In the current day and age, the threat and impact of cyber-attacks are increasing. In January 2018, for example, UK businesses were victimized 7,073,069 times. On January 3, 2018, the US Department of Homeland Security informed 247,167 of its employees that their data had been breached. And because authorities are increasingly looking to address cyber risk and cyber security, security & risk management and policy setting & enforcement have become paramount objectives for CIOs and CFOs.
Best practices to fight off the next cyber attack
Best practices from companies world-wide, such as Google, Deloitte and Salesforce, in regard to strengthening regulatory and supervisory practices when dealing with cyber risk, include:
- Establishing coordination protocols between financial sector authorities and other agencies involved in regulating and supervising cyber-risk;
- Voluntary and anonymous information-sharing of cyber incidents among market participants;
- Developing an ICT strategy and risk management framework, including incident response plans with a clear chain of command to take the necessary business decisions. Some countries even require the appointment of an information security officer;
- Regular testing and simulating of incident response capabilities.
Other ways to develop sound cybersecurity policies and best practices to cover all your bases include:
Updating your software and systems
Ensure that centralized policy making in IT adopts a ‘push’ methodology, forcing new security updates onto a user’s device when it connects to the network.
Conducting top-to-bottom security audits
Conduct a thorough security audit of your IT assets and practices. This audit should review the security practices and policies of your central IT systems, as well as those of your end-user departments and at the ‘edges’ of your enterprise.
Managing social engineering
As part of your end-to-end IT audit, include social engineering, which tests whether your employees can be persuaded to give up confidential information.
Demanding audits from vendors and business partners
Put policies in place that require regular security audit reports from vendors you are considering before signing any contracts. Thereafter, your vendors, as part of their SLAs, should be expected to deliver security audit reports on an annual basis.
Providing new and continuing security education
Provide every new employee with cybersecurity education, and have them sign off that they have read and understood the training. In addition, give a refresher course in cybersecurity practices annually to your employees company-wide.
Watching ‘the edge’
The edge of the enterprise is a security exposure point for your organization and for IT. It requires training of non-IT personnel in IT security policies and practices, as well as oversight by IT and auditors.
Performing regular data backups that work
Put a cybersecurity policy in place that requires data backups and disaster recovery to be fully tested on an annual basis (at a minimum) to ensure that everything is working properly.
Physically securing your information assets
Physical security, like a locked ‘cage’ for a server in a plant that is accessible only to personnel with security clearance, is vital. Your security policies and practices should address the physical as well as the visual aspects of information.
Maintaining industry compliance
Especially when your company operates within a highly regulated industry, regulatory compliance that concerns IT security should be closely adhered to. It is important to annually review security compliance requirements and update your security policies and practices as needed.
Informing your board and CEO
It is one thing to tighten up your cyber security with the implementation of the most effective technologies, but those technologies are only as effective as the companies and people who operate them. This is why it is so important for CIOs, CSOs and others with security responsibilities to clearly explain cybersecurity technologies, policies and practices in plain language, in a way that the CEO, the board and other non-technical stakeholders, including Legal, Human Resources, Finance, Policy & Compliance and Training & Awareness, can understand.
Protecting your employees’ data
Another ‘beast’ we are currently facing is complying with the European Union’s General Data Protection Regulation (GDPR), the complex set of new rules and restrictions around processing EU citizens’ data that came into effect on May 25, 2018. In short, the GDPR means that businesses will need to be much clearer about the information they hold on people and give them more control over it. And even if a company has no direct EU operations, it may still need to comply. For example, even though Facebook is a US company, the rules affect how it operates in other countries, because its users are connected globally.
Of course you can look at the GDPR as a big pain in the behind, but as a CFO or CIO you could also view things from a different perspective. The GDPR is, in a sense, a way of thinking about your customers and employees; a way of thinking about your business that is permanent and long term. Complying with the new rules is simply good for your business. There may be some short-term pain involved, but if it creates trust and better experiences, the GDPR will lead to more long-term loyalty and, over time, better shareholder value.
How does your organization handle the GDPR?
Now you may wonder what the GDPR actually means for your finance department in particular. Dealing with some of the most sensitive information your organization is likely to handle is a huge responsibility. If the department suffers a breach, it is possible that there will be enough information for a criminal to take over customers’ accounts, steal funds and potentially commit identity fraud. Finance departments should therefore be particularly vigilant in their approach to compliance.
And because complying with the GDPR is a company-wide responsibility, the finance department shouldn’t be left to protect itself independently. In fact, no area of the business should operate based on a siloed approach. So if you or your organization is not fully aware of the responsibilities, it is time to change that. For finance departments especially, the following specific responsibilities have come into play:
- Your organization must keep a well-managed archive of invoices at all times.
- Organizations must provide customers or suppliers with records of their personal data on request. This must be provided quickly and presented in a format that the customer can read and reuse.
- Organizations are required to keep internal records of data processing, and records management systems must be able to extract raw data and provide a full audit history of the records kept.
- On request, organizations must remove data held on a customer or supplier who withdraws consent for it to be kept.
Keeping things simple
Complying with the GDPR helps ensure that finance and accounting departments adhere to stringent data protection standards, and it may completely alter the way in which the finance department operates within an organization.
- Reporting and notification systems must report issues as soon as they arise.
- Security risks should be managed with automated systems and processes, to eliminate one of the most significant security risks out there – human error.
Rydoo protects ALL of your data
At Rydoo we understand the importance of, and the need for, an automated, bullet-proof and SECURE software system to help your finance department safeguard your data. We know and understand the risks and challenges you are facing, and are, literally, your partner-in-crime. As an EU-based company we, of course, are also bound by the GDPR. So to stay ahead of the game, our Data Protection Officer consults on a regular basis with different law firms to ensure our compliance and keeps a close eye on all the data we process. We also take other aspects into account when it comes to securing (y)our data, such as physical security, system security, access management and data storage. We promise that when you trust us with your travel and expense management, we will make things a whole lot easier and safer. Not only for your finance department, but also for your entire organization when it comes to data security and cybersecurity. We are ready for it! Are you?