationship with the FBI.
The reality, however, is that most companies don’t have an incident response plan. Having this can create competitive advantage, assure customers. The plan should define the core team who will focus on a security incident response. It should highlight reporting deadlines – FBI, Attorney General, etc. And it should include a decision tree that guides actions in a crisis. Companies should not only follow the plan after each incident, but update the plan based on key learnings along the way.
Fred Rica of KPMG quoted boxer Mike Tyson: “Everyone has a plan until they get punched in the face.” Security breaches are a punch in the face, one you need a proactive plan to deal with. You must keep the business running while taking action.
Securing Internal vs. Outsourced/Cloud Based Systems
Typically older, mission-critical systems are most at risk. Critical system failures can have a big impact on a business. But in general, all systems are at risk – companies need to evaluate who has access, what the exposures are. A big challenge in large companies is that they often cannot keep track of all computers and connected devices that need to be secured.
Thus, you need to have your house in order whether processing is in-house or outsourced. Bad processes are bad processes. It’s your responsibility either way. The FTC will hold companies liable for data breaches, not third-party IT vendors. This makes it even more vital that you understand and evaluate the security measures of cloud-based providers you are partnering with.
Impact of use of Mobile Devices
The panelists highlighted that mobile devices themselves are typically not used to execute a breach, but the data on mobile devices is sensitive and can be used to execute a breach (e.g., user IDs and passwords). Content on mobile phones can be risky – email attachments, pictures of contracts, etc. Companies must enable employees to work remotely, with security, to avoid workarounds like using personal email for company data.
How can Companies be Proactive, and Aggressive, on Cybersecurity?
Companies must separate criminal vs. non-criminal hacking risks. They need adequate employee restrictions and easily understood guidelines. They need to provide training for employees and acquire an attestation from every employee that they understand the guidelines. They need to know where their data is given the sensitivity of specific information. It’s about governance – people, process, and technology.
Companies need to raise the security IQ of employees. Younger employees, a.k.a. Millennials, are accustomed to mobile devices, social media etc. – companies need to raise their awareness about the risks, acclimate a new generation of employees.
Company size isn’t an issue. All companies must assess their own risk and decide how much risk they want to take vs. how much they want to focus on information security. Compliance is a starting point. It should not be the only driver. Thus, every company needs to understand its own risk profile. What data is being stored? What’s at risk? Companies must weigh out the risk vs. costs of putting a program in place – it can even be as low as $25K to create an initial program – without undervaluing what they get in return – safe, secure data.
Planful and other cloud-based application providers like us, take security very seriously as it’s core to our business. To learn more about our approach, download this free white paper titled “Ensuring the Security of Customer Data.”