You think your data is safe?
So you think your data is safe?
Sharing sensitive financial data in a secure manner is an increasingly thorny challenge.
Departments typically partner with IT to set up a secure financial information storage and sharing system — giving access across platforms, including mobile devices — but often neither function monitors who is accessing the data. Device-agnostic electronic access anytime, anywhere, increases the potential for a financial information data breach, it could be a journalist or a competitor, or a recently terminated employee.
If management is secretly hoping this is IT’s problem, unfortunately, it’s not. Particularly in the case of M&A, financial statements, and proprietary company intelligence, this will affect the bottom line. So it’s incumbent upon the company to guarantee the security of financial information — not only by making sure that proper access controls and technologies are in place, but also by making sure that everybody understands the importance of following the procedures.
Security vs. Productivity
But companies often find themselves on the horns of a dilemma. Working counter to data-security efforts are dedicated employees who need and expect to be able to share information wherever and whenever they wish — it’s a key component of an increasingly mobile and increasingly productive workforce.
A recent survey by CFO Research, said that having asked 153 senior finance executives they confirmed that productivity frequently takes precedence over information security as employees race to meet deadlines and goals. In the survey, which was commissioned by the document management firm RR Donnelley, only one-third (33%) of the respondents said their companies had a formal, enterprise-wide plan for controlling financial information electronically.
And it turns out that just having a plan in place isn’t sufficient. As one treasurer from a financial services firm put it: “We have a fairly robust set of controls in place. The one thing we need to do more of is training and updating employees so that we can be more confident that the rules are being followed.” This treasurer isn’t alone: 80% of survey respondents said their companies needed to improve their communication of security policies.
Virtual Data Rooms
For sensitive information, companies prefer the perceived security and control of internal electronic and collaboration tools. But those “secure” areas (e.g., internal drives, private clouds) are being accessed by employees using their personal devices with tweaked technical controls and security settings, multiple apps running in the background, and social-media sharing defaults long since forgotten.
It is essential controls are put in place to limit access to those who require it, and keep controls on that access tight and constantly reviewed. It is also worth carrying out a complete audit of the systems and processes used to control and protect this data following, for example, the guidelines set out to achieve the Cyber Essentials certification, details of which can be found at https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.