Survey: Potential for undetected data breaches worries CFOs

July 23, 2014
Target breach places increased pressure on the C-Suite to secure data

According to the results of a recent survey conducted by audit, tax and advisory firm Grant Thornton LLP of over 1,000 chief financial officers (CFOs) and corporate controllers, a majority of respondents (59 percent) indicated that the potential for undetected breaches was the top cyber security and data privacy concern at their organization.  

Given the fallout from last year’s payment card data breach at Target, which has resulted in the resignation of the retail giant’s CEO, CIO and even calls from one proxy advisory firm for the ouster of most of the company’s board members, it should come as no surprise that cyber security is now top of mind for most corporate executives.

“I think (these survey results) really just memorialize where the trend is going and that is it’s no longer just an IT security manager’s responsibility or role within the organization, that the C-level executives are getting involved and they understand that it has to be an enterprise-wide look at what they have,” said Skip Westfall, managing director, Forensic Technology Services leader and Cybersecurity Services co-leader at Grant Thornton. “Cyber security is no longer just an IT function; it is a whole company function from the board to the audit committee to the C-level all the way down. In the past, the trend has been that the CFO typically took a hands off approach. It really was a security issue and therefore, we have IT security people in corporations and they’re handling this and now what you’re seeing is a lot of times a CFO sits on a committee or has an active role in the policy setting and ongoing review of their cyber security practices.”

While Target certainly wasn’t the first data breach to occur at a high-profile company, Westfall said that two important things came out of it as it relates to senior executives; vendor management and protecting data outside the “four walls” of the organization and secondly, the need for greater situational awareness by companies in detecting and mitigating the damage of breaches.

“I think what Target realized was that the weakest link in the chain might not be within your own organization, but might be a partner of your company,” explained Westfall. “There’s so many people out there looking to crack the next big story that the time a company has from the time a data breach is discovered to the time that it goes public is such a short, small window that if they don’t have a full, organization-wide approach to responding to the breach then they can find themselves in a very bad situation publicly. Then you’re getting into an unmeasurable value on your brand damage and what damage is done to your brand based on the lack of situational awareness.”

In addition to undetected data breaches, other cyber security concerns among respondents included;   customer/client data privacy (54 percent); unknown and identified risks (50 percent); employee and workplace data privacy (42 percent); and, compliance with data security laws (32 percent). Given the recent talk about the increasing likelihood that federal lawmakers may pass comprehensive data protection legislation as well as similar laws already being passed by foreign nations, Westfall said these numbers may skew differently in the future.

“I think what you’re going to find are companies understand that the global market is shrinking,” added Westfall. “In the past, they really didn’t have to think about European data privacy laws and Asian data privacy laws, but it’s rare that a major or even a mid-major sized corporation is not dealing in some way, shape or form with what I would call foreign data and now they’re being exposed to that, the light bulb is going off that they have to handle this data differently.”  

Despite the concerns that many corporate executives now express regarding cyber security and data privacy within their organizations, there still seems to be a disconnect between the gravity of the problem and what’s actually being done to mitigate the threat. For example, another survey by Grant Thornton found that while more than 40 percent of in-house counsel claim that the risk of a cyber security/data privacy breach has increased in the past year, 17 percent said that they were still unsure about what was being done to address these risks in their organizations.

“You’re kind of finding the convergence of many different business units and C-level executives… so the awareness factor is coming in various different forms from different people,” said Westfall. “CFOs, CEOs and audit committee members are being made aware of this because they don’t want their organization on the front page of the paper. IT is being made aware of this because there job is to secure the data and other positions in the company are coming about it by listening to how it affects their business unit. All of them understand their role in cyber security, but I still think companies are struggling with how do we pull all of that together? What is the hub for all of this? That’s just a natural part of the maturation process for the company as they mature their cyber security defenses and practices.”      

While many executives tend to view data breaches in terms of large-scale cyber incidents like Target or something along the lines of the Heartbleed bug, Westfall said they fail to realize that oftentimes a data breach can still involve something as simple as misplaced or stolen paper documents and don’t always involve a sophisticated hacking scheme.

“We’re not away from the days of dumpster diving. We’re not away from sending out copies of information and records to outside service providers like law firms and accounting firms,” said Westfall. “When I talk to organizations about that and bring that up, it’s almost like it’s the last thing on their minds. They have to start thinking in the framework that the data can be in any format – it can be paper, electronic, mobile media, and cellphones – and they have to think outside-the-box about these unknown risks.”