
However, there is a delicate balance between building the barricades and allowing your employees to work productively. So how can CFOs prioritize investments in their security infrastructure, while still enabling a happy workforce?

We dove into this and more during our panel “Building The Barricades: Securing IT In The Hands of Employees” as part of our 2014 CFO Technology Conference. Decidedly the most animated of our conference panels, our speakers debated the types of security investments CFOs should consider now and in the future, how new global threats may already have planted themselves in corporate networks, and what CFOs should immediately ask their IT teams about their security posture.

We learned:

The Boundaries Are Changing

Panelists:

  - Stuart Buglass, VP, Radius Worldwide
  - Maria Lewis Kussmaul, CFA, Co-Founder and Partner, AGC Partners (Moderator)
  - Harold Moss, Director, Security Strategy and Emerging Technology, EMC
  - John Worrall, CMO, CyberArk
  - Gil Zimmermann, CEO and Co-Founder, CloudLock

First things first – the boundaries that you think need protection are no longer the ones at risk. According to one panelist: “When I started this work, we used to focus on firewalls and software encryption. Now I focus my time on protecting the actual data, which is a strategic change in many organizations.”

In fact, the panel agreed that personal data is the biggest sector that needs better protection, both domestically and internationally. For example, look at the finance, retail and healthcare sectors – we’ve been hearing of breaches for years, and it’s not just because these industries are the easiest to hack into. It’s because the data these industries hold on their customers is some of the most valuable out there. And it’s not just personal data that’s of interest – protecting trade secrets and critical company information is right up there too.

And now, as more employees demand access to corporate data across multiple devices, inside and outside of the network, CFOs must take a step back to understand where their data is accessed, by whom, on what devices, and most importantly, why. This is something you want to review regularly and build policies around.

Assessing Your Risk

There is a saying that goes “You don’t have to outrun a bear, just the guy next to you.” For a long time, this was the security stance that was taken by many companies – as long as you have more barriers around your company than your competitors, you could be assured some level of security.

However, those days are long gone. As a panelist explained: “If there is a hacker overseas who’s being paid to find new plane schematics from Lockheed, he won’t care about Boeing’s security. He’s going to focus entirely on Lockheed’s data and system weaknesses, as that’s how he’s going to feed his family.”

Therefore, when you’re assessing your risk, you can’t focus on what everyone else is doing, and you certainly can’t rest on your laurels by only being compliant with data standards. As one panelist stated: “Don’t get lulled into the false sense of security of being compliant with ISO standards, as this essentially advertises what your security protocols are.”

Rather, you need to turn your focus inwards to understand what your employees are doing on your network, and how they may unintentionally (or intentionally) expose your data to the outside world. The panel confirmed that traditional security methods, such as firewalls, data encryption technologies, antivirus software and rotating passwords, are still critical, but CFOs must understand that many breaches these days occur through social engineering. After all, you don’t have to break into the bank if you can just bribe the guard.

For example, think of third-party applications, such as games you can download on your phone. Many offer incentives to email and challenge peers to play, and ask for connections to social media platforms, pictures, geo-location, and more. While your employee is racking up game points, they’ve also just unknowingly given the game developers the ability to impersonate them and access your information. This is an incredibly easy and non-malicious way for employees to expose your company to threats from within your walls, without realizing the risk this carries for the protection of your data.

(We’ll pause here while you send out an email ordering all employees to delete Candy Crush and Angry Birds from their company-approved devices.)

The message here? There are holes everywhere that traditional (or overstretched) IT resources just don’t see. For example, one panelist shared that he has an employee who can hack into other people’s Bluetooth connections and listen to their conversations, and that he even knows of a few people who can hack into pacemakers (yes, the device that goes in your heart and helps it beat) and dabble with the settings. Hackers have even been known to get into webcams on laptops and surreptitiously record confidential information and conversations.

While you are most likely sitting back and thinking “Who thinks of this stuff?”, realize that someone somewhere already has, and more likely than not, it has already been downloaded by your employees onto their (or your) devices and network.

Education Is Your First Best Defense

Now that you’re thoroughly scared, let’s talk about how you can defend yourself.

Not surprisingly, according to our panel, data protection is everyone’s responsibility. While they did concede that larger companies have specific departments and resources dedicated entirely to security, that doesn’t mean that smaller companies can’t have a proactive security posture. After all, you could spend unlimited resources and funds on data protection and never be fully protected.

Therefore, for smaller organizations, the panel recommended that CFOs take an ‘all hands’ approach to data security by pulling in their IT teams, employees, third-party providers, etc., in order to fully understand their risk exposure and immediate and long-term methods to protect themselves.

Afterwards, the best place to get started is educating your employees on the risks that you are exposed to, and how they can help strengthen your security. While you most likely want to build a fortress around your headquarters after reading the last few paragraphs, know that there is a balance between fortifying your security and allowing your employees to do their work in the way that helps them be the most productive.

Your education should focus on the primary information that can be accessed through basic data, as well as the improper uses of data that expose your company to serious risks. For example, email addresses are still a hugely popular gateway for hackers, and can be dangerous in the wrong hands. By teaching your employees basic email safety protocols, you can lessen your risk and potential exposure. Also consider password aging or encryption tools and policies that force your employees to re-secure their devices and systems access at set intervals.

The panel also advised that education without an accountable policy (or policy without education) would be an exercise in futility for most CFOs. After all, most attacks and breaches don’t come from highly skilled or organized outside groups, but rather from misaligned or malicious employees who share important, even encrypted, information over insecure channels.

Therefore, as you’re educating your employees and constantly communicating about the security threats they and you face, also be sure to educate them on the systems and safeguards you have put in place that not only protect them and your data, but are also enforced among all employees. For example, many systems today will safely ‘nudge’ employees to let them know when they’re doing something wrong – make sure they know about this.

5 Questions You Need To Ask Your IT Team, Right Now

Wrapping up the panel, our speakers shared these questions that CFOs should immediately ask their IT Teams:

  1. Do you have a dedicated IT security person within this department? If not, how much does the team collectively know about data security?
  2. What data is the most important to our business?
  3. Who has access to this data, and who needs access to this data?
  4. When was the last time we conducted a security audit?
  5. Are employees accessing systems on their mobile devices?

Armed with these questions, a little common sense and a good appreciation of the creativity of hackers, you can kick off your process of building better barricades that allow your employees to work freely, while assuring that your data is secure. 

Photos and More Information

For more information on this or any of the upcoming events The CFO RoundTable has planned, please click here.
