As Seen in CFO Studio Magazine Q1 2017 Issue
CYBERSECURITY CONTINUES TO BE A TOP CONCERN AMONG CFOS
Fran Shammo was prepared to talk about digital media and corporate communications in a virtual world that is rife with cyber criminals, and found the roomful of financial executives a more-than-willing audience. “I am very interested in knowing if CFOs at other companies are experiencing the same kind of apprehension and worry,” explained Mr. Shammo, who stepped down as Verizon’s CFO at the end of October in anticipation of his retirement at the end of the year. Less than a week after he spoke, Yahoo, which Verizon had announced plans to acquire two months earlier, revealed that half a billion user accounts had been compromised.
Mr. Shammo spoke on “Delivering Your Company’s Message in a Digitally Risky World—Communications and Media from the CFO’s View,” at a World-Class Companies CFO Dinner, part of CFO Studio’s Executive Dinner Series, held recently at The Bernards Inn in Bernardsville, NJ. CFOs from select New Jersey–area companies attended the invitation-only dinner. Mr. Shammo said the intense discussion that followed his opening remarks on the cybersecurity concerns that plague him proved that “As CFOs, we’re all in this together when it comes to dealing with the very real and constant threats posed by cyber-attacks.”
Mr. Shammo cited statistics from Verizon’s recent Data Breach Investigations Report, which shows that, among other things, passwords are still the weakest link in the chain. “Sixty-three percent of confirmed data breaches involve using weak, default, or stolen passwords,” he said. This resonated with dinner participants who said they do, indeed, take the issue of passwords very seriously, and noted that password-enforcement programs are in place at each of their respective companies. Mr. Shammo mentioned that Verizon forces automatic password changes on its corporate network every 30 days, which elicited several nods of agreement around the table.
Participants expressed curiosity about the kinds of attacks that have taken place at Verizon. “Given the scope of service Verizon provides,” Mr. Shammo said, “we see almost every kind of attack on a regular basis, and we’re constantly trying to find ways to educate employees to be ever-wary of phishing scams and ransomware.” The group was familiar with the more common phishing scams in which a fraudulent email, appearing to come from a legitimate source, requests personal information. However, ransomware needed a bit of an explanation, which Mr. Shammo provided: “It’s a type of malicious software, or ‘malware,’ that prevents users from accessing their system until a sum of money is paid.”
This caught the attention of Greg Douglas, Vice President of Sales for Eatontown-based Yorktel, a video-communications and managed services provider, and a CFO Studio Business Development Partner. “It’s so important that everyone be informed and trained on cybersecurity. It’s not just for the people in Information Technology (IT), as the threat is huge.” He continued, “Financial executives are choice targets for hackers because of their authority to control company funds. They need to be particularly vigilant in their actions to avoid being compromised.”
Mr. Shammo agreed, and offered his fellow finance execs a sobering reality: “There is a high probability that every one of your companies has been hacked.” He added, “Most of you just don’t know about it, nor do you have any idea about who has been in your system, when they were there, or for how long.” In order to combat such cyberattacks, Mr. Shammo recommended long-term contracts with security firms.
Does Privacy Still Exist?
The conversation then shifted to mobile devices: “Years ago, we were all issued a company device that was for business purposes only, and secure. Then, we started bringing our own devices to work,” Mr. Shammo said, acknowledging that this resulted in a whole host of security concerns and problems for the IT department.
“I see things coming full circle,” he opined, “with a return to company-issued devices.” Attendees were in agreement; just about everyone in the room had a personal phone and a work phone in their pocket. “This is actually a good sign,” said Mr. Shammo, recognizing that “we are simply becoming more mindful about keeping personal stuff personal, and business strictly business.”
Mr. Shammo predicted that the next wave in security is going to be triple authentication procedures. “Double authentication,” he explained, “in which you log in to a website and receive an access code to enter will no longer be sufficient.” He continued, “It’s going to come to a point where, in order to get into a site, you’re going to have to allow location services to be enabled on your phone for an extra layer of protection.” This led to a consensus that, as years have gone by, there is simply no privacy anymore.
A Rock and a Hard Place
The evening was coming to a close as Mr. Shammo finally addressed digital media. “Verizon is a network company as well as a digital media company,” he said, “so there are different regulations that apply to different parts of our business, and different regulatory agencies that apply them. As a company, we are very focused on protecting our customers’ privacy across the entire company. From a regulatory perspective, however, it doesn’t make a lot of sense for consumers to have different rules and different regulators dealing with different parts of the Internet ecosystem.”
Mr. Shammo concluded that it’s a “fascinating world” right now. “Things are converging, and our ability to regulate or control privacy is just not keeping pace. We must be extremely careful about protecting the work we do.”