News broke last week of another major data breach—this time against the federal government—resulting in the compromise of millions of current and former employees’ personal data. AFP compiled four best practices for corporate treasury and finance professionals to help their organizations avoid similar incidents.
Take an “outside-in” approach. In order for the private sector to avoid falling victim to a breach like this one, Brad Deflin, president and co-founder of Total Digital Security and speaker at the recent CTC Corporate Treasurers Forum in Chicago, believes companies need to switch up their mindsets. “I think that the traditional approach has been inside-out; that is, we start from the core of the enterprise—the server-based architecture—and go out to individual employees and try to protect it all that way,” he said.
Instead, companies would do better to take an “outside-in” approach, Deflin explained. Companies should look at their high-level, decision-making executives who operate in remote locations. Those individuals’ remote offices, homes, vacation homes, private airplanes, etc. should be equipped with top cyber defenses. That way, whenever those individuals connect to the network, it isn’t a gateway for a hacker. “That line of demarcation between our professional lives and our personal lives, as it pertains to our technology, simply is not there,” he said.
Personalize the issue. Furthermore, Deflin had advice for corporate treasurers who are having trouble convincing the upper echelons of their companies of the seriousness of cyberthreats. “Think about saying to your key executives, ‘We want to protect your home. We want to protect your family,’” he said. “If key executives are thinking about this in terms of their kids, their level of understanding and awareness will be elevated to a completely different level. The buy-in comes when you personalize the issue.”
Make sure that your business continuity plan includes cybersecurity. A treasurer at this week’s Treasury Advisory Group (TAG) meeting noted that her organization realized that its business continuity plan did not include a cybersecurity component—even after experiencing a cyber-incident. Since that time, she has involved IT in the process. “They focused on our other systems, and [treasury] just needed to partner with them a lot more to take a look at what we’re operating with,” she said.
Another treasurer at the meeting explained that her treasury team took a different approach. Its existing business continuity response network is responsible for handling breach responses so that IT can remain focused on its traditional duties. “In the event of a cyberbreach, we want our IT areas to be down in the trenches, working on the recovery,” she said. “We didn’t want their organization to have to be the incident response in addition to that. And it’s been great. It’s not like our business continuity people didn’t pay attention to cyberbreaches before then, but since bringing them in, that’s helped marry those two areas together.”
Work with information sharing and analysis centers (ISACs). Also at this week’s TAG meeting, a representative of a major bank advised treasury and finance professionals to partner with ISAC communities, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Retail-ISAC. ISACs promote awareness of top cybersecurity threats and defense through sharing information and are therefore a great source for helping corporations protect themselves. “We even encourage small business owners who don’t even have IT departments to show up at their local ISAC meetings,” she said.
The Latest Breach
Last week, the United States Office of Personnel Management revealed that 4 million current and former government employees’ personal information had been compromised in a breach. The agency is the government’s human resources department, and its database contains information for high-level security clearances.
Deflin noted that this breach is yet another clear indication of the value of our personal information. “If you look at this mega breach, the real target is this personal information,” he said. “It can be traded, sifted and sorted to do almost anything you want, once you have enough of it.”