This question was asked during the Proformative
How are CFOs, in collaboration with IT, mitigating risks associated with "cyber espionage" and the proliferation of mobile devices accessing sensitive corporate data? (Webinar Attendee Question)
Answers
There is no quick answer here. Overall
http://www.telos.com/news-and-events/industry-news/industry-news-archive.cfm
http://news.cnet.com/8300-5_3-0.html?keyword=cyber-espionage
http://www.dhses.ny.gov/ocs/awareness-
I think in essence things have not changed much in the type of problem, but more in scope. This has long been an area for collaboration between IT and Finance.
My first step remains an information audit; ITAR, HIPAA and others require it, and it is a good first step for anyone. What are the paths for information, and how is it protected? Bad is not having good policies; worse, you don't want to find out that you've been storing SSNs in an internal-rogue context because they were stolen.
Strongly communicated policies are next. If you're going to allow BYOD (and not all companies do), what restrictions will you apply? Will IT get to touch/wipe all BYODs? Are there things that shouldn't be taken home or remote-officed? (The answer is "yes".) And be prepared to enforce these policies. Make it clear that just as you would fire someone for storing the company's cash in the trunk of their car because it is "convenient", so too does violating data storage policies trump utility arguments.
In parallel, a battle must be fought on what information is captured and retained. When you are deliberately capturing user-identifiable data, such as in a HIPAA context, you will probably have good ways to restrict and protect that information. However, just as the black-hats are finding new ways to steal information, your own internal people are finding new ways to capture it. That data can create
The final step is the good news: just as the black-hats have new tech and avenues to penetrate your defenses, new defenses arise. Document-level access control, centrally managed intranets and through-to-BYOD VPNs are all areas where Finance should be collaborating with IT on cost-benefit and process deployment.
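The answer above recommends an information audit so you discover, before an attacker does, where sensitive values such as SSNs have ended up in places nobody planned for. The script below is an added example (not code from the original post or from Proformative) of the simplest form of that audit: a read-only scan of a file tree that flags SSN-shaped values, applies the Social Security Administration's structural rules (area 000, 666 or 900-999, group 00 and serial 0000 are never issued) to cut false positives, and reports only masked values so the audit log itself does not become a new copy of the data. The file names and contents are constructed for the demonstration; the directory layout, suffix list and masking format are assumptions, not anything the post specifies.

```python
import re
import tempfile
from pathlib import Path

# Dashed SSN shape AAA-GG-SSSS; word boundaries stop it matching inside longer numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules so order numbers and test values are not reported."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_text(text: str) -> list:
    """Return (line_no, masked_value) for every plausible SSN in the text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if looks_like_ssn(*m.groups()):
                # Keep only the last four digits in the report.
                hits.append((line_no, "***-**-" + m.group(3)))
    return hits


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk a directory read-only and map relative file paths to their findings."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = scan_text(text)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample tree: one file with real-looking SSNs, one with values that
# match the shape but fail the SSA rules, one chat log with a stray SSN, one noise file.
SAMPLE_FILES = {
    "finance/payroll_export.csv": "name,ssn\nAlice Example,123-45-6789\nBob Example,987-65-4321\n",
    "shared/meeting_notes.txt": "Order ID 000-12-3456 is not an SSN; ticket 666-01-0001 neither.\n",
    "shared/support_chat.log": "customer gave 219-09-9999 over chat for verification\n",
    "it/build.log": "build succeeded in 12-34 seconds\n",
}


def build_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict:
    """Create the sample tree in a temp directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for line_no, masked in hits:
            print(f"{rel_path}:{line_no}: {masked}")
```

Run against a real share, the interesting output is the paths you did not expect: the payroll export is a known system of record, but an SSN in a support chat log is exactly the "internal-rogue context" the answer warns about, and it should feed the retention discussion in the next paragraph rather than just a cleanup ticket.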