Daily Mirror - Print Edition

ICT

Cybersecurity best practices for CFOs

23 Mar 2017

In today’s digital world, cybersecurity is an issue that is top of mind for every company. 
From the malware threat posed by employees chasing Pokémon around the office to large-scale breaches such as that seen with a leading US fast food restaurant chain earlier this year, executives face a greater challenge than ever in ensuring that data is protected in the enterprise.
While cybersecurity concerns are widespread, finance remains one of the most vulnerable areas for malicious attacks. Information is the new tool of war – beyond customer information, a company’s internal assets are also at risk, from financial and strategic plans to employees’ personal data and so on. An attack on this data (either for leakage, manipulation, ransom, or other malicious intent) could seriously endanger CFO relationships and trust with a number of important parties. It could also lead to business disruptions and loss of market share, not to mention potentially hefty fines.
So how can companies, in particular CFOs, stay ahead when it comes to cybersecurity? 


Educate your workforce on security threats
Cybersecurity is not merely an IT concern. It is a complex challenge that entails an enterprise-wide approach. Outside of IT, it is essential that every employee, from line managers to the C-suite, receive training on cybersecurity trends and threats.
This can mean setting up company-wide training or nominating a cybersecurity subject matter expert whose role is to set overall standards and advise the board. Given the high stakes, understanding a company’s risk is a critical component in fending off a potential breach. This should be a key priority for the CFO to make sure that the risk of cyber attacks is understood, and potential impacts are addressed, especially when it comes to protecting critical financial planning documents. Cybersecurity is a shared responsibility and should be addressed across all constituencies of the company. This begins with the CFO being well-informed about various risks and involving stakeholders in a mindful dialogue.


Rank your data
In response to the growing number of breaches, many companies have taken an overly cautious approach, deciding to strictly protect all of their data. However, not only does this come with a hefty price tag but, since resources are often limited, it could also mean overlooking some valuable assets. 
According to a 2014 study from Saugatuck Technology, many finance departments tend to be more cautious when it comes to moving data from the ‘money’ function – such as treasury, core accounting and revenue management data – to the cloud, but tend to be less concerned with managerial data such as expense management, planning and forecasting. Data assets need to be classified based on sensitivity and business value. Not all information is critical or confidential – in order to prioritize data protection needs, CFOs should work with their finance teams to evaluate which data is critical and rank it appropriately. Today, with companies sharing more and more information across multiple geographies, an emphasis on critical data can further highlight key impact subjects.


Know where your data lives
Once data is evaluated and ranked, it is also important to know where the data lives and how it can be accessed. This might seem like a ‘no-brainer,’ but a recent EY study found that only 40 percent of companies hold an accurate inventory of their data ecosystem. 
In order to truly protect information, CFOs and finance teams need to understand how it is being accessed in order to get a holistic picture of potential vulnerabilities. It is crucial to identify and examine information flow across the enterprise as well as its extended networks. Given the dynamic background in which companies function, substantial activities such as data mapping and classification can boost an organization’s responsiveness when under threat.


Manage risk and address vulnerabilities
Cybersecurity is no different than any other risk assessment that a CFO needs to perform in order to keep the finance department running smoothly. The CFO is responsible for managing the risk created by or impacting their finance operations. 
Applying a root cause approach is very relevant in this case as it will help find the weakest link, but it is important to not stop at IT impacts. To understand the real exposure of each vulnerability, roll up the risk chain and assess the business, strategic and also operational impacts resulting from a data breach. This will also help determine which areas need to be allocated focused training and resources.


Think ahead and have a proactive strategy in place
The best defense is a good offense, so it’s critical that CFOs routinely run test scenarios to make sure that protective measures are functioning, and weaknesses in the structure are addressed.  
It may not be the best idea to encourage finance teams to attempt to hack their own data, but we do recommend partnering with your IT department and letting the experts run some tests. Internal auditors assure management and the board that they are receiving accurate information, and ensure structural risks are addressed. By being proactive, CFOs can deter future breaches before they unfold, as well as protect their own personal liability in the event of a breach.
Cyber-attacks ultimately damage a company’s reputation, which is why it’s important that CFOs take the right steps to completely equip their organization. Given the increasing sophistication of threats and data breaches, cybersecurity should be regularly reflected upon and entrenched within the corporate culture.
(The writer is the Chief Financial Officer, SAP, Indian Subcontinent)