Why Finance Chiefs Should Lead on Cyber-Security

With attacks targeting financial data and other critical assets, CFOs must set the tone when it comes to identifying and thwarting cyber-threats.
Tom McGrath and Terry Jost, November 19, 2013

It’s 4:03 a.m., and the CFO’s smartphone rings. Never a good sign.

One of the company’s databases has been breached. Details are still sketchy, but it appears customer records, including credit card and Social Security numbers, have been stolen. It’s going to be a long day.

CFOs, if you think this cannot happen to you, think again. Organizations are now experiencing an average of 122 successful cyberattacks per week, up from 102 in 2012, according to a recent Ponemon Institute study.

Tom McGrath, Americas senior vice chair of accounts, Ernst & Young LLP
CFOs, if you think this is not your responsibility, think again. Across nearly every industry, today’s enterprise measures a significant portion of its overall value based on assets such as financial data and intellectual property. Keeping those assets safe from cyberthreats is a mission that increasingly involves finance executives.

In fact, in the latest CNBC Global CFO Council survey, CFOs rank the possibility of a cyberattack on their corporate infrastructure as their third biggest risk. (The CNBC Global CFO Council is sponsored by EY.) Cyberattack risk even ranks ahead of such dangers as problems with the European economy and terrorism.

If an organization suffers a cyberattack, the injury to its reputation from the theft or loss of data, such as customer account information or technical specifications, can be irreparable.

This potential is only rising with the growing mountains of data that are widely distributed, mobile and frequently changing. In many organizations, however, cybersecurity is viewed as beyond the CFO’s scope. But, in truth, these challenges require CFOs to make cybersecurity a priority agenda item.

The CFO does not need to have a technologist’s mastery of the tools needed to discover and thwart cyberattacks. But the finance chief should communicate the need for the organization to satisfy investors, bankers, customers, analysts and other key stakeholders by doing everything possible to mitigate financial risks to the business.

Trophy Hunting
One of the primary tasks of the CFO is to help the organization identify its most important assets, or trophies, so that all stakeholders can share a common list of priorities and understand what is vital to protect.

This involves the CFO working closely with business and technology colleagues to ascertain and rank data sources susceptible to attack. After all, no organization can possibly lock down every asset. In fact, smart CFOs expend, as a rule of thumb, 80 percent of their resources protecting these trophies.

Businesses use various techniques to prioritize sources and types of data. But there are some trophies that are common to almost every organization. Perhaps the most important is data considered private by major stakeholders.

Such data can include personal information about your customers and employees, as well as financial information about your business partners.

Other core assets include financial information and other back-office data, such as human resources and payroll data.

Now let’s take a look at specific trophies in select industries.

Terry Jost, principal, Ernst & Young LLP

Consumer Products
In this industry, assets that set your company apart and make you a leader in certain markets should be closely guarded. These can include formulas, patents and specialized manufacturing techniques.

To protect these, CFOs should make certain that they gain the attention of the rest of the senior leadership team and key business stakeholders.

Industries are not attacked equally. Those holding financial assets (banks) or running critical infrastructure (telcos) experience more than their fair share of incidents. This makes it important for CFOs in consumer products, an industry that may be less of a target than banks or telcos, to make sure their companies do not become complacent.

The CFO must stress the importance of an overall incident management framework that guards against hesitation and inaction in the event of a serious event. Without a clear plan, a poor response (or lack of a response) may cause long-lasting damage to a company’s brand and relations with consumers.

Oil and Gas
Compared to an industry like consumer products, oil and gas assets can become much more complex to protect. Those assets can be widely distributed around the globe, making them challenging to safeguard.

Among the trophies in this industry are information about exploration, and industrial control systems in general. An oil and gas company’s hard assets – what is called operational technology – can be especially vulnerable to cyber-criminals and hackers. These can include pipelines, ships and even individual gas stations.

To protect these, CFOs should be sure that they spend correctly. Everyone wants to increase operational flexibility and address the “real” cyber threats. But an old truth from automation also applies to cybersecurity: eliminating the first 80 percent of process threats costs as much as eliminating the remaining 20 percent.

CFOs should focus on the security processes and technology that achieve 80 percent of their companies’ desired states. Focus on identifying and protecting critical assets, both digital and physical. Establish continual data monitoring and explore alternatives to disruptive technology, including mobile and cloud, where incidents are likely to occur next.

Higher Education
While higher education may seem less attractive to cybercriminals, colleges and universities are actually among the top targets of cybercrime, which originates from both inside and outside an institution.

Trophies in these institutions often include research data, as well as medical and patient information at hospitals connected to universities. Information technology is also vital to protecting the personal data of all constituents (students, faculty, staff and even alumni, whose details sit in fundraising databases). Operational technology includes campus buildings, notably residence halls and libraries, and CFOs must ensure that access controls for them are robust.

To protect these assets, CFOs should create a vision for both preventing and responding to incidents. Implementing programs proactively will ensure that you stay ahead of the curve.

Because higher education uniquely experiences large numbers of joiners and leavers (e.g., those who enroll in a class for two semesters and then drop out), it by definition carries the potential for cybertheft originating from inside the institution.

CFOs should focus hard on the protection mechanisms for their data. To protect their assets, they should invest in solutions to guard against unauthorized and inappropriate access to applications and information.

Tom McGrath is Americas senior vice chair of accounts and Terry Jost is a principal at Ernst & Young LLP.