What is the CFO’s role in preventing a cyber attack?
Cybersecurity is a top concern for companies across industries in today’s increasingly data-driven, digital world. From political headlines to phishing emails directed at our inboxes to a growing number of smart devices, we face a growing challenge in ensuring that data is protected within our organizations.
Cybersecurity concerns are top-of-mind for all departments across the enterprise, but finance remains one of the most vulnerable areas for malicious attacks. A recent report from Deloitte noted that US financial services companies lost on average $23.6 million from cybersecurity breaches in 2013 – the highest average loss across all industries.
Today, information equates to power, and customer information is not the only data at risk. A company’s internal assets, including financial and strategic plans, can also be targets. An attack on this data (whether for leakage, manipulation, ransom, or other malicious intent) could endanger a CFO’s relationships and trust with a number of important parties. It could also lead to business disruptions and loss of market share, not to mention potentially hefty fines.
In this environment, how can CFOs, and their organizations more broadly, implement an effective cybersecurity strategy?
Provide continuous security education. Education should be a key priority for the CFO to make sure that the risk of cyber attacks is understood and potential impacts are addressed, especially when it comes to protecting critical financial planning documents. Beyond IT, it is essential that every employee, from line managers to the C-suite, receive training on cybersecurity trends and threats, whether that means setting up company-wide training or nominating a cybersecurity subject matter expert whose role is to set overall standards and advise the board. Given the high stakes, understanding a company’s risk is a critical component in fending off a potential breach.
Understand your data and map assets. As the number of breaches continues to grow at a rapid pace, many companies have decided to strictly protect all of their data. Not only does this come with a hefty price tag, but since resources are often limited, it could also mean overlooking some valuable assets. Not all information is critical or confidential. To best prioritize data protection needs, CFOs should work with their finance teams to evaluate which data is critical and rank it appropriately. Once data is evaluated and ranked, it is also important to know where the data lives and how it can be accessed. This might seem like common sense, but a recent EY study found that only 40 percent of companies hold an accurate inventory of their data ecosystem. To truly protect information, CFOs and finance teams need to understand how sensitive information is being accessed so that they get a full picture of potential vulnerabilities.
Evaluate existing risk and resolve vulnerabilities. The CFO is responsible for managing the risk created by or impacting their finance operations, and cybersecurity is no different than any other risk assessment that a CFO needs to perform in order to keep the finance department running smoothly. Applying a root cause approach is very relevant in this case, as it will help find the weakest link, but it is important not to stop at IT impacts. To understand the real exposure of each vulnerability, roll up the risk chain and assess the business, strategic and operational impacts resulting from a data breach.
Stay a step ahead. When it comes to cybersecurity, the best defense is a good offense: CFOs should routinely run test scenarios to make sure that protective measures are working and weaknesses in the structure are rectified. While it may not be the best idea to encourage finance teams to attempt to hack their own data, partnering with your IT department and letting the experts run some tests can be a positive exercise. By being proactive, CFOs can deter future breaches before they happen, as well as limit their own personal liability in the event of a breach.
While a company cannot always prevent a breach from occurring, the organization – and finance executives in particular – can take steps to ensure that it is best prepared to mitigate an attack and control the impact on the finance function. By educating the workforce from the ground up, taking the time to understand the data at risk, resolving any known vulnerabilities and being proactive, companies can be effective in fending off a potential cyber attack.
Author: Thack Brown, General Manager and Global Head of Line-of-Business Finance, SAP