As a chief financial officer (CFO) in today’s rapidly changing environment, you are forced to confront many variables that pose a risk to your organization on a daily basis. Cyber security came in at number 4 of the top 6 concerns in a 2015 survey conducted by the independent audit, tax and advisory firm, Grant Thornton. Some 44% of CFOs said the most significant concern for their organizations is cyber security risks, while 57% said it was undetected breaches that worried them the most.
CFOs are keenly aware of the fiscal havoc data loss can wreak on a business. And while big names suffering massive breaches – such as Sony, Target and even departments of the federal government – may grab headlines, the financial hazards are not limited to large organizations. A 2013 study by the Aberdeen Group discovered that a single data loss can cost a small to mid-size business (SMB) more than $163,000 per hour.
Here is a 5-point plan for SMBs to avoid and mitigate the risk of cyber loss:
- Know your process – How does your business collect data? What type of data is being captured? Only collect information that you need and will use. How is it being stored? And how is it being discarded? Not knowing the answers to any one of these questions equals exposure.
- Know your business continuity plan – Fraud or forensic cyber documentation is a new, complex and evolving field. Very few people are qualified to investigate cyber threats. Having a plan has never been so difficult. Consider seeking an expert to document a continuity plan and to educate your employees on how best to respond. How you handle post-breach communications determines how well you mitigate reputational risks with your customers and suppliers.
- Know your technology – Review the technology you have in place to protect your firm from data loss, such as firewalls and intrusion detection systems. Hire an IT Managed Services Provider (MSP). Today, many MSPs focus on cyber security and stay abreast of the latest threats and developments far faster than you can.
- Know your legal requirements – Are you in compliance with Data Breach Notification (DBN) laws? How fast must you respond? What information must be provided to authorities, customers and other parties? Oklahoma enacted the “Security Breach Notification” act on November 1, 2008. The act relates to identity theft and will affect all individuals (natural persons) or entities that own or license computerized data that includes personal information.
- Know if you are insured – Consider hiring a Risk Management Consultant to do a comprehensive review of your insurance policies to determine the type and amount of coverage you need to protect against financial loss. Find out what risk management support services are provided by the insurance provider and take advantage of the pre-breach services offered. Some insurance carriers may offer reimbursement for hiring a cyber loss prevention consultant. Know who to contact post-breach. Know your duties in the event of a breach. Know who selects legal counsel and whether underwriter approval is required for post-breach service providers.
Cyber breaches and data loss will always be a risk. Your responsibility, as CFO, is to mitigate the probability and to have your company prepared if a breach occurs.