Written by Steph Charbonneau, Senior Director of Product Strategy, Vera by HelpSystems
CFOs and financial controllers play a pivotal role in how organisations evaluate and manage data risk. Analyst firm Gartner reports that more than 30% of organisations will use financial risk assessments of their data assets to prioritise investment choices for IT, analytics, security, and privacy by 2022.
Data is particularly at risk within the finance function. Sensitive data such as customer and supplier information, financial statements, and personnel records are processed and shared daily both inside and with vendors outside the organisation. The finance team communicates with banks, auditors, and lawyers on a regular basis and while laws and policies exist to provide protection, there’s no certainty as to where your data could end up, and you can’t control it once it is sent. The information that resides outside the organisation’s security perimeter is accessible with equal permissions, meaning access is not restricted once someone gains it.
Assess Your Vulnerability
All of this presents an immense risk. Understanding what the risks and potential costs are is an important component of organisational planning. How would the organisation react if sensitive information were disseminated to the wrong audience? What could it cost? Simply thinking ‘it won’t happen to me’ or assuming a party erroneously receiving sensitive data will act with integrity and delete the information can no longer be justified. Data breaches are common and can have a significant impact on your business.
The financial risk of a data breach is typically the cost of lost revenue, compliance challenges, cost of litigation, privacy regulation penalties, and reputational damage. Revenue loss risk and litigation costs risk are tangible impacts that can be measured. However, it is more difficult to quantify the probability. On that front, understanding your data’s level of vulnerability is important. If you are SOC2 compliant, your risk will be mitigated by the controls within the internal bounds of your system. On the flip side, it is difficult to assess the probability for data that leaves your repositories. Internal compliance, including SOC2, cannot address it.
Thankfully, there’s a multitude of methods to protect assets and minimise your cyber risk. Consider securing and managing your data with technology like digital rights management (DRM), data loss prevention (DLP), data classification and security incident and event management (SIEM) software. There are network controls you can put in place, and you should have a process for evaluating the security of any apps you use to minimise your vulnerability. Evaluate your cyber risk holistically to ensure nothing slips through the net, otherwise your vulnerability remains.
Implementing Data Security Best Practices
Cybersecurity can be very complex depending on the size and industry of the organisation. New attack methods and new technologies to deal with those attack vectors show up all the time. To maximise efforts at assessing security risk, allocate resources so the most effective tools and strategies (such as encryption or digital rights management) are used to protect the most important information assets.
Finance leaders should follow these best practices to manage their team’s cyber risk.
- Identify exposures in either tools or processes and work with the IT team to close the gaps in security.
- Classify your files and with it, understand where your sensitive data is located and how access is provided to parties that need it, especially those outside your organisation. Company policies and processes often overlook, or have no direct control of, data outside the organisation so this awareness is important.
- Adopt a zero-trust approach to protecting your sensitive data and implement technology that allows you to manage your risk. Software such as digital rights management,for example, protects your most valuable data assets no matter where they travel, allowing you to secure, track, audit, and revoke access if data accidentally or maliciously falls into the wrong hands.
- Educate and train finance team members to recognise and manage risk. Employees need to understand the importance of the data they are using and have access to the right tools and processes so that it is handled correctly.
Protect Your Most Valuable Assets
Evaluating an organisation’s cyber risk starts with clearly understanding the company’s risk tolerance. Is the organisation risk tolerant, or extremely risk averse? The answer may differ depending on what needs to be protected and what industry you operate in. In the finance function, what level of risk are you willing to accept and still justify and defend to stakeholders? Start by identifying those assets where the risk is unacceptable and where access needs to be carefully controlled and managed and focus your execution from there.