Many businesses continue to underestimate cyberthreats. An urgent change of mindset is called for, says Florian Stahl, lead information security consultant at MSG Systems in Germany. He offers nine tips to bolster thinking around data security.
Don’t underestimate the severity of the threat. Many companies think that their data are not of interest to cybercriminals. But external attackers are moving away from the really big companies that have already implemented robust information security systems and are starting to look at smaller companies instead. Attacks on smaller organizations still have the potential to cause large-scale damage since they often have relationships with, or host systems for, larger companies.
Breaches can often go undetected. There already may have been incidents, in your company or your clients’, that have gone undetected. For example, if data are copied, they remain in place, which is not as noticeable as a breach in which something is removed altogether. Many companies do not have advanced monitoring or logging systems, so they often cannot detect attempts by external actors to access or manipulate the data.
Be aware of the emerging threats, but don’t ignore the old ones. For example, insecure web applications still pose a significant risk. A process needs to be established within the company to ensure patches are applied when required.
Consider security from the inception of a project. When developing new solutions and software, security should be taken into account from the initial stages of development. If vulnerabilities are considered only at a later stage, firewalls, anti-virus, and detection systems can still be put in place, but they may not provide a completely secure system. Addressing security later, rather than sooner, also will increase costs.
Make it a C-suite issue. Stahl suggests that responsibility for information security be moved from the IT department to the C-suite. While the necessary countermeasures should come from this level, individual departments should also take some responsibility for the information they work with and think about the potential threats to that data, as well as the implications if the data are manipulated or fall into the wrong hands. The IT department often lacks awareness of the business case behind each set of data.
Train all staff, not just the IT department, on cybersecurity. Unintentional data leakage is mainly caused by insiders who may not be aware of the risks. This includes, for example, employees who want to finish some work at home and put sensitive files on an external platform such as Dropbox or email them to a personal email account, as well as employees who mistakenly send an email containing confidential information to the wrong person.
Classifying your data into confidential, internal, and public categories is a significant step toward protecting it. Only public information should be permitted to leave the company. Clear classification provides criteria by which employees can decide whether they should be sharing information with a partner organization, for example. The decision can otherwise be difficult for employees to judge. Employee awareness of the threats that exist and how to deal with them is crucial. Management cannot control every element themselves.
Implement technical solutions. Given that people make mistakes, it is hard to eliminate unintentional data leakage completely, but it is important to reduce it to a minimum. In addition to educating employees about the risks, organizations can implement technical solutions such as data leakage prevention software that filters all traffic that leaves the company, whether email or internet traffic, and raises an alert when credit card numbers or a particular keyword or pattern is detected.
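As an added illustration (not part of the original article or of any vendor's product), the sketch below shows the kind of check such a filter performs on one outbound message: it enforces the confidential/internal/public labels described above, flags card numbers that pass the Luhn checksum, and matches a keyword list. The function names, the keyword list, and the sample messages are assumptions constructed for the example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hypothetical watch list; a real deployment would load its own terms.
KEYWORDS = ("project falcon", "salary list")
# Labels from the classification scheme above; only "public" may leave.
ALLOWED_OUTBOUND = {"public"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to discard random digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outbound(label: str, body: str) -> list[str]:
    """Return the alerts raised for one outbound message (empty list = clean)."""
    alerts = []
    if label.lower() not in ALLOWED_OUTBOUND:
        alerts.append(f"classification:{label.lower()}")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            alerts.append(f"card:{mask(digits)}")
    lowered = body.lower()
    alerts.extend(f"keyword:{k}" for k in KEYWORDS if k in lowered)
    return alerts


# Constructed sample messages (4111 1111 1111 1111 is a well-known test number).
SAMPLES = [
    ("public", "Press release attached, see you Monday."),
    ("internal", "Card 4111 1111 1111 1111 exp 12/30, please charge it."),
    ("public", "Order 1234567890123456 shipped. Salary list is attached."),
]

if __name__ == "__main__":
    for label, body in SAMPLES:
        print(label, scan_outbound(label, body))
```

The Luhn step is what keeps the alert volume manageable: the 16-digit order number in the third sample is ignored, while the test card number in the second is flagged and masked.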
Identify the data “crown jewels.” Companies should focus on protecting their most important data first. This category, which makes up about 5% to 10% of the company’s data, is referred to as the “crown jewels” because, if it were to leak, it would cause significant financial or reputational damage to the company. This category should be encrypted and access to it restricted.
Ask questions. Although finance professionals may not be directly involved in development or migration projects, they can, and should, ask questions to verify whether information security has been taken into account on these projects.
The original version of this article, “Nine Ways to Bolster Data Security,” by Samantha White, is available at tinyurl.com/qhrc24q.
—Jack Hagel, editorial director, CGMA Magazine
Also at cgmamagazine.org
Talent Shortage Worries CEOs
CEOs are increasingly concerned with the availability of talent around the world, a problem that is especially acute in emerging markets. The skills gap, combined with rising labor costs, is forcing CEOs to look for new talent markets, according to PwC’s 17th annual Global CEO Survey.
Sixty-three percent of CEOs say the availability of key skills is the biggest threat to their organization’s growth, up from 53% two years ago. With half of CEOs planning to add staff in the next 12 months, the competition for talent is expected to intensify, the report said.
“The gap between the skills of the current workforce and the skills businesses need to achieve their growth plans is widening,” Michael Rendell, global HR consulting leader at PwC, said in a news release. “Despite rising business confidence equating to more jobs, organizations are struggling to find the right people to fill these positions.”
The full article, “Access to Talent a Rising Concern for CEOs Around the World,” by Neil Amato, is available at tinyurl.com/k3mzm8l.
Investors Crave Sustainability Disclosures
A majority of investors participating in a PwC survey said they are dissatisfied with the level of corporate disclosure related to climate change, resource scarcity, social corporate responsibility, and good citizenship in the Middle East and North Africa, the Asia/Pacific region, and North America.
Europe was the only region represented in the survey whose corporate sustainability disclosures pleased most investors.
Overall, more than two-thirds of investors in the survey are dissatisfied with:
- How risks and opportunities related to sustainability are identified and quantified in financial terms (82%).
- Comparability of sustainability reporting between companies in the same industry (79%).
- Relevance and implications of sustainability risks (74%).
- How the company identifies social and environmental impacts in its supply chain (69%).
- Sustainability strategy that is linked to business strategy (68%).
The full article, “Investors Yearn for Sustainability Disclosures,” by Ken Tysiac, is available at tinyurl.com/o4mc34d.