I recently spoke to a hacker who told me that the last thing he hacked was a city because someone had told him it was impossible. He saw it as an intellectual challenge.
Security threats to businesses today are everywhere. Some are motivated by malice; others by money. The term “crime wave” seems an understatement when you consider that cyber-crime costs are projected to reach US$2 trillion globally by 2019, according to Juniper Research. That’s almost a four-fold increase on the cost of data breaches in 2015.
As our lives and enterprises become increasingly digitized, it’s putting CFOs and CISOs in the hot seat. You’re effectively in charge of a cyber playground, and the criminals are having a good year. Security stopped being an IT problem years ago. It’s now a mainstream business issue. And as a business risk, it requires a business response, not just a technical one. That’s why I want to use this blog to outline a few high-level thoughts.
At SAP, we experience an average of 10,000 hacks per day, stemming from different motivations. Protecting a company our size has its own set of unique challenges: a global network in 70 countries, with 220 subsidiaries, connecting 83,000 end users, 100,000 PCs and laptops, and 95,000 servers. Yet, we have a relatively low rate of measures requiring attention (MRAs).
How? Because we focus our enterprise threat detection systems where it matters most, on where the important data resides and flows, rather than relying on a perimeter-only security approach. You can read more about that here.
While I can’t cover everything in one blog, I’d like to draw your attention to three red flags that we see time and again.
- Have you educated at all levels? The majority of internal information security breaches are committed by junior staff or middle management. All employees should be trained for compliance, and security should be built into the culture of the company rather than bolted on as an afterthought. You’d be amazed at how many of your colleagues are unwittingly helping intruders. Information security training and awareness should take place at every level of your organization.
- Are your IoT initiatives opening the door? Take a closer look at your controls and processes, particularly with regard to Internet of Things (IoT) initiatives and even small projects. IoT brings significant advantages and insights, but security must be built in at the outset – not just in the devices, but also in the applications and network connections that link them. Think about production systems (formerly cut off from the outside) that are now potentially connected to the Internet. Make sure you’re not vulnerable at the “edge,” since a weakness there can put your complete business at risk. Also, review your processes and controls so that they flag, identify, and prevent changes that are inconsistent with security policies; for example, monitor for unauthorized changes to settings and for any profile changes to sensitive user IDs. Your security governance must be enforced consistently and proactively – and it starts with processes. You also need to focus your efforts on where the most important data resides.
- Do you have a holistic approach? The cornerstone of a secure company is an effective information security management system and a security governance model that brings all the different aspects of security together. Processes should be supported by an integrated and effective internal control system across the company. Implement a modern technology platform that enables a holistic approach to cyber-crime and security attacks, with real-time monitoring and preventive measures. These capabilities combine a variety of defense lines, including management oversight, independent audits, sophisticated compliance, and risk analytics, to predict and react before any damage happens.
If you’d like more advice, you can read the full statement of principles on Business Application and Information Security in the New Digital Economy.
For more resources on enterprise risk and compliance management, read the Forrester report: Adopt Three Lines of Defense Technology To Manage Governance, Risk and Compliance (GRC) and check out the GRC eBook and the Value Calculator.