As Seen in CFO Studio Magazine Q4 2016 Issue
No longer just the responsibility of IT professionals, the threat posed by cyber attacks is in the CFO’s bailiwick
The issue of cybersecurity has become a matter for entire organizations, reaching from the IT department up through every layer of the business. “It’s now discussed upstairs at the Board level. It’s that serious,” said Paul Mallen, CFO of Amalgamated Life Insurance Company, as he talked about “CFO Perspectives in Managing Cyber Risks” at a Middle Market Companies CFO Dinner, part of CFO Studio’s Executive Dinner Series, held recently at Blue Morel in Morristown, NJ. CFOs from select New Jersey–area companies attended the invitation-only dinner discussion.
“Detection,” Mr. Mallen pointed out, “is just as important as prevention.” He cited an intrusion at an insurance provider in the Pacific Northwest that made headlines last year. “Hackers were in the system for several months before anyone knew it, accessing an estimated 11 million customers’ personal, financial, and medical records.”
In terms of how to detect such a breach, Mr. Mallen said, “There’s really no silver bullet. And the hackers are typically one step ahead of the rest of us. Multiple layers of technology and processes are necessary.” Still, from what he called “a low-hanging fruit perspective,” there are a few hot-button items to consider when attempting to defend against a cyber attack. “Only allow approved software to run on employees’ computers, and minimize administrative privileges by preventing individuals, except those authorized, from making changes in the system.” In addition, he advised keeping applications, plug-ins, and software up-to-date and operating systems current with the latest patches and updates.
The CFO’s Role
Increasingly, CFOs are paying more attention to such measures and controls because, as Mr. Mallen stated, “Typically, our job is to manage corporate resources and risk. …CFOs think in terms of risk vs. return, but when it comes to the issue of cybersecurity, you can’t quantify the return. And the risk could be reputational, financial, and/or customer losses.”
To begin laying the groundwork for a more secure computing environment, Mr. Mallen suggested attendees ask themselves a couple of critical questions: “Where is your data? What data are you trying to protect? Who has access to it, and should everyone in a department have access to the same data?” Once answers to these questions are reached, he said, it’s an opportune time to conduct a risk assessment and a gap analysis. “Then you can methodically approach where your gaps are and attempt to [protect the assets] cost-effectively.”
From a finance perspective, Mr. Mallen said CFOs should determine the amount of money that can be allocated to cybersecurity efforts. “You have to spend your funds appropriately; you can’t allocate capital to all IT requests.” In addition, “As middle market CFOs, we have a unique challenge in the areas of managing capital, and finding and retaining top talent,” he said. He pointed out that it can be difficult for mid-sized companies to hire all the knowledge workers necessary to deal with cybersecurity, due to the many and varied systems most enterprises use and competition for resources from big-name firms.
As a result of this predicament, Mr. Mallen noted that many companies are outsourcing a number of their IT functions as well as turning to cloud computing, which brings along its own set of issues. To that point, he cautioned: “Before picking a vendor to store your invaluable data, attempt to determine if that company is taking all the right measures to secure it.” He recommended compiling an “appropriate and comprehensive questionnaire” in order to glean an understanding of the vendor’s overall security system. “Some of those inquiries should include: How do they segregate data? Who has access to the data? And what are all of their security controls?”
In terms of managing third-party vendors, he added, be sure to get the appropriate reports. “Many CFOs receive a Service Organization Controls report, or SOC 1 report, from a vendor and think that it’s adequate in this area, but it’s not,” as it mainly focuses on financial reporting controls. Mr. Mallen advised requesting a SOC 2 report, which is centered around a business’s other controls as they relate to security, confidentiality, and privacy.
The issue of USB drives, or so-called “thumb drives,” came up at the dinner and, as Mr. Mallen pointed out, there is a “ton of risk” associated with these handy little gadgets. “An employee can inadvertently unleash a virus onto the organization’s network by plugging in a thumb drive that is, unbeknownst to them, infected.” In addition, an employee could download sensitive information onto a thumb drive and then leave the company, or simply lose it.
One way to mitigate this kind of risk, Mr. Mallen said, is to use encrypted thumb drives. A more aggressive approach would be to “lock down your computers so they don’t accept outside drives,” only those that have been issued by the company. To take it a step farther, “Provide thumb drives only to employees that department managers approve” to receive them. In this vein, he said, “You begin to minimize and narrow down your areas of risk.”
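The “only company-issued drives” control described above has a detection side as well as an enforcement side: even where endpoints are locked down, an audit of what actually gets plugged in is what tells you whether the policy holds. The script below is an added example, not code from the article or from Amalgamated Life. It reads Linux kernel USB messages in the format the kernel logs (as seen in dmesg), groups them per port, and flags any mass-storage device whose serial number is not in an approved-issue inventory. The log lines, serial numbers and inventory entries are constructed sample values.

```python
import re
from collections import defaultdict

# Company-issued drives keyed by USB serial number.
# Constructed sample inventory; not data from the article.
APPROVED_SERIALS = {
    "4C530001230412345678": "issued to finance-ops, asset tag FIN-0042",
    "AA04012700012345": "issued to legal, asset tag LGL-0007",
}

# Constructed sample kernel log lines in the format the Linux USB stack emits.
# Port 1-1: an approved thumb drive; 1-2: a keyboard (must not be flagged);
# 1-3: a thumb drive that is not in the inventory.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Ultra Fit
usb 1-1: SerialNumber: 4C530001230412345678
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new low-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-2: Product: USB Keyboard
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-3: Product: DataTraveler 3.0
usb 1-3: SerialNumber: E0D55EA5C9A0
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# One pattern per message type; the port ("1-1", "1-1.2", ...) ties them together.
FOUND_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<product>.+)$")
SERIAL_RE = re.compile(r"^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Group the per-port kernel messages into one record per attached device."""
    devices = defaultdict(dict)
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            devices[m["port"]].update(vid=m["vid"], pid=m["pid"])
            continue
        m = PRODUCT_RE.match(line)
        if m:
            devices[m["port"]]["product"] = m["product"]
            continue
        m = SERIAL_RE.match(line)
        if m:
            devices[m["port"]]["serial"] = m["serial"]
            continue
        m = STORAGE_RE.match(line)
        if m:
            # The usb-storage driver bound to this port: it is a disk, not a keyboard.
            devices[m["port"]]["storage"] = True
    return dict(devices)


def find_unapproved_storage(log_text, approved=APPROVED_SERIALS):
    """Return (port, vid:pid, product, serial) for each mass-storage device
    whose serial is not in the approved-issue inventory."""
    findings = []
    for port, dev in sorted(parse_usb_events(log_text).items()):
        if not dev.get("storage"):
            continue  # keyboards, mice etc. are outside a thumb-drive policy
        serial = dev.get("serial", "<none>")  # a drive with no serial is also not approved
        if serial not in approved:
            findings.append((port, f"{dev['vid']}:{dev['pid']}",
                             dev.get("product", "?"), serial))
    return findings


if __name__ == "__main__":
    for port, ids, product, serial in find_unapproved_storage(SAMPLE_LOG):
        print(f"UNAPPROVED removable storage on port {port}: {ids} {product} serial={serial}")
```

Run against a host's kernel log, this produces one line per non-inventory drive and stays silent for keyboards and approved drives; a drive that reports no serial number at all is treated as unapproved rather than trusted. This is the audit half of the control only: actually refusing the device still has to be done by the operating system's device-control policy, and the inventory of issued serial numbers is what makes that refusal something you can verify.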
From a non-gadget standpoint, Mr. Mallen said, “One of the most important things you can do that is not technology related is to make sure your staff is continuously trained and educated on phishing emails and websites. Links in emails and websites are one way that hackers install malicious software on a computer, which then allows the hackers access to systems and data.” Mr. Mallen also recommended that staff be expected to adhere to all prudent cybersecurity policies and protocols.
Mr. Mallen acknowledged that cybersecurity adds complexity to the system, and “if you make it too complex, there’s more chance for human error or misconfigurations.” In addition, he advised the attendees to “build cybersecurity into new systems that are being put into place, so that it’s already a part of the process for your business units.” You don’t want to create changes in the workflow, he said, nor do you want to make it harder to operate your business. The hackers have that angle covered for us already.