Out of 100 North American CFOs surveyed by Deloitte in Q2 2015, 97% said that they consider cyberattacks to be a major threat to their companies, yet only 10% believe they are well-prepared for cyberattacks.
Grant Thornton reported that for roughly 40% of organizations, the CFO makes the ultimate decisions about cybersecurity spending.
Although CFOs may lack a technical background, their control of the budget means they must understand the risks their organizations face and the cost of mitigating them in order to make sound decisions. A first step is to identify the type(s) of sensitive data the organization must protect and the penalties for non-compliance with any regulations that govern that data, such as HIPAA for electronic health records or PCI DSS for payment card data. A cyber risk assessment can uncover areas of weakness, recommend remediation, and provide a prioritized plan for addressing the findings. Having the assessment performed by a third party matters because internal IT staff can only report the vulnerabilities they know to look for; an outside assessor brings expertise the internal team may not have and no stake in the results.
It is also critical to have monitoring in place to catch a breach or attempted breach as quickly as possible. No method of prevention is 100% effective; however, threat detection tools combined with human analysts who investigate and validate suspected anomalies can minimize your exposure if you are targeted. The goal is to shorten the time between compromise and discovery, since the damage from a breach grows the longer an attacker goes unnoticed.
Finally, have an incident response plan. It should cover the technical steps to contain the breach and remediate the damage, as well as notification of legal counsel (and public relations if needed), depending on the type(s) of data exposed and the size of the breach. It should also be rehearsed before it is needed, for example in a tabletop exercise, so that the people named in it know their roles. It is very difficult to think of every aspect of what needs to happen in the heat of the moment, but a well-thought-out plan leads you through it step by step to ensure that any incident is handled appropriately.