In a recent CFO Corner post, I talked about how the responsibilities of the CFO and CTO are overlapping and we’re finding ourselves working more closely together to achieve similar goals. Then news broke about the WannaCry ransomware attack and it felt relevant to discuss how finance leaders can protect their businesses from cyber threats. A key area of focus for many CFOs is managing risk management for the company. As part of this larger effort, there’s significant overlap and collaboration between the CFO and CTO regarding cyber risk management.
There are many areas of risk management that we as finance leaders oversee and manage. In my day-to-day, the efforts around mitigating risk range from contract provisions with vendors and partners – to obtaining the right levels of insurance for the business – to managing internal and external audits – to having the right controls in place for compliance and security. Given the increased cyber risk as more companies move their data to the cloud, my CTO and I are focused on cybersecurity as a core effort toward risk management and protecting the business.
I went back and talked with Motus CTO Rick Blaisdell about the importance of cybersecurity as part of our risk management efforts. Here’s how we work together to protect the business against cyber risk:
Document controls and processes
Tim: Rick and I collaborate extensively in the development of our contingency plan. Together, we think through all the possible scenarios and “what ifs” we might face so we’re prepared. For example, we work together on plans around business continuity, disaster recovery, incident response, data retention, and the likes.
As CFO and CTO, we’re managing these efforts by coordinating the controls behind every system. This includes setting up controls for things like who has access to our office building, servers, and cloud services. It also involves things like ensuring backups of our critical business data are running offsite. We also document processes around meeting compliance and insurance requirements. This is more involved than some might realize. For example, most insurance providers today want their business clients to have processes in place for collecting motor vehicle reports on their mobile employees to verify safe driving records. Our clients typically sign up for motor vehicle reports and insurance validation to ensure compliance and mitigate risk. So, we’re not just considering compliance for state and federal government regulations, we must also set processes that adhere to these types of requirements.
Rick: As the Chief Technology Officer, it’s also a critical part of my role to protect our business against risk – particularly cyber risk. I work closely with Tim to implement the appropriate processes and controls across the organization. My team and I set controls for both physical and logical security systems based on industry best practices. This includes everything from who has access to our building to business continuity planning and even successor language. We’ve also taken steps to develop a technology due diligence binder to provide vendors and customers information around our completed SOC audits, the results, and feedback on those results. This documents all the controls and processes in place that satisfy the requirements of our customers, vendors, partners, and auditors. It reduces the cost of an audit and allows us to rapidly respond to security questionnaires.
Conduct internal training
Tim: After we’ve documented the various processes and controls in place within the business, it’s critical that we take measures to ensure they’re being followed by the team. For this reason, we require a security training upon hiring and once per year to refresh employees on best practices. As a CFO, it’s important to be aware of the signs of social engineering attempts and spoofing emails where another executive might be impersonated in an email asking you to transfer funds to them (likely to an offshore bank account). This is something we train our employees on as well, so that everyone in the business is aware of the risk and can identify these attempts. We also train the team on taking the necessary actions to get a secondary verification whenever there’s suspicion of a social engineering threat.
Rick: My team creates these internal training programs based on industry best practices. While we know it’s impossible to completely avoid a hacker infiltrating our systems, we can take steps to educate our team around security best practices. We understand that despite all our efforts, there’s always risk of a hacker finding a hole in our system. This is an ongoing effort for my team to train and advise all employees on how to act as gatekeepers for the business.
Complete SOC audits
Tim: In addition to the financial audits we complete, I also work closely with the Technology team to put the business through extensive SOC audits. These audits test the system and organizational controls that Rick and I have implemented. It helps to control where data flows and understand who in the business has access to sensitive information. As we grow it becomes even more important for us to put ourselves through a higher level of scrutiny and auditing.
Rick: The technology due diligence binder we’ve put together serves as the detail documentation that supports the SOC audits we’ve been through, the results, and the feedback on those results. These audits allow us to test the processes and controls in place to confirm to third parties that our data is secure. There’s two types of SOC audits where the documented processes are audited and another where the controls are tested. For example, do they exist and perform the way you intended? This presents any potential issues that need to be addressed and gives the company better visibility into the effectiveness of our efforts.
Perform vulnerability testing
Tim: Another effort to test our security is performing vulnerability testing to our systems. The findings from these testing efforts help us to understand where the vulnerabilities are and how we can improve our cybersecurity. In addition to SOC audits, it’s required by state law to perform penetration testing and determine cyber risk. These requirements vary across states so CFOs should be aware of what’s required for their business.
Rick: Unfortunately, nothing is truly safe with the abilities of today’s hackers. That’s why performing vulnerability testing is critical for any business. At Motus, we employ a third party and integrate automated tools into our testing environment. These tools attack our system and expose holes in our security. We also perform social engineering testing as part of these efforts. For example, we send spoofing emails to different employees and see how they react based on their training. This helps inform my team on security training – what’s working and what needs to be reiterated. All these efforts are in hopes of avoiding an attack. But there are security conferences every year where hackers come together and there is always a vulnerability that is found and exposed. This shows that there is no system that can’t be hacked. It’s also why it’s critical to continue vulnerability testing in addition to security training and introducing security patches on an ongoing basis.
Given the impact of recent ransomware attacks, it’s especially important for CFOs to be involved in cybersecurity as part of their risk management efforts. It’s also critical for finance leaders to work closely with their CTO or CIO to ensure there are proper controls in place to protect the business against cyber threats. Without a collaborative effort from both the Finance and Technology teams, businesses risk exposing a vulnerability to an even more vigilant world of cyber criminals.
The CFO Corner is a recurring series on the Motus blog featuring advice from Motus Chief Financial Officer Tim Brown who has spent his career working with technology and growth companies as an executive and investor. The topics covered range from management best practices, insights on industry trends, and advice for the modern finance leader.