CFOs and IT security: Best practices for protecting data and competitive advantage

Value Added CFO series

In an age in which nearly everything is recorded and stored, virtually nothing remains private forever. And while celebrities may lose their dignity through the misuse of social media, companies can forfeit much more from a data breach, including their competitive advantage.

Today’s CFOs must navigate an expanding thicket of security threats to ensure that vital company data is not only available, but also protected. CFOs know that the data they rely upon also represents risk — especially when proprietary financial and customer information can be accessed more readily than ever. But are they taking sufficient action?

Protect data from costly breaches
IT security breaches can dramatically damage a manufacturer’s relationships with customers, suppliers and shareholders — and expose a company to a range of liabilities and costs for investigations, notifications and responses. The average organizational cost of a data breach is $3.5 million.1

“The reality is that security breaches are happening,” says Kevin Morgan, Business Advisory Services principal and co-leader of the national Cybersecurity practice at Grant Thornton LLP. “At some point, it’s not a question of if. It’s a matter of when.”

Grant Thornton’s recent Value-Adding Strategies Survey found that only 40% of CFOs and other senior manufacturing executives lead their companies’ IT security strategies, are involved with them or — at a minimum — have knowledge of them. The other 60% face major risks — at their companies, and for their own careers.

Manufacturers are particularly vulnerable to security breaches due to their IT-enabled equipment, machinery and devices. In fact, only 31% of executives at these firms rate their IT systems and data as “highly secure.” About half of executives point to hackers and their own employees as their greatest risk factors.

“It’s important for companies to prepare and test, which can minimize vulnerability to IT security threats and also lessen the impact when a breach occurs,” says Morgan. “If you’re not preparing and testing, when a security breach happens, you’ll be dealing with a far-worse scenario.”

Improve the health of your information ecosystem
“Understanding your overall ecosystem of information, and where and how it flows, is a critical step in leveraging and protecting data,” says Morgan. “If you’re a global business and you have manufacturing in China and distribution all over the world, that’s a large ecosystem, whether it’s in-house or used by third parties.”

“We frequently work with manufacturers to map their technical architecture — to understand where the data is, who’s using it and who’s got access to it,” adds Mike Wagoner, Grant Thornton senior manager, business and technology transformation.

Mapping the flow of information helps to ensure that appropriate actions are taken to keep information both secure and compliant with regulatory requirements.

The CFO is the gatekeeper for corporate risk. Given this momentous responsibility, CFOs need to ensure that their companies establish guidelines in a number of key areas:
  • Policies. Create data access policies that secure physical property (computers, servers, smart devices, etc.), data and information wherever they reside (in the cloud, on mainframes, etc.). Then establish and enforce strict authentication protocols for accessing the data.
  • People. Regularly evaluate and perform background checks on system administrators, IT staff and third-party contractors. Individuals accessing data must prove their need for that information based on their roles and responsibilities.
  • Data and information integrity. Update and cleanse data regularly to keep it reliable, available and secure. Aging data can still be sensitive and can still be a target for hackers. Establish and enforce policies to delete old files, emails, etc.
  • Information systems and technologies. Update and upgrade security technologies regularly. Thanks to cloud computing, manufacturers can leverage state-of-the-art systems to battle cyberthreats, but this requires a well-crafted IT plan with regular security upgrades. Grant Thornton’s Value-Adding Strategies Survey found that more than two-thirds of companies invest 5% or less of their information technology budget on technology security/risk mitigation.

Given the critical importance of IT security, Grant Thornton’s Value-Adding Strategies Survey data shows that many CFOs could be doing more to protect their companies’ information. Are you satisfied with the security of your company’s IT systems and data?

1 2014 Cost of Data Breach Study, The Ponemon Institute, May 2014.