The role of financial directors and CFOs frequently intersects with domains beyond financial management. What was true then is still true now. The exponential growth of data, the constant threat of cyber-attacks, and new regulations are placing mounting pressure on financial professionals to understand and adapt to key issues around data privacy and security.
Responsibility for protecting the company from cyber-attacks still sits with the security team: the CISO, the CIO and the other roles charged with that task. Importantly, CFOs need to know what questions to ask their security teams, what to look for, and what additional disclosure requirements are now part of financial statements. They must also realize that regulation plays a big part in today’s security decisions.
A serious cyber incident can incur heavy costs including regulatory fines, lost business, operational downtime and reputational damage. These risks go up significantly with the GDPR.
Financial leaders must contend with the potential impact a breach could have on the company’s performance and budget. Additionally, data privacy and security have become major business priorities with the advent of the GDPR – raising new regulatory demands that often overlap with financial compliance requirements.
Financial data as a target
The majority of cyber-attackers are motivated by monetary gain. The financial department is often the easiest path for a criminal to secure their payday. Phishing scammers frequently target financial departments to trick them into authorizing fraudulent payments. Financial data can be stolen for use in identity fraud or sold for a profit on the dark web.
One of the most striking things that I’ve seen when speaking to financial heads, as well as decision makers in areas like legal and HR, is the gap between what they believe their IT and security teams are capable of, and their actual capabilities.
It’s alarmingly common to hear that a thousand files could vanish and no one would know. Many organisations, even larger ones in regulated sectors, do not monitor how, when and by whom files are accessed.
Compounding this, there is often little in the way of controls to prevent sensitive files from being accessed by unauthorized personnel. Varonis’ 2018 Global Data Risk Report found that 58% of companies have over 100,000 folders open to everyone. Even a single unsecured sensitive or mission-critical file can be highly damaging, while a serious breach involving thousands of files can be catastrophic.
Understanding and limiting risk
The inability to control or monitor how files are being accessed is a huge security failure that can easily lead to a colossal data breach. One of the most obvious concerns is the risk of a malicious insider abusing their system access to harm the company.
In one memorable case, we found a payroll file open to the entire company. Our sales rep told the CISO that the receptionist who let him in likely had access to salary information for the CISO, CFO and CEO. The CISO felt strongly that wasn’t the case, so the rep bet the CISO that his financial data could be accessed by their receptionist. Despite the CISO’s confidence in winning the bet, it turned out the receptionist’s computer could open the confidential payroll files with no barriers at all.
Alongside the threat of malicious insiders, weak access rights management also greatly increases the risk posed by external attackers if a company’s network is breached. The potential for a major security incident skyrockets if an intruder can access the company’s most sensitive and confidential data. In this scenario, an attacker only needs to compromise any staff computer, such as one belonging to a junior employee, rather than one belonging to the handful of senior figures who should be the only ones with access.
Trust, but verify: Asking the right questions
Despite the complexity, FDs don’t need to be cybersecurity experts – but they do need to know which questions to ask the security team in order to understand the risk and make the best decisions on protecting data. Once FDs are aware of this risk, they can do what they probably do hundreds of times a year: a cost-benefit analysis to ensure the right decisions are made to reduce risk and that resources are allocated properly.
FDs should never automatically assume that their company’s security follows a ‘best-case’ scenario in which all data is properly secured and locked down. It is essential that they ask their security or IT team specific questions about its capabilities to find out whether those capabilities match their expectations.
Here are three questions financial directors need to ask their security and IT teams:
- Have any unauthorized personnel accessed our financial statements in the past 30 days?
- What information does our company hold that isn’t properly protected under the GDPR?
- Is our intellectual property protected? Would the company be able to spot unusual activity (moving, opening, altering, deleting) concerning our sensitive data?
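The third question above, and the earlier observation that a thousand files could vanish unnoticed, both come down to whether anyone is actually looking at file-access audit data. The following added example (not code from the original article or from Varonis) shows the minimum a security team could run over such data: it parses a constructed audit log, flags any account outside a hypothetical allowed set that touches the payroll folder, and flags a user who deletes or moves an unusual number of files in a short window. The log format, the folder paths, the user names and the threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system): "timestamp user action path".
SAMPLE_LOG = [
    "2018-06-01T09:00:05 alice OPEN /finance/q2-forecast.xlsx",
    "2018-06-01T09:01:10 cfo OPEN /finance/payroll/salaries.xlsx",
    "2018-06-01T09:02:00 receptionist OPEN /finance/payroll/salaries.xlsx",
] + [
    # bob removes 60 archived invoices in one minute: the "files vanish and no one knows" pattern
    f"2018-06-01T10:00:{i:02d} bob DELETE /finance/archive/inv-{i:04d}.pdf"
    for i in range(60)
]

# Hypothetical access policy: only these accounts may touch the payroll folder.
PAYROLL_PREFIX = "/finance/payroll/"
PAYROLL_ALLOWED = {"cfo", "payroll-admin"}

def parse_log(lines):
    """Turn 'timestamp user action path' lines into event dicts, skipping malformed ones."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # truncated or garbled line: do not let it crash the monitor
        ts, user, action, path = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action.upper(), "path": path})
    return events

def unauthorized_sensitive_access(events, prefix=PAYROLL_PREFIX, allowed=PAYROLL_ALLOWED):
    """Events where an account outside the allowed set touched a sensitive path."""
    return [e for e in events
            if e["path"].startswith(prefix) and e["user"] not in allowed]

def bulk_deletions(events, threshold=50, window=timedelta(minutes=5)):
    """Users whose DELETE/MOVE events reach `threshold` inside any sliding time window."""
    per_user = {}
    for e in events:
        if e["action"] in ("DELETE", "MOVE"):
            per_user.setdefault(e["user"], []).append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

On the sample data the first check reports the receptionist opening the payroll file and the second reports bob's 60 deletions; a team that cannot produce either answer from its own logs cannot answer the question above.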
Overall, finance leaders must understand that cybersecurity is an iterative process requiring continued vigilance and attention – whether you are securing GDPR data to remain in compliance or guarding against a ransomware attack.
Influencing security policy
If the company’s security policies do not match their expectations, FDs must be involved in asking the right questions. Asking those questions can ensure they have a better understanding of the security challenges facing their company, and its ability to meet these threats, and therefore make better decisions and positively impact the company’s security strategy. With the volume of attacks increasing and regulations tightening, FDs must know how to qualify the risks and help ensure that the organization invests funds in the right areas to protect itself from cyber threats.