CFOtech Australia - Technology news for CFOs & financial decision-makers
Tue, 16th Aug 2022

As the digital revolution marches on, managing data security has never been more important. The loss or inaccuracy of financial data, in particular, can have a devastating effect on an individual or organisation, and so finance departments and IT security departments must have a strong working relationship. Here are my five important steps to take toward better financial data security.

Step 1: Begin with the end in mind

You must have a plan. Any good IT security plan is built on a solid understanding of the data you manage, your operating environment, your regulatory obligations and your customers' needs. Once you've done your due diligence and have a good handle on these four areas, you can start to develop your plan - and don't forget to include a realistic budget before seeking the necessary approvals. More on this later.

In my own organisation, the customer lens is one of the key drivers behind our information security strategy. We are listening to our customers to plan our security program and helping them to meet their own security objectives.

Step 2: Make it easier for your customers

IT security is complex and difficult in any environment. In addition to improving internal protection, strive to make interactions with your customers as simple and safe as possible.

One effective way to do this is to invest in a self-service capability that gives prospective and current customers transparency on your information security posture: which controls you operate, which policies back them and which independent reports support your claims. This lets customers evaluate your security implementation themselves instead of sending you a bespoke questionnaire each time.

To reduce compliance efforts for customers, we also invested heavily in obtaining a number of independent attestations and certifications confirming our strong security posture. These include ISO 27001, SOC 2 Type 2, PCI DSS and IRAP. They are all independent, industry-recognised assessments that reduce the need for customers to undertake their own security audits and, where an audit is still required, greatly reduce the time customers need to spend on their own security assessments.

Step 3: Keep one step ahead

My team and I are continually monitoring information security threats. One of the prominent threats at the moment is credential compromise, where malicious actors try to guess passwords or steal them through phishing and reuse of passwords leaked from other services.

A typical response to these attacks in the past has been to keep making passwords longer, adding special characters or changing them frequently. These measures make access to our systems increasingly complex and bring limited protection: forced complexity and rotation push people towards predictable patterns and reuse, and a password that has been phished or leaked elsewhere is no safer for being long.

To find the right balance between ease of use and security, we have launched a single sign-on capability. We can give customers the option to use the same username, password and token they use for their internal systems when accessing ours, by delegating authentication to their own identity provider. This means access can be co-controlled by their own teams, who typically keep control of multi-factor enforcement and of revoking access when someone leaves, thus easing the compliance burden and making it easier to do business with us.
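The monitoring described in this step is usually done by looking at authentication logs for the two shapes that password guessing takes: brute force (many failures against one account) and password spraying (one source trying a few common passwords against many accounts, which per-account lockout never sees). The following Python is an added example written for this article, not code from the author's organisation or from any product it mentions. The log format, the field names, the thresholds and the sample log lines are all assumptions constructed for the demo.

```python
"""Spot password guessing in authentication logs (illustrative example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. The format
# "<ISO timestamp> <RESULT> user=<account> src=<ip>" is an assumption.
SAMPLE_LOG = """\
2022-08-16T09:00:01 FAIL user=alice src=203.0.113.7
2022-08-16T09:00:03 FAIL user=bob src=203.0.113.7
2022-08-16T09:00:05 FAIL user=carol src=203.0.113.7
2022-08-16T09:00:07 FAIL user=dave src=203.0.113.7
2022-08-16T09:00:09 FAIL user=erin src=203.0.113.7
2022-08-16T09:00:11 FAIL user=frank src=203.0.113.7
2022-08-16T09:00:13 OK   user=frank src=203.0.113.7
2022-08-16T09:10:00 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:04 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:08 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:12 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:16 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:20 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:24 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:28 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:32 FAIL user=grace src=198.51.100.9
2022-08-16T09:10:36 FAIL user=grace src=198.51.100.9
2022-08-16T11:00:00 FAIL user=heidi src=192.0.2.44
2022-08-16T11:30:00 FAIL user=heidi src=192.0.2.44
2022-08-16T11:31:00 OK   user=heidi src=192.0.2.44
"""


def parse(log_text):
    """Turn the assumed log format into a time-sorted list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _windowed_hits(keyed, window, threshold, count):
    """Slide a time window over each key's sorted events and report the
    key, with the largest count seen, whenever count(window) >= threshold."""
    hits = {}
    for key, evs in keyed.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            n = count(evs[start:end + 1])
            if n >= threshold:
                hits[key] = max(hits.get(key, 0), n)
    return hits


def detect_brute_force(events, window=timedelta(minutes=5), threshold=8):
    """One account, many failures in a short window -> {user: failures}."""
    by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_user[e["user"]].append(e)
    return _windowed_hits(by_user, window, threshold, len)


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """One source, failures against many distinct accounts -> {src: accounts}.
    Each account sees only a try or two, so per-account lockout never fires;
    keying on the source is what makes spraying visible."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    return _windowed_hits(by_src, window, min_accounts,
                          lambda evs: len({e["user"] for e in evs}))


def detect_success_after_failures(events, window=timedelta(minutes=5),
                                  min_failures=3):
    """A success from a source that was failing shortly before: the signal
    that guessing may have worked and the account needs review."""
    flagged = []
    for i, e in enumerate(events):
        if not e["ok"]:
            continue
        recent = [p for p in events[:i]
                  if p["src"] == e["src"] and not p["ok"]
                  and e["ts"] - p["ts"] <= window]
        if len(recent) >= min_failures:
            flagged.append((e["user"], e["src"]))
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("spraying:   ", detect_password_spray(evs))
    print("likely compromised:", detect_success_after_failures(evs))
```

On the sample data the brute-force rule fires only for `grace`, the spray rule only for `203.0.113.7`, and `frank`'s successful login right after six failures from that source is the one to investigate; `heidi`'s two failures half an hour apart are ordinary mistyping. The thresholds are deliberately conservative illustrations and should be tuned to your own login volumes.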

Step 4: Build security into your culture

My strong view is that company culture is critical when it comes to building and maintaining a robust security posture. Make security visible: speak to your teams regularly, present at staff forums, send security awareness newsletters and be collaborative around risks.

If data and its security are the focus for your organisation, you may even want to consider building its protection into your company values and behaviours, so your team can live it on a daily basis.

Step 5: Think: what if?

Finally, always be prepared for security breaches. It's a little bit like home safety: by putting locks on doors, your risk goes down, but don't put all your eggs in one basket. There's still a chance for bad people to get in, so you have to accept this, be able to detect intruders when they do, and have a rehearsed plan for responding to them.

I often tell the story of a neighbour who had his push bike stolen. It was a $5000 bike, protected by a $30 chain that someone broke after jumping his fence. After that, he realised the inadequacy of this protection and reassessed the value of his property, realising the deeper investment he needed to make to protect his asset. The bottom line is that if you have multi-million-dollar data assets, you have to have an in-depth strategy to protect them and an appropriate budget along with it. A common benchmark is between 10% and 15% of your IT budget.