According to the results of a recent survey conducted by audit, tax and advisory firm Grant Thornton LLP of over 1,000 chief financial officers (CFOs) and corporate controllers, a majority of respondents (59 percent) indicated that the potential for undetected breaches was the top cyber security and data privacy concern at their organization.
Given the fallout from last year’s payment card data breach at Target, which has resulted in the resignations of the retail giant’s CEO and CIO, and even calls from one proxy advisory firm for the ouster of most of the company’s board members, it should come as no surprise that cyber security is now top of mind for most corporate executives.
“I think (these survey results) really just memorialize where the trend is going and that is it’s no longer just an IT security manager’s responsibility or role within the organization, that the C-level executives are getting involved and they understand that it has to be an enterprise-wide look at what they have,” said Skip Westfall, managing director, Forensic Technology Services leader and Cybersecurity Services co-leader at Grant Thornton. “Cyber security is no longer just an IT function; it is a whole company function from the board to the audit committee to the C-level all the way down. In the past, the trend has been that the CFO typically took a hands-off approach. It really was a security issue and therefore, we have IT security people in corporations and they’re handling this and now what you’re seeing is a lot of times a CFO sits on a committee or has an active role in the policy setting and ongoing review of their cyber security practices.”
While Target certainly wasn’t the first data breach to occur at a high-profile company, Westfall said that two important things came out of it for senior executives: first, vendor management and protecting data outside the “four walls” of the organization, and second, the need for greater situational awareness by companies in detecting breaches and mitigating the damage they cause.
“I think what Target realized was that the weakest link in the chain might not be within your own organization, but might be a partner of your company,” explained Westfall. “There’s so many people out there looking to crack the next big story that the time a company has from the time a data breach is discovered to the time that it goes public is such a short, small window that if they don’t have a full, organization-wide approach to responding to the breach then they can find themselves in a very bad situation publicly. Then you’re getting into an unmeasurable value on your brand damage and what damage is done to your brand based on the lack of situational awareness.”
In addition to undetected data breaches, other cyber security concerns among respondents included: customer/client data privacy (54 percent); unknown and identified risks (50 percent); employee and workplace data privacy (42 percent); and compliance with data security laws (32 percent). Given the recent talk about the increasing likelihood that federal lawmakers may pass comprehensive data protection legislation, as well as similar laws already being passed by foreign nations, Westfall said these numbers may skew differently in the future.
“I think what you’re going to find are companies understand that the global market is shrinking,” added Westfall. “In the past, they really didn’t have to think about European data privacy laws and Asian data privacy laws, but it’s rare that a major or even a mid-major sized corporation is not dealing in some way, shape or form with what I would call foreign data and now they’re being exposed to that, the light bulb is going off that they have to handle this data differently.”