CFOs and financial controllers play a pivotal role in how organisations evaluate and manage data risk. Analyst firm Gartner reports that more than 30% of organisations will use financial risk assessments of their data assets to prioritise investment choices for IT, analytics, security, and privacy by 2022.
Data is particularly at risk within the finance function. Sensitive data such as customer and supplier information, financial statements, and personnel records are processed and shared daily, both inside the organisation and with vendors outside it. The finance team communicates with banks, auditors, and lawyers regularly. While laws and policies exist to provide protection, there’s no certainty as to where your data could end up, and you can’t control it once it is sent. Once information has left the organisation’s security perimeter, there is no longer any control over access permissions. Effectively, who the information is shared with comes down to trust.
Assess Your Vulnerability
All of this presents an immense risk. Understanding the risks and potential costs is an important component of the organisation’s information security risk planning. How would the organisation react if sensitive information were disseminated to the wrong audience? What could it cost? Simply thinking ‘it won’t happen to me’, or assuming that a party erroneously receiving sensitive data will act with integrity and delete the information, can no longer be justified. Data breaches are common and can have a significant impact on your business.
The financial risk of a data breach is typically the cost of lost revenue, compliance challenges, the cost of litigation, privacy regulation penalties, and reputational damage. Lost revenue and litigation costs are tangible impacts, yet even they are hard to measure. Quantifying the probability of a breach is more difficult still. On that front, understanding your data’s level of vulnerability is important. If you are SOC 2 compliant, your risk will be mitigated by the controls within the internal bounds of your system. On the flip side, it is difficult to assess the probability of a data breach once data leaves your repositories. Internal compliance, including SOC 2, cannot address it.
Thankfully, there’s a multitude of methods to protect assets and minimise your cyber risk. Consider securing and managing your data with technology like:
- digital rights management (DRM)
- data loss prevention (DLP)
- data classification
- security information and event management (SIEM) software
There are also network controls you can put in place, and you should have a process for evaluating the security of any apps you use to minimise your vulnerability. Evaluate your cyber risk holistically to ensure nothing slips through the net; otherwise, your vulnerability remains.
Implementing Data Security Best Practices
Cybersecurity complexity varies depending on the size and industry of the organisation. New attack methods and new technologies to deal with those attack vectors show up all the time. To maximise efforts at assessing security risk, allocate resources so the most effective tools and strategies (such as encryption or digital rights management) are used to protect the most important information assets.
Finance leaders should follow these four best practices to manage their team’s cyber risk.
- Identify exposures in applications, devices, and processes. Then work with the IT team to close the gaps in security.
- Classify your information. Understand where your sensitive data is located and how access is provided to parties that need it, especially those outside your organisation. Company policies and processes often overlook or have no direct control of data outside the organisation, so this awareness is important.
- Adopt a zero-trust approach to protecting your sensitive data. Implement technology that allows you to manage your risk. Software such as digital rights management, for example, protects your most valuable data assets no matter where they travel. It allows you to secure, track, audit, and revoke access if data accidentally or maliciously falls into the wrong hands.
- Educate and train finance team members to recognise and manage risk. Employees need to understand the importance of the data they are using. They also need to have access and know how to use the right tools and processes to handle it correctly.
Protect Your Most Valuable Assets
Evaluating an organisation’s cyber risk starts with clearly understanding the company’s risk tolerance. Is the organisation risk-tolerant or extremely risk-averse? The answer may differ depending on what needs to be protected and what industry you operate in. In the finance function, what level of risk are you willing to accept? Consider how to justify and defend this to stakeholders. Does that justification hold up assuming a breach has occurred? Start by identifying those assets where the risk is unacceptable and where access needs to be carefully controlled and managed. Focus your execution from there.
Vera provides secure file collaboration and digital rights management (DRM). There are hundreds of solutions in the market that can secure your data, but data is rarely useful to anyone if it cannot be shared. Vera is the only solution that allows users to share their files securely, with whoever they choose. Users gain the confidence that their data can only be accessed by those they choose, even after it’s opened. Vera allows you to collaborate securely while maintaining the seamless user experience that highly productive users demand.