
The View From the Top – Cyber Security and the C-Suite: A Q&A With Withum's Jim Bourke


Cyber security is no longer just a technical responsibility – it starts at the top, and is becoming one of the CFO’s top concerns.


Cyber risks are one of the top threats facing organizations today. Costs, and the malicious nature of attacks, make cyber security one of the CFO’s top concerns. Data is often a company’s most valuable asset and each new breach highlights the challenges companies face in securing customer information and intellectual property.

FEI Daily spoke with Jim Bourke, CPA, CITP, CFF, CGMA and Managing Director of Advisory Services at public accounting firm Withum, about how senior-level financial executives can better understand the risk landscape and create an effective cyber incident response strategy for their organization. Bourke will be a speaker at the upcoming 2018 Technology for Finance Leaders Conference.

FEI Daily: What are some of the common misconceptions you hear from the C-Suite around cyber risks?

Jim Bourke: Many feel that they are OK and safe from risks and cite the fact that they have a good internal IT department or top-notch external IT consulting group. So not true! More often than not, internal IT and outside technology consultants are not trained in the cyber area. They may be on their game as far as keeping technology functional, but when it comes to cyber threats, there very well may be exposure.

Some feel that their exposure to cyber threats is minimal because they don’t allow employees free and open access to the internet. Also not true; those same companies allow employees access to company email and in many cases personal email like Gmail, Yahoo, AOL, etc. More threats come via email phishing attacks and email than any other platform.

FEI Daily: What are the cyber risks businesses should be most aware of and prepared for?

Bourke: Employees are the single largest source of cyber-related issues. Employee education is critical in this space. Phishing attacks with employees clicking on rogue URLs are 90% of the calls that I get.

FEI Daily: Are the risks different for private vs. public companies?

Bourke: I would say that public and larger companies get hit with more “intelligent” attacks vs. generic attacks more often than not. For example, smaller companies would typically get hit with an email appearing to be from a lender such as Bank of America. Since BoA holds a little over 10% of all bank deposits in the US, that would be a pretty good hit rate. However, public companies may often publish their lender’s name in their financials in public documents or may provide testimonials to financial institutions; they could increase the likelihood of a successful phishing attack when they are specifically able to name the lender and/or specifics about their financial banking or lending relationship.

FEI Daily: What are the elements of an effective cyber incident response strategy?

Bourke: There are several elements. The plan should be known by everyone that will be expected to be involved in the plan. Also, have a champion that is charged with plan deployment. You also want a group of “first responders” and alternates ready to go. Just make sure everyone knows their role. Continually update the plan and test it!

FEI Daily: How will the CFO of 10 years from now differ from the CFO of today?

Bourke: Wow, loaded question! The CFO in 10 years will be a data miner, will have greater analytical skills, will be charged with deep diving on data to better position their companies. The CFO in ten years will be placing less reliance on historical financials and more reliance on the predictive traits buried in their data.

To learn more about the C-suite’s role in cybersecurity, register for FEI's 2018 Technology for Finance Leaders Conference.