Given the connectedness of organisations today, cyber security has become a fundamental part of business. NATHAN DESFONTAINES believes that this environment is challenging CFOs to look differently at operational requirements.
One of the biggest mistakes any company can make is to relegate cyber security to the CIO office. With technology permeating every aspect of business, this silo approach no longer holds true. In fact, I believe it can open the organisation to a number of risks, not least of which being having its data compromised.
With the CIO traditionally reporting to the CFO for new technology implementations (considering the cost implication on the business), the finance office is in a unique position to gain an organisational-wide perspective on the IT systems and process in place.
This perspective might give way to the temptation of thinking that cyber security is something that can be rolled out annually and be forgotten about. Instead, C-suite executives need to work closer together in order for the business to become more proactive around protecting its most important asset – its data.
While there is no such thing as complete security, there are a number of measures that can be taken to minimise the likelihood of a breach: In the digital world, these breaches result in not only significant financial damage but reputational as well. And if the breach is significant enough, the company risks not being able to recover at all from such an attack.
The top four means of incursion into a network are through exploiting system vulnerabilities, default password violations, SQL injections and targeted malware attacks. To prevent this, it is necessary to shut down each of these avenues into the information assets of the business.
It is important that the company identifies threats by correlating real-time alerts with global intelligence: security information and event management systems can flag suspicious network activity for investigation. In fact, the value of such real-time alerts is much greater when the information provided can be correlated in with current research and analysis of the worldwide threat environment.
Additionally, companies should automate security through IT compliance controls: by developing and enforcing IT policies across their networks and data protection systems, C-suite executives can help prevent a data breach caused by a hacker or a malicious insider, this mechanism works best for protecting sensitive information.
At KPMG, we believe it is important to remember that cyber security impacts on all parts of an organisation – from human resources and compliance, to business continuity and brand communications. Those organisations who see this as an integrated process are the ones that are best able to differentiate themselves from their competitors. So as much as some CFOs think that security is just a matter of Rands and cents, the impact on the company is much more significant.
I (along with other KPMG cyber security experts) will be discussing these and other issues at the upcoming Finance Indaba in Sandton, as well as the CFO World Congress taking place in Cape Town in November.
* Nathan Desfontaines, Cyber Security Manager at KPMG in South Africa