BreachExchange mailing list archives

Potential for undetected data breaches worries CFOs


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Jul 2014 19:26:47 -0600

http://www.securityinfowatch.com/article/11587188/new-grant-thornton-survey-reveals-cyber-security-concerns-of-chief-financial-officers

According to the results of a recent survey conducted by audit, tax and
advisory firm Grant Thornton LLP of over 1,000 chief financial officers
(CFOs) and corporate controllers, a majority of respondents (59 percent)
indicated that the potential for undetected breaches was the top cyber
security and data privacy concern at their organization.

Given the fallout from last year’s payment card data breach at Target,
which has resulted in the resignation of the retail giant’s CEO, CIO and
even calls from one proxy advisory firm for the ouster of most of the
company’s board members, it should come as no surprise that cyber security
is now top of mind for most corporate executives.

“I think (these survey results) really just memorialize where the trend is
going and that is it’s no longer just an IT security manager’s
responsibility or role within the organization, that the C-level executives
are getting involved and they understand that it has to be an
enterprise-wide look at what they have,” said Skip Westfall, managing
director, Forensic Technology Services leader and Cybersecurity Services
co-leader at Grant Thornton. “Cyber security is no longer just an IT
function; it is a whole company function from the board to the audit
committee to the C-level all the way down. In the past, the trend has been
that the CFO typically took a hands-off approach. It really was a security
issue and therefore, we have IT security people in corporations and they’re
handling this and now what you’re seeing is a lot of times a CFO sits on a
committee or has an active role in the policy setting and ongoing review of
their cyber security practices.”

While Target certainly wasn’t the first data breach to occur at a
high-profile company, Westfall said that two important things came out of
it as it relates to senior executives: first, vendor management and
protecting data outside the “four walls” of the organization; and second,
the need for greater situational awareness by companies in detecting and
mitigating the damage of breaches.

“I think what Target realized was that the weakest link in the chain might
not be within your own organization, but might be a partner of your
company,” explained Westfall. “There’s so many people out there looking to
crack the next big story that the time a company has from the time a data
breach is discovered to the time that it goes public is such a short, small
window that if they don’t have a full, organization-wide approach to
responding to the breach then they can find themselves in a very bad
situation publicly. Then you’re getting into an unmeasurable value on your
brand damage and what damage is done to your brand based on the lack of
situational awareness.”

In addition to undetected data breaches, other cyber security concerns
among respondents included: customer/client data privacy (54 percent);
unknown and identified risks (50 percent); employee and workplace data
privacy (42 percent); and compliance with data security laws (32 percent).
Given the recent talk about the increasing likelihood that federal
lawmakers may pass comprehensive data protection legislation as well as
similar laws already being passed by foreign nations, Westfall said these
numbers may skew differently in the future.

“I think what you’re going to find are companies understand that the global
market is shrinking,” added Westfall. “In the past, they really didn’t have
to think about European data privacy laws and Asian data privacy laws, but
it’s rare that a major or even a mid-major sized corporation is not dealing
in some way, shape or form with what I would call foreign data and now
they’re being exposed to that, the light bulb is going off that they have
to handle this data differently.”

Despite the concerns that many corporate executives now express regarding
cyber security and data privacy within their organizations, there still
seems to be a disconnect between the gravity of the problem and what’s
actually being done to mitigate the threat. For example, another survey by
Grant Thornton found that while more than 40 percent of in-house counsel
claim that the risk of a cyber security/data privacy breach has increased
in the past year, 17 percent said that they were still unsure about what
was being done to address these risks in their organizations.

“You’re kind of finding the convergence of many different business units
and C-level executives… so the awareness factor is coming in various
different forms from different people,” said Westfall. “CFOs, CEOs and
audit committee members are being made aware of this because they don’t
want their organization on the front page of the paper. IT is being made
aware of this because their job is to secure the data and other positions
in the company are coming about it by listening to how it affects their
business unit. All of them understand their role in cyber security, but I
still think companies are struggling with how do we pull all of that
together? What is the hub for all of this? That’s just a natural part of
the maturation process for the company as they mature their cyber security
defenses and practices.”

While many executives tend to view data breaches in terms of large-scale
cyber incidents like Target or something along the lines of the Heartbleed
bug, Westfall said they fail to realize that oftentimes a data breach can
still involve something as simple as misplaced or stolen paper documents
and don’t always involve a sophisticated hacking scheme.

“We’re not away from the days of dumpster diving. We’re not away from
sending out copies of information and records to outside service providers
like law firms and accounting firms,” said Westfall. “When I talk to
organizations about that and bring that up, it’s almost like it’s the last
thing on their minds. They have to start thinking in the framework that the
data can be in any format – it can be paper, electronic, mobile media, and
cellphones – and they have to think outside the box about these unknown
risks.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/