10 ways the CFO can reduce IT security risk.

In today's digital age, the security of business-critical data is not just the responsibility of the IT team. A breach or an exploited vulnerability has an impact that spans all areas of the organisation, so what in the past may have been considered an IT challenge and responsibility can today become the bane of the entire organisation. It is in these increasingly frequent scenarios that adding financial perspective and expertise to the enterprise effort strengthens and refines the protection and response capability.

Poorly managed IT security is a matter of financial risk that affects the success or even the survival of the company. A data breach can bring high costs from its impact on business continuity, loss of information, penalties for improper handling and professional services for remediation, along with long-term consequences such as damage to customer relations and the company's reputation. It is therefore inevitably becoming a responsibility that requires the involvement of Latin America's CFOs. As a quick example, CFOs are now managing financial consequences and overseeing investor relations after a data breach. A recent study by the Ponemon Institute [1] revealed that a company's share prices fall by an average of 5 percent after a cybersecurity breach.

In some cases, attacks have had disastrous consequences for companies' profitability. In 2016, an employee in the finance area of a multinational company fell victim to a type of attack that exploited vulnerabilities in processes. The cybercriminals sent an email to the employee and posed as the CEO of the company. They demanded that the employee transfer millions of dollars to a foreign bank account for a fake acquisition. The organisation ended up losing so many millions that it wiped out its profits for the entire year.

Businesses, assets and resources are conveniently connected to the internet and all involve devices, processes and humans that are subject to being scanned for vulnerabilities. Attack techniques, strategies and targets are evolving and expanding rapidly with both externally mounted tactics and those that use our employees and/or internal assets as an "operator" or stepping stone.

A risky disconnection: a CFO who does not participate in defining and monitoring prevention and protection strategies can already be considered a vulnerability.

Despite these risks, many IT leaders don't feel that other IT leaders are doing enough to safeguard the data, security posture and therefore the future of their organisations. That's why at Ricoh we provide 10 ways CFOs can better align the team, join with IT and dramatically reduce risk.

10 activities where the CFO (and in reality every C-level) strengthens the IT security posture:

Engage in understanding the possibilities of computer security: As a CFO, it is important to have a general understanding of the principles and scope of computer security technology. CFOs should take advantage of the technological knowledge they have picked up incidentally over these decades of interacting with computers. It is also key to allow the CIO to explain and share information about the current IT security strategy: what devices and professional security services the organisation has and how much it invests annually. This will be the start of optimisation and improvement talks within various areas.

Diagram with the CIO how the overall organisation stores, modifies and disposes of data, whether private, confidential, commercial, legal or financial. Understand where it is generated, how it is transported, where it is stored, where and when it is backed up, how many off-site copies exist and how it is verified that it has not been modified or tampered with without authorisation, along with any other logical questions that arise from the C-level angle. Include how paper files are managed: do finance team members leave confidential documents unattended on their desks? Do they maintain paper files in multiple locations, such as different offices or processing facilities?

Implement financial automation technology: Financial teams often rely on manual paper-based processes. However, this can compromise their security. CFOs are investing in automation technology to optimise their processes and better protect their data. According to the CFO Sentiment Study 2018 [2], more than 50 percent of CFOs plan to increase their investment in financial automation technology this year. Through such solutions, they can store all their files in a central and secure system. It also reduces reliance on missing documents and allows them to place security controls around their documents. Keeping all financial data in a single repository also makes it easier for employees to find information. It also provides visibility on demand, helping to make informed decisions and maintain detailed audits.

Identify the human resources that have access to this information and align them to the processes, bearing in mind that every tool opens additional access to the assets. Define a profile for each that specifies rights such as read, write, modify, copy and delete. Within the CFO field, it is recommended to review the financial processes and identify bottlenecks and related users that may put it at risk. For example, do your accounts payable processes depend on a large volume of touch points? The more steps and people involved in a process, the greater the likelihood of errors and data leaks. Gain control over who accesses data: Digital rights management (DRM) technology allows you to create policies on who can and cannot access data. It encrypts files so that only authorised users can access them. It also enforces security policies on desktops, smartphones and other devices. In this way, employees can gain secure access to files and applications, regardless of their device or location. This increases employee productivity, as they don't need to be at their desk to view financial data and collaborate with others.

Review the basics: Don't forget that small, simple details can make a big difference. In IT security, the vast majority of attacks come through basic, known vulnerabilities, or could have been prevented with good practices and policies alone, such as: use of strong passwords, periodic password changes, correct user assignment, restriction of application installation, hardening of operating systems and applications with unnecessary connection ports closed, antivirus / antimalware and many others that do not require large budgets to implement.

Budget: It is important to earmark a specific budget for IT security and to monitor its correct application and implementation, as it is sometimes mixed in with the general IT budget, where business emergencies or events can cut or postpone it. According to Forrester [3], organisations that invest more in IT security experience 6.8 fewer breaches than others. They also save more than $5 million in breach costs. Work with the CIO to decide how much to spend on data privacy, cyber security and technology. Also keep investors, the board of directors and other stakeholders informed about IT security efforts.

Auditing: Most devices and systems have functionality that allows them to be monitored. Activating it and verifying, or automating the verification of, access, activities and logs makes it simple to find the trail of malicious activity. The technological scope here is wide: there are even solutions in the industry where, regardless of the devices, the communications network (the mandatory route) acts as the sensor and detector of known or suspected attack patterns.

Act according to risk and financial loss calculations: It is important that someone with experience in risk and return-on-investment exercises compares, on a sound basis, the likelihood and extent of potential impacts against the cost of preventing them, and weighs decisions and priorities for action before, during and after an attack.

Involve an experienced technology partner in the analysis of the current situation and the design of prevention, containment and remediation strategies and solutions. In this process of increasing information security, it is key for CFOs to find a business partner with a strong track record in advising on digitisation and security issues. Here, Ricoh Advanced Services can help any organisation create highly efficient workflow and content solutions that ensure employees get the information they need when they need it, all while keeping their information and their organisation secure. In addition, Ricoh experts can help automate, optimise and ensure the proper care of information within vital business processes.

Share the responsibility and benefit: Create campaigns to distribute and explain the policies. The objective is to raise awareness of the importance of being permanently protected and to recognise that our collaborators and their personal information are also targets of cybercrime. We must benefit them with these efforts and investments and build a more secure environment together.

In conclusion, most C-levels in the organisation understand that they share responsibility for the security management of their area. Exercising it fully without establishing processes and authorisations that diminish the fluidity and agility of the organisation is a constant challenge, but one that can be lessened if the organisation's leaders are on the same page as IT on this issue. In this way, they can jointly understand and design appropriate ways to generate, transmit and store information; manage customer data; and tell genuine communications and channels apart from fictitious ones. CFOs have the opportunity to take a proactive role in securing their organisations' data. The first step is to examine their existing processes for inefficiencies and security gaps. Then, work with the CIO to determine which technologies can minimise their risks while increasing team productivity.

For further information, please contact
Edgar Matamoros

IT Services Solutions Manager

Edgar.Matamoros@ricoh-la.com

[1] https://www.centrify.com/media/4772757/ponemon_dat...

[2] https://s3.amazonaws.com/new.ax.production/knowled...

[3] https://www.centrify.com/media/4594046/stop-the-br...
