When it comes to protecting data from cybersecurity attacks, organizations must remember that not all data is created equal. Businesses must prioritize safeguarding their most valuable information assets, and CFOs are obligated to work with senior cybersecurity leaders to ensure this happens.
“In order to identify the proper protection of data assets, CFOs should be working with their data organizations to help identify the value of ‘crown jewel’ data assets,” said Charles Soranno, a managing director at global consulting firm Protiviti. “Based on the value of the data assets as well as sensitivity, proper data security controls should be put into place.”
Where’s the value?
What constitutes “valuable” data might differ to some extent among organizations. However, certain types of information are high priorities for nearly all businesses.
This includes any personal information related to customers and employees, data about client transactions, operational data, intellectual property and trade secrets, product blueprints and financial data including budget and forecasting information — to name a few.
The most valuable data assets for a company can vary based on the type of vertical in which it operates, said Daniel Shaul, principal consultant of hybrid cloud security at Stratascale, a cybersecurity consultancy.
“A company that operates in healthcare is likely going to focus on personal health information while one that operates in the retail space might care most about protecting credit card information,” Shaul said. In general, most companies that are obligated to respond to regulatory audits will care most about the data that the regulation is focused on.
“The one consistency across all these forms of data is that each is attractive to cybercriminals,” said Mike Maletsky, vice president of technology E&O/cyber at specialist insurer Hiscox USA.
And cybercriminals are becoming more and more capable of targeting valuable data resources within organizations.
“Cybercriminals have become increasingly adept at targeting valuable data by refining their tactics and exploiting both technological and human vulnerabilities,” said Michael McLaughlin, cybersecurity and data privacy practice group co-leader at national law firm Buchanan, Ingersoll & Rooney.
“They employ sophisticated techniques such as phishing and social engineering to deceive individuals into revealing confidential information or engaging with malicious links,” McLaughlin said. Ransomware attacks, in particular, have evolved to become more frequent and targeted.
“Not only are these criminals more adept, but they tend to make a beeline for the most valuable data,” Maletsky said. “Some strike almost instantly, while some lie in wait until the right moment to pounce. A cybercriminal might gain access to an email or network but wait days, weeks, or even months until the opportunity presents itself to take the information that is of highest value.”
For example, Maletsky said, after a breach, cybercriminals will monitor an email inbox, ignoring the low-value emails about meetings or lunch plans and striking when they see a customer’s banking information.
Attackers use publicly available information, such as social media posts and press releases, to craft highly targeted phishing or spear-phishing campaigns, said Mithilesh Ramaswamy, a senior security engineer at Microsoft.
But tactics don’t need to be advanced to be successful. “Cybercriminals use sophisticated — and also unsophisticated — phishing schemes and ransomware attacks, targeting smaller organizations that may not have robust defenses,” said Forrest Webber, an analyst at Plastic Fusion Fabricators, a manufacturer of custom thermoplastic containment systems.
Using unsophisticated schemes, “it isn’t difficult for them to trick the older generation workforce,” Webber said. “So gaining stolen data doesn’t have to be that complicated.”
Plastic Fusion regularly does environmental containment work for some of the largest companies in the U.S. “Because of this, we’ve had to up our game in this arena to protect us and our customers,” Webber said. “We also have several proprietary designs that need protection.”
Advice for CFOs
Finance leaders in any organization should be closely involved in efforts to protect valuable data. There are several best practices they can follow to be more effective.
First off, they should work closely with other senior executives such as the CIO or vice president of IT, CTO, CISO or other security leader, the legal team, the chief privacy officer, chief data officer and others to determine which data assets need extra protection and the best ways to move forward.
CISOs should be dictating the regulatory and cybersecurity needs of the organization, Shaul said. CDOs and CIOs should be dictating the management of data access and storage needs, he said, and CTOs should be dictating the technical architecture of the organization.
“A critical step CFOs can take to identify and protect valuable data is to first understand the different levels of data classification complexity,” Shaul said. “Straightforward sensitive data assets like credit cards, social security numbers, email addresses, etc., are generally easy to identify, while data types like intellectual property or forward-looking financial information are trickier.”
The harder data is to find and classify, the higher the risk of it accidentally being shared externally, Shaul said. “Addressing this risk often requires the creation of an organization-specific labeling methodology to account for that company’s most valuable data types as part of a broader cybersecurity strategy,” he said. “A CFO that is aligned with this strategy can help ensure its organizational adoption and accuracy.”
An organization should fully understand the type of data, its value, where it is stored or shared and if any of it is subject to regulations, Maletsky said. “The best way to accomplish this is to conduct regular data audits with multiple departments to ensure the full scope of data is understood,” he said. “This audit will help an organization determine how data is collected, used, and stored and identify risks that can be addressed.”
Companies can deploy data classification and risk assessment tools to help catalog and prioritize sensitive information, ensuring critical assets are secured first, Ramaswamy said. They can also budget for cybersecurity solutions such as data encryption and multi-factor authentication.
Another practice is to promote company-wide communication about security incidents. Plastic Fusion has a specific email address where all employees can quickly send company-wide updates. “We use this to report to everyone whenever someone identifies a phishing email attempt or anything ‘sketchy’,” Webber said.
Training employees to identify suspicious emails and other tactics used to access data is another good idea.
“Ensuring your workforce is well-trained is a key strategy for protecting sensitive information,” McLaughlin said. “Cybercriminals often prey on human weaknesses through tactics like phishing and social engineering. Conducting tabletop exercises with outside legal counsel can help prepare the team to respond effectively to potential breaches, ensuring that everyone knows their role and responsibilities in the event of a cyber incident.”
Most cyber events stem from human error, and many companies credit a lack of employee awareness as a key factor in increased cyber risk, according to the Hiscox Cyber Readiness Report.
“By providing a robust cybersecurity awareness training program for employees, a company can establish a ‘human firewall’ fighting on the front lines against cyber criminals,” Maletsky said.
Plastic Fusion regularly sends test emails to all staff members to see what they do. “If anyone clicks on the test phishing email, we discuss why they did it and what they can watch out for next time,” Webber said.
Finally, companies should consider hiring outside expertise for help. Plastic Fusion has subcontracted cybersecurity professionals to help better protect its information assets. “A gambling website hacked our website last year, and without the subcontracted [expertise] we wouldn’t have been able to reverse the attack,” Webber said.





