Cyber security for CFOs

This mobility and outsourcing now means that enterprises can’t control their infrastructure anymore. Creating walls around technology no longer works. To combat cyber threats, it’s time to look at the problem differently.

In February 2015, The NYC CFO Leadership Council presented “Cyber Security: Where Are We Now?” where our panel of security experts dove into the issue of cyber threats today, their motivations, and how smaller, private companies can handle threats just as effectively as their larger counterparts.

We learned:

You’ve Probably Been Breached

According to our panel, there’s two types of companies – those that have been breached and know it, and those who have been breached and don’t know it.

In fact, the panel stated that the average amount of time that a hacker is on their network before they’re identified is 8 months. In that 8 months, the attacker has more than enough time to run through your infrastructure, locate the data and resources they’re looking for and move on.

The Threats Are Becoming More Diverse

We’ve been witness to what seems like an ever-widening pool of motivations to breach a company. From Sony to Target to what now seems like commonplace DOS attacks against U.S.-based financial companies, threats range now from your standard hacker to hacktivists, political and diplomatic threats, and more.

Take for example the cases of:

  • The Sands Casino attack, where the CEO made public comments that angered a particular group. In retaliation, they launched a sophisticated attack against their network.
  • The Sony Pictures attack, where some hypothesize that the attack was state-sponsored cybercrime.

The problem is even moving to the supply chain – for example, the Target breach’s starting point was through the stolen credentials of one of the company’s HVAC vendors. As mentioned above, more enterprises are taking advantage of the cost savings found in cloud-based applications, and while have security certifications, this does mean that your sensitive data is now being managed in someone else’s system.

Threat Identification Means Knowing Your Network

All of the bits and pieces mentioned above – personal devices, mobility, supply chain access, etc. – work together to provide additional endpoints of entry that could introduce additional risks and vulnerabilities. Your job as CFO is to understand all of these entry points, the risks that they pose, and do your best to prevent breaches before they occur.

This first means that you must understand what and where your most important assets are, and what their normal behavior is. For example, you must be familiar with who is doing what on your network, and what actions are normal actions. Further, your internal IT team should understand what unusual traffic patterns look like. (For example, hundreds of Gigs of data were extracted from Sony prior to them identifying the breach. A good systems administrator should be able to see this and ring the alarm.)

And let’s be clear – size doesn’t matter when it comes to hackers. While you might think you’re too small to attack, quite frankly, you’re wrong. In today’s age, there’s no such thing as obscurity anymore. While you might not have state secrets or highly sensitive information that you might consider attractive, you do have resources and infrastructure that a hacker might want to rely upon in order to help support them during another attack.

So What Can You, The CFO, Do To Help Improve Your Security Posture?

  1. Understand that you’re facing a spectrum of threats from a persistent and well-financed adversary. Sometimes people think that they just don’t have anything that people want, or security by obscurity. You are wrong.
  2. The companies that are best positioned to defend themselves are those that understand what normal network activity looks like. Get together with your systems administration team and identify your most important assets, and understand what normal traffic looks like. Build a chain of command for your systems teams to alert whenever traffic or activity looks odd.
  3. There is no such thing as ‘prevention’ anymore – it’s all about identification and containment of hackers. Remember, just because someone is on your network doesn’t mean that all is lost – figure out the scope and do what you can to get them off the network.
  4. Plan, Plan, and then Plan some more – One of our panelists said that they work very closely with their CFO to plan out cyber attack scenarios. While you may have a great understanding of what your most valuable assets are, your IT team does not. Finance and IT sitting down together can help identify what’s important, what’s the impact of a breach in particular areas, and how you might be able to spot odd behavior on your network that could indicate an attack.
  5. Start vetting vendors for security posture – remember, the more you outsource your operations or put your data into web-based applications, the more endpoints you’re creating for potential vulnerabilities. While this is in no way a bad business practice, it is a good idea to have a security vetting process in place when bringing new vendors on board. For example, ask your Saas vendors for their security certifications, etc. While the security vet may not/will not be the group to approve or deny a new vendor, you will at the very least be able to understand the risk associated and prepare your security plan appropriately.

Most importantly, the panel stressed employee training. For example, make sure your employees are being trained on good password policies, data protection and common-sense device protection strategies. After all, your employees are your first and best line of defense against lost devices, easily crackable passwords, and more. 

For more articles on this topic, check out:

Photos and More Information

For more information on this or any of the upcoming events The CFO RoundTable has planned, please click here.

Want to be the first to hear about our latest news and events? Subscribe now to our mailing list! 


Subscribe Now hbspt.cta.load(238386, ‘847a5939-3f0e-4480-a652-b08110807574’, {});