On October 8, The Philadelphia CFO Leadership Council presented Cyber Security: Practical Protection For The Modern Age, a panel discussion focusing on the best and most effective ways to improve your company’s security posture and minimize exposure threats.
Here’s What We Discussed and Learned:
All Companies Are Prey For Cyber Threats
Any organization, regardless of type and size, is susceptible to a cyber attack. And, it can present itself in a variety of forms. Whether it’s ransomware that restricts use of your computer system until you pay a fee or hacktivists attempting to spread their messages, you must always be on guard. As one of our panelists stated, your company will always have something of value to target. Some of the most common areas of invasion include:
- Anything that is fungible, such as company intellectual properties
- Procurement channels, which generate paychecks and money transfers
- Third party vendors
- Health care records
- Payroll information
- Interoffice e-mails
Be Cognizant Of Where Problems Can Lurk
One of the most common scams can be found in e-mails. From spearfishing techniques to spoof messages, these e-mails are all created with the common goal of obtaining confidential information. To protect yourself, always encrypt your data and practice good “cyber hygiene” by never forwarding suspicious looking e-mails, as they are generally laced with a code undetectable by malware. For details on implementing a strong security system and meeting your legal obligations to protect sensitive data, our panelists suggest reviewing some of the Federal Trade Commission’s business resources.
Implement and Enforce Strict Computer Safety Policies
First, it is important to start off with a holistic approach. Assess your company data and think about where it is kept, how secure it is, and who can access it. Then, basing your policies off of that information, consider an incident response “data mapping” plan and a carefully selected team, which will report to your top tier company executives. It is also imperative to educate all of your employees and contractors on company expectations and safe practices. As our panelists readily agreed, if policies are not being strictly adhered to, then they are useless. All employees should be required to sign a form stating that they were sufficiently trained in security measures, then, from that point, policies can be strictly enforced. For further information, we recommend that you review the guidelines provided by the NACD.
Assess Your Risks With Your Team
In figuring out all of your risks and weaknesses, it is important to have an initial meeting with your IT team to discuss the state and safety of your data. And, keep your incident response team actively involved, as they need to be kept up to date so that they can take action when problems escalate. Then, do an assessment under attorney/client privilege and discuss how you should delete, purge, and retain data, as needed.
Adhere To Strict Employee Guidelines
When you have your plan in place, you must keep it fresh and assess it every few years. It is important to give your employees incentives to practice safe network use and implement consequences for those who don’t. And, always be on the lookout for anything suspicious, keeping in mind that the biggest exposure is when you are hacked more than once.
Secure Maximum Protection For Your Data
Cloud providers offer one of the best solutions for companies to obtain the tightest data control and security. But, before you sign a contract, give careful consideration to the agreement so that you fully understand your exposure and audit rights and know where your data actually is. And, make sure that you will be notified if your cloud vendor has been breached
Our panelists also strongly recommended cyber insurance, updated to reflect your business needs and cover all of your risks. However, keep in mind that insurance companies can dictate your policies and, in many cases, accident forgiveness will not be included. Furthermore, many third party vendor liabilities have a lock on the market, but litigation is now beginning to challenge that.
So, what’s the best way to protect your data? Here’s what our panelists recommended:
- Assess your known threats, including hardware and devices, and encrypt your data.
- Get a plan that’s tailored to your organization.
- Make sure that your IT team is constantly up-to-date with company tools and systems.
- Always know the location of your data.
- Guard your data perimeter, including your network, firewalls, and AppSec.
- Perform malware detection and antivirus runs on all systems every other week.
- Evaluate your physical infrastructures, including your phone systems and videoconferencing capabilities.
- Ensure that employees are logging off and turning off their computers and systems when they leave the office.
- Limit employee access to data. If they don’t need it, then don’t give it to them.
- The most important data should have the strongest defenses around it.
- Watch for anomalies in your network traffic. If a workstation is beaconing out at 2 am, then it’s, most likely, infected.
- Hold regular meetings to discuss any issues or suspicions.
- Post bulletins and threat alerts, if needed.
Unfortunately, you will probably not find out about a breach until after it has already happened. But, when you do identify one, it is important for your incident response team to have complete authority and take immediate action. Our panelists agreed that, as a CFO, you should not be running a cyber incident. Your role is to be part of a team that should be kept informed. Furthermore, there are legal issues if you get involved, so take the advice of our panelists: Keep calm, carry on, and let the incident response team take over.
For more information on cyber security and protection we encourage you to take a look at the following resource, provided by KPMG:
For further references, here are some of our related blogs: