It’s the new year, which means new budgets for enterprises! With cyberattacks being one of the top three financial risks facing businesses today, financial leaders can ill afford to overlook cybersecurity as a serious component of 2019 planning. We recently teamed up with our partners at Embark to develop the following blog providing best practices for accounting and finance leaders to educate employees about the ever-evolving cybersecurity landscape, as well as shedding light on how CFOs can view security solutions as a business driver. This blog was originally authored and published here by Embark.
We’ve spoken about cybersecurity as it relates to internal auditors—how they play a critical role in preserving data and system integrity and are a vital, yet single, component of a comprehensive approach to cybersecurity. Embark now feels it’s as good a time as any to take a step back and look at the broader picture to examine how accounting and finance leaders also play a crucial role in shoring up any binary cracks in the armor.
To all of those in accounting and finance reading these words, we urge you to take these best practices to heart because, like it or not, they could very well keep your enterprise, stakeholders, and workforce safe from the digital scoundrels that would like nothing better than to take what isn’t theirs. And, as always, your financial consulting gurus at Embark are here to lend our expertise and guidance to the cause, eternally on the ready to roll up our sleeves and help your enterprise be as safe and secure as possible.
Think of Your Home Security
Chances are your home contains the people and items you value most in your life. Therefore, it only stands to reason that you place a high value on securing those individuals and things. When it comes to cybersecurity for your enterprise, your organization is your home, and your alarm system and lockboxes are your cybersecurity measures and procedures relative to your internal IT environment.
Likewise, think of the cameras, door and window locks, perimeter fence, and security gates outside of your house as the control environment for your enterprise. Those outer controls govern what data enters and leaves your systems, just as they govern who enters and leaves your property. The measures inside the house, your alarm system and lockboxes, maintain the integrity of the data once it is in your systems. The two layers work together: the perimeter controls decide what gets in and out, and the internal controls make sure what is inside stays intact.
A Data Breach Can Cost You Dearly
Obviously, cybersecurity is no longer the exclusive domain of your IT department. In fact, data and system integrity as well as risk mitigation should be near the top of every CFO’s list of things that keep them up at night, particularly in light of the mounting financial costs of a data breach. When factoring in the additional toll a breach has on brand reputation and loyalty, the stakes are simply too high not to take cybersecurity seriously or to delay the implementation of impactful technologies wherever appropriate. Many small and midsize businesses do not survive a breach, and those that do face significant work and expense to rebuild their brand reputation. Still need convincing on the escalating need for airtight cybersecurity solutions? These foreboding statistics should do the trick:
- On average, enterprises with comprehensive security in place saw no more than a 3% drop in stock price, fully rebounding within 4 months of a breach.
- Firms with insufficient data security dropped as much as 7% after a breach and had yet to fully recover within 4 months.
- The average data breach costs enterprises $3.62 million.
- Over 70% of IT departments consider brand protection outside of their responsibilities, leaving those concerns to other harried departments within the enterprise. With privacy and data protection legislation being passed within the United States and around the globe, the cost of a data breach touches every part of your business, because most of this legislation follows the consumer’s data rather than the company’s location. Have you heard of GDPR?
However, all is not doom and gloom on the statistical side of the data breach fence. While many CFOs have viewed investments in IT security infrastructure as pure cost with no return, technology has evolved to the point where such expenditures are now growth drivers as well as security solutions. In fact, investments in identity and security management can save as much as 40% of total technology costs, while also enhancing employee efficiency and productivity. Of course, not all technologies and innovations are created equal, so relying on a fleet of digital finance experts like Embark can be like someone handing you a powerful flashlight in a pitch-black room.
The Good Stuff: IT & Security Teams Can Provide a Powerful Defense
Embark knows that you aren’t reading this to terrify yourself over the countless sources of digital danger and thievery lurking in the binary shadows. So on that note, we offer you some useful best practices that can help you form a powerful cybersecurity defense, beginning with your IT and security teams as well as individual employees throughout all levels of your enterprise. After all, comprehensive, effective cybersecurity is the epitome of a team effort, so getting everyone involved will always be an essential first step. That said, accounting and finance leaders must educate their people on the following items on a continual basis, ensuring they are always at the forefront of the dynamic, ever-evolving cybersecurity landscape:
- Always train and retrain team members on identifying suspicious activity. Employees play a critical role in the overall security of an organization, and a large share of the attacks companies suffer each year begin with an employee action, such as clicking a phishing link, that broader internal awareness of good security practices makes far less likely.
- Identify, isolate, and protect the enterprise’s most sensitive data, especially data covered by compliance regulations. Compliance doesn’t always mean you are secure, but it should be an outcome of your security best practices.
- Apply security patches as soon as they’re available to minimize the window of exposure. Don’t suck at patching. It is one of the easiest ways to protect your organization, and unpatched systems are one of the easiest ways for threat actors to get in.
- Use encryption to protect data both in transit and at rest.
- Monitor and actively manage who and what can access any cloud services, and review those access grants regularly.
- Implement technical controls like firewalls, malware protection, and intrusion detection to build a digital moat around your environment.
- Mandate a signed acknowledgment of security policies and procedures, quizzing team members on those policies to ensure a thorough understanding of the material and the stakes at hand.
- Concerning BYOD policies, hold a team huddle to evaluate whether the cost savings and convenience of personal devices outweigh the cybersecurity risk they add. If you allow them, implementing the right controls is essential, and be transparent with employees about what those controls do on their devices.
- Educate and train individuals on the same topics, and require strong passwords, multifactor authentication, and restrictions on the types of data that can be stored on personal devices. Limit personal-device access to users who have demonstrated basic security competency, and set clear rules for public Wi-Fi hotspot use and for handling links or attachments from unknown senders. These practices will help build a secure culture within your organization.
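As an added example (not code from the original post, Armor, or Embark) of what "monitor and actively manage access to cloud services" looks like in practice, the script below walks a constructed sign-in log and flags the two things the list above calls out: successful sign-ins without multifactor authentication, and sign-ins from outside the networks the company trusts, such as a public Wi-Fi hotspot. The log format, field names, user names, and trusted network range are assumptions for illustration; real providers' audit logs use different field names but record the same facts.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed sample sign-in log in JSON Lines form. The field names are an
# assumption for this example; real providers' audit logs differ in naming
# but record the same facts (who, from where, with or without MFA, outcome).
SAMPLE_LOG = """\
{"user": "alice@example.com", "source_ip": "203.0.113.10", "mfa": true, "result": "success"}
{"user": "bob@example.com", "source_ip": "198.51.100.7", "mfa": false, "result": "success"}
{"user": "carol@example.com", "source_ip": "192.0.2.44", "mfa": true, "result": "success"}
{"user": "bob@example.com", "source_ip": "198.51.100.7", "mfa": false, "result": "failure"}
{"user": "dave@example.com", "source_ip": "203.0.113.99", "mfa": false, "result": "success"}
"""

# Networks the company treats as trusted (office egress, corporate VPN).
# Assumed value for illustration.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(text: str) -> List[Dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_sign_ins(events: List[Dict]) -> List[Dict]:
    """Flag successful sign-ins that lack MFA or come from an untrusted network.

    Failed attempts are skipped here: they did not grant access, and they are
    better handled by a separate brute-force / lockout check.
    """
    findings = []
    for ev in events:
        if ev.get("result") != "success":
            continue
        reasons = []
        if not ev.get("mfa", False):
            reasons.append("no MFA")
        if not is_trusted(ev["source_ip"]):
            reasons.append("untrusted network")
        if reasons:
            findings.append(
                {"user": ev["user"], "source_ip": ev["source_ip"], "reasons": reasons}
            )
    return findings


def users_needing_mfa(findings: List[Dict]) -> List[str]:
    """Users who got in without MFA: the list to enrol before the next review."""
    return sorted({f["user"] for f in findings if "no MFA" in f["reasons"]})


if __name__ == "__main__":
    found = review_sign_ins(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['user']:<20} {f['source_ip']:<15} {', '.join(f['reasons'])}")
    print("Enrol in MFA:", ", ".join(users_needing_mfa(found)))
```

Run against the constructed log, the script reports bob (no MFA, untrusted network), carol (untrusted network), and dave (no MFA), and produces a short enrolment list for the MFA requirement. The same two checks, run daily against a real export from your identity provider, turn "monitor access" from a policy statement into a routine that produces a to-do list.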
If any of this elicits the reaction of “This sounds great, but where do I start?”, a cybersecurity-as-a-service partner can come into play here. Extend your security team without having to build your own, purchase the necessary technology tools, or employ personnel to monitor and respond to incidents 24/7/365.
More Good Stuff: How CFOs Can Mitigate Cyber Risk
Needless to say, leadership plays a crucial role in an organization’s cybersecurity effectiveness. While the previous best practices apply in general to accounting and finance leaders within an enterprise, the following tips are especially pertinent to CFOs as they embrace the absolute importance of cybersecurity and, particularly concerning technology, view security solutions as a source of added value.
- Fully understand the risk: Your cybersecurity practices should be a business enabler, not a deterrent. Intimately understanding the differences between a security risk and a business risk is key. While we’re not suggesting CFOs must entirely understand the technical intricacies of risk management in the digital environment, understanding and calculating the possible impact to your assets and reputation, as well as the different types of vulnerabilities and attackers on the prowl, will reveal the severity of the issue and provide sufficient motivation to act accordingly.
- Communication and coordination: CFOs are equal parts quarterback and offensive coordinator within an enterprise. Their view from the top lets them see where business units are short of, or flush with, people and resources, and where to tap needed talent when one unit requires it and another has it to spare. They should leverage that unique perspective and position to both communicate and coordinate a security-focused strategy across departments.
- Cybersecurity budgeting: Perhaps the most obvious data security best practice for a CFO is directing sufficient attention to the most efficient and effective use of the enterprise’s resources on technology solutions and training. Here, the CFO should strive to continually protect the organization within an incredibly dynamic cybersecurity environment.
As overwhelming as some of this might sound, Embark assures you that a deliberate and organized approach to your enterprise's cybersecurity procedures and practices will go a long way in protecting operations, stakeholders, and everyone else involved. First and foremost, adopt a structured and measured strategy in your cybersecurity, particularly with respect to your internal controls, and build your environment around it.