Whether driven by industrial espionage or hacktivism, calculated and sophisticated data leaks have been making headlines worldwide in recent years, leaving many enterprises under siege with the click of a button.
Major data leaks, like WikiLeaks and, more recently, the Panama Papers, in which approximately 11.5 million leaked documents exposed widespread tax evasion by international business leaders and politicians earlier this year, further heighten the threat of exposure.
Similarly, in 2015 the Sony Pictures Entertainment hack revealed copies of then-unreleased films and the executive salaries at the company.
And while the incidents of cyber attacks are declining, an Australian cyber security expert says that the extent of damage caused by attacks has risen dramatically.
Director of private cyber-crime investigative firm, IFW, and expert researcher in cyber security from the University of New South Wales, Dr Alana Maurushat said that while Panama and Sony made headlines, most cyber breaches go unnoticed.
“We often find in the course of our investigations that an external party has been in a system for several hundred days going completely unnoticed,” she said.
“The only reason why incidents like Panama and Sony appear in the media is because the hacks were performed in order to attract media attention – that was the goal.
“Most of the cyber attacks and investigations IFW addresses involve incidents where the perpetrator wants to go unnoticed, lurking in the shadows for as long as possible. Media attention, or any attention for that matter, is undesirable – these are the cyber incidents that companies should be most aware of.”
In light of the increasingly malicious nature of these cyber attacks, and the potentially serious monetary damage to companies they cause – not to mention reputational harm – many CFOs are justifiably focused on making sure their organisations’ cyber security measures are upgraded and maintained.
Valerie Rainey, CFO of INTTRA, and chair of the Business and Industry Executive Committee of the American Institute of Certified Public Accountants, said CFOs can no longer afford to not take an interest in cyber safety.
CFOs should ensure they’re up-to-date with cyber security issues that are specific to their company, Valerie said.
“You need to understand where attacks are coming or could come from, how the attacks are coming in, and what kind of data hackers are going after,” she said.
“As well as what mitigations are in place to prevent attacks.”
Four top tips for CFOs to protect their business and secure its data:
1. Map and classify data
It’s imperative that CFOs know the types of data in their company’s system. That means figuring out what data is sensitive and what data is not so sensitive.
Undergoing a data mapping exercise is the best way to find out this information.
Data mapping is constructing a digital inventory of where your company’s data resides and what it consists of, in order to discover the types of data that might be sensitive. Sensitive data may be financial information, client or stakeholder information, documentation protecting intellectual property or sensitive statistics, if the company is an information-gathering or data-hosting firm.
Information assurance firm, NCC Group, said data mapping helps to define and understand the types of data held within the business so that you can determine the sensitivity of data based on the overall damage that would be caused due to a breach of confidentiality, integrity or availability of information.
By measuring data based on its sensitivity, a business can classify or rate its data and define its protection requirements.
2. A response is critical
In the article 5 Things CFOs Must Know About Their Role in Data Security, Dev Tandon said that putting protocols and levels of protection in place is the first and most necessary step to defend a company from a security threat.
“If data is hacked, CFOs must have a response plan in place,” Dev said.
“Strategy often depends on what information is lost or threatened. For example, if proprietary information, such as Intellectual Property, is accessed by an outside party, it can harm the profitability of a company through its ability to remain competitive.
“Leaked customer information can lead to major attrition and the inability to acquire new customers. Even worse, publicly-traded companies can lose public faith and face a downward-spiraling stock price.”
Dev says that cyber-attacks should be dealt with swiftly by data security experts, so there is minimal damage to the company’s bottom line.
“We recommend CFOs engage in consulting with data security experts to put a data breach program in place. Even if they never expect to be hacked, a well-planned response strategy is critical to reducing the damage that follows,” he said.
3. Prevent the threat from within
It’s an unfortunate fact that internal threats are usually more likely than the threat of external hacking.
“Despite the fact that most ‘hacks’ are performed internally by employees within an organisation, this doesn’t make for a great media story, which is why stories are more often focused on malicious hacking activities,” Alana said.
“A well designed system has various levels of access, use, and disclosure controls appropriate to the level and role of the person using the data and its systems.
“A good system monitors this carefully with warnings when there is the likelihood that data is being accessed without authorisation.”
Dev Tandon also weighs in on the subject, saying that employees are often reckless with company data – taking documents home to work on late at night and failing to log out of applications – and that’s not even taking into account employees who no longer work with the company.
“Many businesses forget to close down old email addresses or application accounts; they forget to change passwords to all systems, giving former employees ample opportunities to access sensitive information,” he said.
“If they feel they were treated unfairly by their former companies, then senior leaders have even more to worry about – these individuals are motivated to wreak havoc and create lasting damage with access like that.”
Dev also said that CFOs, as business leaders, need to take charge of their data security, especially sensitive data related to financial and customer information.
“They must clearly define what employees can and can’t do with internal data. CFOs can start by outlining these rules in their employee handbooks and forcing automatic password resets on all applications, servers, and networks.”
Other tips on how CFOs can hold employees accountable for how they handle company data include:
- Organising regular employee training sessions and keeping employee-signed documentation up to date with new protocols as needed;
- Ensuring all staff and internal resources understand their responsibility to protect company and customer data; and
- Encouraging employees to update their passwords often.
4. See data security as an ongoing discipline
Alana believes providing a higher level of cyber security does not simply mean investing in better and more technology.
“Cyber security involves training of staff, risk management assessments, data practice documents, appropriate data access and control mechanisms,” she said.
“You also need threat mitigation case studies, and working groups within a company that involve more than managers and technical staff, to ensure everyone is responsible for data security.”
As data management grows and evolves, so must a company’s data security.
CFOs, along with other executives, should revisit strategies and other security-related elements on a quarterly basis to catch weak points or leaks early.
While data resiliency isn’t built in a day, with enough time, vigilance, teamwork and security tools in place, CFOs can protect their company’s data.