With today’s threats to information security, cybersecurity risks should be considered part of an overall enterprise risk management program for any business. The impacts to the organization from a cyber-attack are swift and can be devastating.
Information security is a complicated issue to manage because each organization’s vulnerabilities to cyber-attacks are different. Systems in place and control environments are highly customized, and federal and state regulatory requirements will vary based on your industry and operational location. Although there are best practice frameworks to use for managing information security, the devil’s in the details with how those frameworks are configured for your organization’s needs.
CFOs and business leaders can help their organization manage the information security function by reviewing the following core areas of risk.
Policy & Governance Processes
There are several best practices for policy and governance processes. Leadership should consider whether they have a dedicated person responsible for the organization’s data security who meets with leadership (and the company’s audit committee) to discuss threats and ongoing risk mitigation efforts. By putting one person in charge of this responsibility, leadership has a resource with which to discuss concerns and address questions about how the organization’s information security effort is going as a whole. Other best practices include whether critical security related practices and policies (password changes, privileged account access, etc.) are documented and reviewed annually. It is important that there is training in place on cyber risk awareness for all employees.
Tactical Areas of Focus
Every organization has unique risks, but there are core areas where information security breaches and cyber-attacks are common. To address these tactical areas, CFOs and financial leaders should consider whether your organization has a vendor risk management program that routinely reviews security practices for service providers that process or store critical and sensitive information. It is also critical to make sure your organization performs social engineering and phishing simulations periodically to assess training and awareness. Security patches should also be routinely catalogued, prioritized, and scheduled for timely updates to all connected devices and software within your organization.
Information for Boards
Boards of directors (and investors) play a critical role in the cybersecurity risk management process, but to be effective, Boards need to be informed about the steps the company is taking to protect its information. CFOs and leadership teams can help the Boards have the insight they need by having detailed conversations with members of the IT team about the enterprise-wide approach being taken to mitigate information security threats.
Specifically, boards may be asking the following questions, which CFOs and leadership teams should be prepared to answer:
- Do you have an IT security strategy and plan that is aligned with your highest value information?
- What makes you feel confident in your security and controls over the company's data?
- Would your organization be able to detect a breach? How often does management review incidents and breaches and when was the last one?
- When was the last time the organization had an IT security assessment performed against a standard security controls framework?
- When was the last time key suppliers and partners were reviewed with respect to access to data and systems?
- What investments are you making in improving your employees’ understanding and everyday use regarding information security?
Read more on why each question above should be asked.
Put Your Cyber Approach to the Test
With so much to consider, it can be difficult to get your information security evaluation started. Our team may be able to help. For additional cybersecurity questions or a complimentary consultation on your cybersecurity program, please contact us.
Published on June 15, 2021
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.