As we’ve discussed in a variety of articles, the controller and the finance organization as a whole have continued to take on new roles, adopt new skills, and drive change in a wider range of departments. Though we have spent a lot of time discussing the move into a field like operations, what about something like cybersecurity?
After all, it is a risk that needs to be managed. It’s often one of the vectors for fraud. It’s an area that affects the bottom line. Wouldn’t it make sense for you to have some input on what needs to be controlled? A new article from Journal of Accountancy says yes.
In a post titled “COVID-19 decisions create data dilemma for businesses,” author Jerry Ravi, CPA, looks at the challenges that companies have faced in controlling and tracking the movement of data.
Data is Money: Asking Questions about Your Security Posture
Whether it’s due to connectivity and interoperability problems that occur when organizations blend SaaS and legacy systems, or to the continued work-from-home initiatives, many leaders need to take a deeper look at something Ravi defines as your ‘security posture’.
“As people are continuing to quarantine, businesses are now forced to evaluate the impact this transition has had on their own security posture. The paramount question that has resulted from this introspection is one that has been looming for several years: ‘Where is my data?’”
It’s a good question. Whether you compare it to oil or uranium, data is not only a high-value product, it can be misused in the wrong hands. Unfortunately, as noted in the article, many companies’ hasty moves to bring mobility into the organization have resulted in new challenges.
“While effective at meeting the immediate business needs, these implementation and migration efforts were largely performed agnostic of compliance requirements. As such, many companies may be facing potential fines and sanctions and could be forced to figure out solutions to deal with regulatory violations.”
Normally, this wouldn’t be a problem—tools and processes are in place to ensure that data movement is monitored—but in the seemingly overnight move to work from home that has taken place in 2020, many overlooked the potential blind spots that this creates.
Seven Controls to Focus on in Data Management
To address the challenges presented, someone needs to look at what this all means. As the people in charge of monetary moves and risk management, controllers need to speak with IT to understand what risks have presented themselves and put controls in place to detect and prevent loss.
According to the article, leaders are recommended to take the following seven-step framework and implement it in a way that fits current processes:
- Define: Define the confidentiality levels for business data or privacy for personal data, what needs to be protected, and at what level. The highest level of security should be assigned to personally identifiable information (e.g., Social Security numbers, tax identification numbers, etc.).
- Identify: Find where data is stored. Communicate to everyone in the organization where data resides and why usage of “shadow IT” (i.e., nonapproved IT resources) needs to be restricted.
- Contain: Ensure that data is contained within organization-approved storage mediums and that unapproved storage equipment or locations are not being used.
- Monitor: Implement controls to ensure that confidential data within the defined environment remains protected. Ensuring that encryption is in place, that awareness training is performed periodically, and that devices used to access data are secured will serve to bolster monitoring capabilities.
- Recover: Confirming that data is backed up, secured, and recoverable by performing tabletop exercises will help to ensure that recovery is possible in the event of a disaster-type event.
- Insure: Insurance doesn’t protect against reputational and other risks, but it is a good business practice, as it helps to limit organizational exposure in the event of a breach.
- Commit: Commit your organization and your vendors/partners to this approach, and continue the conversation as an ongoing effort.
Ravi closes with a point pertinent not only to accountants but to business leaders as well: “prevention is less expensive than recovery and repairing reputational damage from an incident, breach, or data loss.”
Minimize Risk: Controllers Council Resources
Whether it’s a move to the cloud or it’s finding the right IT help, if part of your job is to manage risk at your organization, it pays to be in the know. That’s where the Controllers Council comes in. With forums, benchmarking, and networking opportunities, we are proud to help you successfully navigate the new and ongoing challenges you face.
If you’re looking to learn more about your roles and responsibilities when working with the IT department, we invite you to download the free guide titled The Ultimate Guide to Cloud Migration, written for the Controllers Council by IT experts VAST. This guide will help you to understand the risks that may have already presented themselves if your organization has already made a hasty move to the cloud and discuss how you can work with an IT partner to shore up your cybersecurity risk management.
Additional Cybersecurity Resources
Internal Controls: Who’s Committing Fraud and What Should You Look For?
Controller’s Role in a Company Data Breach
Five Resources for Controllers Looking to Understand Cybersecurity