It’s time to test your current events knowledge: Which major retailer acknowledged having to spend $88 million related to a mega data breach in its most recent 10-Q, with more costs expected?
Target immediately comes to mind, right? The prevalence of the retailer’s troubles speaks to the far-reaching effect a cybersecurity attack can have on a company. That $88 million is just a drop in the bucket of expenses and problems Target continues to face following the exposure of its customer payment data over six months ago. The initial tally does not include the company’s anticipated claims for incremental fraud losses nor does it include litigation costs for the more than 100 legal actions filed in various jurisdictions to date or the reputational hit and the faltering loyalty by customers now worried about sharing their credit card information with their local store.
Every day there seems to be a new headline reporting another Internet security breach or data protection lapse – be it hacked credit card data, the Heartbleed Bug or well-crafted phishing scams luring victims to give up sensitive information. If there is an upside, it’s that such news may prompt other companies to do a full sweep of their internal processes and systems to minimize the probability of something like this happening to them.
But will they do a good job? Those companies that make such an effort go beyond the confines of their IT department are more likely to succeed in shrinking their risk. CFOs in particular should take responsibility for toughening up the organization’s cyber defenses if they haven’t already.
Regulators are demanding it: Three years after requiring companies to disclose cybersecurity risks and incidents that are specific to them – and to stay away from generic language – the Securities and Exchange Commission continues to focus attention on the topic. In fact, the SEC hosted a roundtable earlier this year to discuss the challenges of cybersecurity on market participants and public companies, and how they’re getting handled. Just a couple of months later, the SEC’s Office of the Investor Advocate announced that it would study how the SEC and other market participants are actually protecting investors from cybersecurity threats, which further puts pressure on the Commission to keep tabs on the risks.
On top of all this regulatory introspection is a call on auditors to pay more attention to how companies deal with the problem and what they say about it. The Center for Audit Quality recently issued an alert outlining independent auditors’ responsibilities related to cybersecurity risks. Such an alert may cause auditors to up their scrutiny of their clients’ forthrightness about their risks and what they disclose about them.
Data breaches at larger companies make the headlines, but smaller companies are not immune from this threat. In fact, smaller companies may be easier targets because they have fewer resources to deploy in preventing a breach. Think what a treasure trove a hacker could find on your servers — employee information, customer information, engineering design information, your financial information, etc.
What CFOs can do
CFOs can play a critical role in all of this, as the keeper and protector of their business’ sensitive information and internal controls. While your IT gurus, data protection officers and security and privacy experts are addressing “defense in depth” strategies to thwart would-be hackers, here’s what you should be doing.
- Identify the crown jewels: No matter how good your firewall is, let’s assume that everything can be hacked. Hackers are looking for valuable information that isn’t adequately protected, so the first thing to think about is “what are your crown jewels?” This can include information such as engineering and design data, financial information, employee and HR information, and customer or client information. You want to make sure the full scope of your company’s sensitive data has extra security layers around it. And you’ll need to get input from all areas of your company for identifying your most sensitive information.
- Control who has access to that valuable and vulnerable info: Now that you have identified what the critical data is, make sure you know where it resides. It is important to limit access to only the specific individuals who need it to perform their job duties. Do you have proper controls in place to ensure proper authorization is obtained before access is granted? Do you monitor access on an ongoing basis to make sure no unauthorized individuals have access to this data? Is your data backed up so that you are not vulnerable to ransom demands for stolen data? Depending on the size and complexity of your business, you may need to confer with your CIO on what measures are currently in place or you may need to bring in outside expertise.
- Review third parties critically: You can’t outsource your responsibilities. When you use third parties to host, store or process your data, you need transparency in how they are protecting your data and complying with privacy laws. Don’t assume any third party has it all under control. Obtain and critically review SSAE16 reports (depending on the nature of the work being outsourced, you will want to review a SOC 1 report for internal controls over financial reporting or a SOC 2 report for data protection, security and privacy). You may want to reconsider using a company that refuses to share this information or that has questionable results.
- Encrypt like crazy: Is all of your sensitive data encrypted? Not only is it important to encrypt data during transit, but it is also important to encrypt critical data at rest, meaning that information sitting on computer drives, laptops, flash drives and the like. Encryption won’t protect your data from being intercepted, but it can protect the contents from getting read.
- Engage everyone in the effort: Do you have formal, companywide policies around data protection and security? Are they effectively communicated to employees (i.e., not just shared with new staff but distributed periodically)? Employees can unknowingly violate a carefully created data security effort by simply sending an unencrypted email that includes sensitive information. Ongoing training and education are key ways of ensuring that the procedures you have created to safeguard your data are correctly implemented.
If you consistently review and update your policies and systems, train your employees on those policies, and allocate sufficient resources to cybersecurity, you will have taken significant steps to reduce your risk. This should be an ongoing process, not a one-time reaction to a headline about a data breach. In this fast-moving era of hacks and viruses, a protective effort that occurs outside of IT needs to be a matter of course.
Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. Melette Evans, a RoseRyan senior IT guru, contributed to this blog post.