In today’s threat-filled environment, money is not always a hacker’s prime motivation. They could be driven by political reasons or just want to embarrass organizations.
But irrespective of their motivation, hackers often target sensitive company information. Panelists during a session titled “Anticipating Disruptions: External and Internal Threats to Data” at the recent MIT Sloan CFO Summit in Newton, Mass., said there are several steps organizations should take to protect their data.
“As protectors of data, we are in some way sitting ducks to the agility of the cybercriminals who are coming at it from many different vantage points,” Bright Horizons Family Solutions CFO Elizabeth Boland said.
Not taking steps to protect data could be costly: A report from the World Economic Forum and McKinsey & Company estimates that cyberattacks could cost the global economy $3 trillion by 2020. The problem will only get worse as cybercriminals become more innovative, Michael Ellis, CFO at online tuition payments service Flywire, added. Josh Siegel, CFO at security software company CyberArk, emphasized the need for speed when it comes to identifying a breach.
“The programs should have speed to detection, speed to contain the breach and then speed to remediate in case there is a breach,” Siegel said. “Get to the problem as fast as possible and then you would have the fastest containment of the issue.”
Training and awareness programs for both employees and board members are critical to enhancing cybersecurity, Ellis stressed. Organizations should have protocols in place so that employees know how to contain, analyze and report when an issue surfaces, he added.
“Audit your employees; make sure they understand,” Ellis said.
As company data has become a prime target for hackers, board members have become more aware of cybersecurity issues and have higher expectations about what their organizations are doing regarding cybersecurity, according to Boland. Therefore, it is crucial to help board members understand the cybersecurity concerns that CFOs and CEOs have, Ellis added.
To avoid financial disasters, organizations should implement manual controls in their systems that complement automated ones, Ellis suggested.
“Any type of breach can be catastrophic at the enterprise level,” he said. “[An organization’s] reputation is destroyed … and there are financial, operational and legal issues.”
The benefits of segmentation, CISOs
Boland highlighted the need for network segmentation to enhance security. If hackers break into a flat network that is not segmented, they would have access to information assets across the network. She advised the audience to implement a layered approach that goes beyond initial security measures to protect sensitive client and employee information.
“We have to detect intrusion, but more importantly prevent the extraction of any information if there is intrusion,” she added.
Panelists also emphasized the need for hiring CISOs.
“Enterprises need to get CISOs earlier on in the game, because the problem with cybersecurity is it’s a moving target,” CyberArk CFO Josh Siegel said. “The benefit of the CISO is that they are thinking 24/7 about, ‘What do I need to do to keep the enterprise secure?’”
Organizations should also deploy security analytics tools and software to collect, filter, integrate and link diverse types of security event information in order to gain a more comprehensive view of the security of their infrastructure, according to session moderator Chetan Gavankar.
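The collect-filter-integrate-link workflow Gavankar describes, and Boland’s point about detecting an intrusion before information leaves, can be illustrated with a small correlator. The code below is an added example, not from the panel or any vendor’s product; the log format, host names, user names and thresholds are all constructed for the demonstration. It normalizes two different event sources (VPN authentication and file-server reads) into one schema, drops lines it cannot parse, links events per user, and raises a finding when a burst of failed logins is followed by a successful login and then a large file read from the same session window.

```python
"""Correlate events from two unrelated log sources into one per-user view.

Added example (not the panel's or any vendor's code). The log lines, field
names and thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a VPN authentication log and a file-server log.
VPN_LOG = [
    "2019-11-20T08:01:10 vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2019-11-20T08:01:25 vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2019-11-20T08:01:40 vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2019-11-20T08:02:05 vpn auth user=alice src=198.51.100.7 result=OK",
    "2019-11-20T09:15:00 vpn auth user=bob src=10.0.0.5 result=OK",
    "this line is noise and should be filtered out",
]
FILE_LOG = [
    "2019-11-20T08:05:30 fileserver read user=alice path=/finance/payroll.xlsx bytes=52000000",
    "2019-11-20T09:20:00 fileserver read user=bob path=/eng/readme.txt bytes=1200",
]

# Generic shape assumed for both sources: "<iso-timestamp> <source> <action> k=v k=v ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_event(line):
    """Collect + filter: normalize one line into a common schema, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, action, rest = m.groups()
    try:
        fields = dict(kv.split("=", 1) for kv in rest.split())
        return {"ts": datetime.fromisoformat(ts), "source": source, "action": action, **fields}
    except ValueError:
        return None


def correlate(events, fail_threshold=3, window=timedelta(minutes=30), bytes_threshold=10_000_000):
    """Integrate + link: group events by user across sources and flag the
    sequence 'N failed logins -> successful login -> large read within window'."""
    by_user = defaultdict(list)
    for ev in events:
        if ev is not None and "user" in ev:
            by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        fails = []          # consecutive failed logins seen so far
        suspect_login = None  # a success that followed a burst of failures
        for ev in evs:
            if ev["source"] == "vpn":
                if ev.get("result") == "FAIL":
                    fails.append(ev)
                elif ev.get("result") == "OK":
                    if len(fails) >= fail_threshold and ev["ts"] - fails[0]["ts"] <= window:
                        suspect_login = ev
                    fails = []
            elif ev["source"] == "fileserver" and suspect_login is not None:
                size = int(ev.get("bytes", 0))
                if size >= bytes_threshold and ev["ts"] - suspect_login["ts"] <= window:
                    findings.append({
                        "user": user,
                        "src": suspect_login["src"],
                        "path": ev["path"],
                        "bytes": size,
                        "ts": ev["ts"].isoformat(),
                    })
    return findings


def run_demo():
    """Run the correlator over the constructed logs and return its findings."""
    events = [parse_event(line) for line in VPN_LOG + FILE_LOG]
    return correlate(events)


if __name__ == "__main__":
    for f in run_demo():
        print(f"ALERT user={f['user']} from {f['src']} read {f['bytes']} bytes of {f['path']} at {f['ts']}")
```

The point of the example is the linking step: neither log on its own is alarming (a few failed logins, one large read), and only the joined per-user timeline shows a pattern worth investigating. In a real deployment the same idea is what a SIEM or analytics platform does at scale, with many more sources and tuned thresholds; the values here are placeholders.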
Boland suggested being selective about partners and vendors, and including security protocols in contracts.
“We are not just concerned about our security, but the security of our supply chain, because if our law firms are breached that’s an avenue to breach us,” Siegel reinforced.
CyberArk uses red teams that try to penetrate the company network in order to help the company identify security vulnerabilities, Siegel said. The company also has a very flexible budget for cybersecurity to help fix these vulnerabilities, he added.
“With respect to budgeting, you need to evaluate all kinds of risks — legal, compliance, financial, operational, and reputational — and put it with the business risk itself and quickly evaluate and come up with a number,” Ellis suggested.