In today’s cyber dominated world, the risks of online attacks have become constant threats for many organizations. As a result, financial professionals are feeling very vulnerable, as the consequences of security breaches can have devastating effects on company capital, public exposure, litigation, and corporate reputation. And, along with this detrimental aftermath are the significant costs incurred by legal services, lost productivity, card association fines, potential FTC settlements, and

Inevitably, cyber security has become a major factor in the modern corporate world and many CFOs agree that it is now one of their top priorities. With so much information readily accessible at our fingertips, the safety of data has become a daily concern, prompting the role of the CFO to evolve from financial expert to security gatekeeper.

On November 11, The Boston CFO Leadership Council presented Cyber Security: Practical Protection For The Modern Age, a panel discussion focusing on the best and most effective ways to ensure that your company is alert to a variety of cyber threats and protected with a strong security posture.

Our speakers included:


Here are their tips and words of advice:

Be Aware Of Top Cyber Threats

From ransomware to spearfishing and hacking, the threat landscape is vast and still growing. In recent years, high profile enterprise breaches have become much more common, resulting in the violation of credit card numbers, intellectual property, and policy holder records. And, as our panelists agreed, a large number of threats, including payment card skimmers, cyber espionage, web infringements, and POS attacks, continue to be found across multiple sectors.

Internal Users Are One Of Your Greatest Risks

According to one of our panelists, information from a recent survey revealed that less than 50 percent of security professionals have the right controls in place to prevent insider attacks. And, with the prevalence of employees disregarding security policies, installing third party apps, sharing external files, and exposing user names and passwords, the number one company security risk comes from internal users. Alarmingly, insider attacks are now considered a significant threat to most organizations, and, just as concerning, they are far more difficult to prevent and to detect than external breaches. According to a report and data from CloudLock, a cyber security service provider, this serious threat continues to grow. For more information, we encourage you to review the company’s August 26 press release, CloudLock’s Q3 Cybersecurity Report Reveals that 1 Percent of Employees Represent 75 Percent of Security Risk in the Cloud.

Always Be On Guard

So, what are the best security precautions to take? Continued compliance management is essential and not simply a “once in a while operation”. You must always be on guard and strongly advocate password rotations, software validations, app alerting, and badging.  Consider protective software, keep a close watch on high risk individuals, and limit permanent access privilege to key systems. Online monitoring must be a daily, ongoing task, involving sweeps of critical systems, portal based access reviews, and complete accountability for all users. And, just as critical, constantly be prepared for system audits.

Employee Training Is Essential

When considering the most effective ways to educate employees, it is important to make them aware of risks. Although it is imperative to highly protect your most sensitive data, it is not necessary to set an overabundance of downloading rules. Present your employees with real life scenarios and realistic guidelines. Give them examples of phishing scams, evaluate the protection of their mobile devices and laptops, and provide them with test e-mails to see what links and attachments they are willing to click. And, in general, keep in mind that the security perimeter is no longer the “firewall”, it is the individual. Furthermore, because cyber criminals can  usually obtain enough information to target people with scam e-mails and links, security training must be continuous. If it is done only once or twice a year, it is useless. Safe usage policies and procedures must be permanently embedded into the corporate environment.

Be Prepared With A Post Breach Plan

One important piece of advice: Always be on the lookout for attempts to trip your data system. Then, once you identify a potential problem, act quickly by isolating the signal, blocking it, installing controls, and, then, moving on. To be prepared for a breach, you must identify critical data in advance and appoint a team to take immediate action. In the event of an attack, know exactly who you will go to, what the costs are, and what the protocol will be. Simply stated, act in the same manner as you would for any disaster recovery plan.  

For further references on this topic, here are some of our related blogs:

If you have questions, comments, or suggestions or if you would like to learn more about any of our outstanding speakers and topics planned for 2016, please contact us. We welcome your feedback.