Cyber Insecurity: Are Finance Executives Overlooking Third Party Risks?

Assessing Capabilities

In a fierce and fast-moving economy, companies are only as competitive as their partnerships enable them to be. But as common as it has become for businesses to replace, or complement, in-house capabilities with third-party agreements, they may be overlooking the cyber-risks they are acquiring in the process.

Such alliances allow companies to stay focused on their essential competencies, assigning other activities to organizations with the ability to perform them more efficiently. The web of agreements, which may include strategic suppliers, as well as providers of network security and data management, offers the tangible benefit of enabling companies to reduce costs. But the arrangements also expose companies to additional risks, offering a “side-door” through which cyber-hackers try to slip undetected, sneaking their way to a treasure trove of valuable data

There’s not much companies can do to minimize that risk. At least that’s how many finance executives act, according to a recent study. The survey, titled Cyber and Data Security in the Middle Market, was conducted by CFO Research, in collaboration with Visa and U.S. Bank. The online questionnaire drew 316 responses from U.S. finance executives, a plurality of whom hold the title of CFO, with controllers also amply represented. All respondents work at companies with annual revenue of more than $25 million and up to $500 million. The survey-takers represent a broad range of industries.

Under Reviewed

Even if the employees at your company are following proper procedures—in terms of handling company data—that’s no guarantee that outsourced workers have been trained to follow those procedures. Finance executives at middle-market companies find themselves in a bind; their need to turn to partners also opens up more data-access points. “To be honest,” one survey respondent writes, “outside, third-party expertise is required to be as safe as possible. Internally, we do not have the manpower or experience.” (Paradoxically, more companies will need to outsource cybersecurity in coming years as a result of a growing shortage of workers with the requisite skills.)