Cyber threats and the CFO: Finance Indaba speaker Nathan Desfontaines (KPMG)
Given the connectedness of organisations today, cyber security has become a fundamental part of business. Nathan Desfontaines, KPMG’s Cyber Security Manager in South Africa, believes that this environment is challenging CFOs to look differently at operational requirements. He wrote this guest article in anticipation of the Finance Indaba Africa.
- Nathan will present his insights at the Finance Indaba Africa. His presentation titled 'The inconvenient truth about cybersecurity - Find it, fix it, manage it' takes place at 13.30 on 14 October 2016.
One of the biggest mistakes any company can make is to relegate cyber security to the CIO office. With technology permeating every aspect of business, this silo approach no longer holds true. In fact, it can open the organisation to a number of risks, not least of which is having its data compromised.
With the CIO traditionally reporting to the CFO for new technology implementations (considering the cost implication on the business), the finance office is in a unique position to gain an organisation-wide perspective on the IT systems and processes in place.
This perspective might give way to the temptation of thinking that cyber security is something that can be rolled out annually and then forgotten about. Instead, C-suite executives need to work more closely together in order for the business to become more proactive around protecting its most important asset - its data.
"While there is no such thing as complete security, there are a number of measures that can be taken to minimise the likelihood of a breach. In the digital world, these breaches result in not only significant financial damage but reputational damage as well. And if the breach is significant enough, the company risks not being able to recover at all from such an attack."
The top four means of incursion into a network are through exploiting system vulnerabilities, default password violations, SQL injections and targeted malware attacks. To prevent this, it is necessary to shut down each of these avenues into the information assets of the business.
It is important that the company identifies threats by correlating real-time alerts with global intelligence: security information and event management systems can flag suspicious network activity for investigation. The value of such real-time alerts is much greater when the information provided can be correlated with current research and analysis of the worldwide threat environment.
Additionally, companies should automate security through IT compliance controls: by developing and enforcing IT policies across their networks and data protection systems, C-suite executives can help prevent a data breach caused by a hacker or a malicious insider. This mechanism works best for protecting sensitive information.
It is important to remember that cyber security impacts on all parts of the organisation - from human resources and compliance, to business continuity and brand communications. Those organisations that see this as an integrated process are the ones that are best able to differentiate themselves from their competitors. So as much as some CFOs think that security is just a matter of Rands and cents, the impact on the company is much more significant.