If you are a CFO, you carry a lot of confidential information with you, you keep a lot of it in your office, and your email and messaging systems are full of material, non-public information. If you want to save yourself from embarrassing leaks, at least practice some very basic security measures.
The very first step is to become aware that the risk exists. You are reading this blog entry, so you must care enough. I cannot cover every possible example in a single blog entry, but I will try to give at least a grand overview of the biggest holes and issues you may face. I will be broader than just IT, but almost everything we do today comes from some digital source.
Before I go into my review, one caveat: it is impossible to fully secure a typical commercial establishment against very sophisticated resources. If you have drawn the attention of national spy agencies or very skilled criminal groups, then you will be under even greater threat. Encryption is not even the most reliable option, as there is reasonable evidence that the algorithms at the heart of most publicly available encryption were designed and seeded in such a way that agencies like the NSA could break them. Just because you cannot reasonably expect to always stop such threats does not mean you should not make it harder for the average threat to get through.
Even if you are very modern and rely heavily on computers, you will generate a fair amount of paper. I personally also carry around a Moleskine notebook (the small size) which I use to quickly jot down notes in meetings. All of this paper is a potential leak.
Close to earnings reports, you will almost certainly have financial statement drafts and drafts of your press release printed out. Not just you: your Controller and your consolidation staff, your Investor Relations staff, and your auditors and lawyers probably have advance copies. You need to try not to make it trivial to get access to the information. This starts with controlling access to the paper.
Before you start feeling smug about the receptionist and the locks on your office doors, think a little more broadly. It is almost certain that cleaning staff and security staff have master keys to enter any office. Many of these are even outside contractors. You also probably have meetings in your “secure” office during the day, sometimes with outside vendors. If you leave sensitive copies on your desk or just casually toss drafts into your regular garbage, you are exposing yourself to more risk than you should be.
The measures to take are simple. Unless you are working on the pages, at least keep them turned over. If you are throwing out a draft, shred it or put it into a controlled container that will be shredded. Lock papers away in your desk out of sight when you leave for the day. If you are traveling with a paper draft, then be very sure and paranoid about its location and do not leave it easily accessible in your hotel room.
One final area of physical security you should worry about is reading sensitive documents, on a screen or on paper, in public places. In particular, in an enclosed space such as an airport, an airplane, a train station or a train. Most of my travel is business travel and I tend to have lounge access, and if I am not sitting in business class, then I am up front in the more comfortable coach seats. All around me are other businesspeople, and I can tell you from personal experience that it is very easy to read other people’s screens without even meaning to or making an effort to. The same goes for overhearing phone conversations: many people talking on their phone use headsets and really have no idea just how loud their voice is (and my natural speaking voice is pretty loud). There are privacy films that can be used on laptop screens that greatly reduce the viewing angle, and you can be cautious about how you tilt or otherwise position your screen (likely to be a tablet or phone as well these days). Keep your phone face down to hide the message preview. Use code words for transactions.
The second big danger that your company will face from a determined attacker is what is called social engineering. Social engineering is an attack that focuses on what is often the weakest part of a company’s security – the employees. It is remarkable what someone who is confident and expresses themselves well can convince employees to do. A call to your admin from someone claiming to be from IT who needs access to your account to do testing or upgrades can result in your password being given out. In one of my recent jobs, I received several emails a month that claimed to be from my boss requesting that a wire transfer be sent. You would think that such an attempt would never work, but fraud of this nature is already costing companies billions of dollars.
I want you to think about that. A simple spoofed email is allowing criminals to steal billions of dollars from companies. This is not a sophisticated and highly technical virus or exploit; this is a simple plain text email requesting that money be sent. The same type of scam is done on a smaller scale targeting the elderly via a phone call claiming that a family member is in trouble and needs an urgent wire transfer, but a phone call is not even needed in some cases.
The only defense against this is training and awareness that it will be attempted. No one will fall for such a scam if they know it could happen and have their defenses engaged, so make sure your staff is aware. I would alert my Treasury team occasionally about the emails I was receiving and warn my boss as well. Our IT team tried to modify our spam filter to catch more of those emails, but they are not the easiest to screen out without catching too many other emails.
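The spam-filter problem described above comes down to a handful of header and wording checks. This is an added example, not code from the original post or from any IT team it mentions: it parses a constructed "boss wants a wire" message and lists the indicators a mail filter could score. The company domain (example.com) and the executive directory are assumed, constructed values.

```python
"""Flag inbound mail that looks like an executive-impersonation wire request."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed company domain (constructed)
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed executive directory
URGENT_MONEY = re.compile(r"\b(wire|transfer|urgent|confidential|asap)\b", re.I)

def bec_indicators(raw_message: str) -> list:
    """Return the reasons a message resembles a spoofed 'boss wants a wire' email."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reasons = []
    # 1. A known executive's name on the From line, but not their real address.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        reasons.append(f"executive display name with mismatched address {addr}")
    # 2. Sender is outside the company domain (look-alike domains land here).
    if addr and not addr.endswith("@" + COMPANY_DOMAIN):
        reasons.append("sent from outside the company domain")
    # 3. Reply-To silently redirects the conversation to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"reply-to diverges from sender ({reply_to})")
    # 4. The body pushes for an urgent, quiet payment.
    body = msg.get_payload()
    if isinstance(body, str):
        hits = sorted({m.lower() for m in URGENT_MONEY.findall(body)})
        if hits:
            reasons.append("payment-urgency wording: " + ", ".join(hits))
    return reasons

# Constructed sample of the kind of message the post describes.
SAMPLE = """From: Jane Doe <jane.doe@example-mail.co>
Reply-To: jdoe.ceo@freemail.example
To: cfo@example.com
Subject: Quick favor

Need a wire sent today, keep it confidential. Will send details ASAP.
"""

if __name__ == "__main__":
    for reason in bec_indicators(SAMPLE):
        print("-", reason)
```

A single indicator is weak on its own; requiring two or more before quarantining is what keeps legitimate external mail from being caught, which is the trade-off the post describes.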
Remember that criminals know that a few people have access to earnings releases and other highly sensitive documents and that you are one of those people. Plan accordingly and keep your guard up. Do not give out your password. Don’t open attachments in email from people you do not know, and make sure that even people you do know are not sending you executable files. All the hard work your IT team does in securing your system can be undone in an instant if employees open attachments without thinking. In general, opening emails on your phone or tablet instead of your laptop is a little safer, but smartphones can be compromised and it is not a sure thing. Even the iPhone, with its curated App Store, had malicious code inserted on a mass scale by programmers in China who used unofficial development tools because they could download them faster than the official ones.
Don’t use simple, easy-to-guess passwords, and don’t write your passwords down where they are accessible. Make sure that your browser does not remember and autofill crucial passwords like those you use for banking.
In general, a phrase consisting of two words, at least one character in CAPS, a number and a special character makes your password much stronger and harder to break. It also makes it easier to memorize if you use a phrase. Try to change your passwords occasionally, and don’t use facts like your birthday or family member names that can be easily researched online, especially in today’s open, social-media-filled world.
Let me say this again: don’t write your password down. If IT has a system of generating impossible-to-remember passwords under the mistaken assumption that nonsense characters are best, push back on that. All it leads to is post-it notes with the password written down, and that gives the cleaning lady full access when no one else is in the building.
When you travel, it is quite common to connect to hotel and other shared networks, like those in airports. Everything you transmit is open and public. Most websites and email systems do encrypt passwords and other sensitive information, but many do not, and not everything will be protected. Use a VPN (virtual private network) where you can. Otherwise, assume that what you share over the Internet can be read by any determined person on the network. Not that they need to, as you are typing in plain sight and talking loudly on your cell phone.
Home router and home network
Have you ever updated the firmware on your home router? How about changing the default user ID and password to something else? And the security cameras in your house: do you realize that they often have mini web servers embedded in them, and that they all ship with default user IDs and passwords as well?
Maybe you’re just the CFO of a small company and it really does not matter, but maybe you’re not and it does matter. It is usually pretty trivial to find out where people live. Wi-Fi does not stop at your house walls (or apartment walls), and if someone can get onto your network you might as well be on a public network.
The same goes for the Network Attached Storage I suggested you buy in an earlier blog post. They are all Linux based, and quite a few have had massive security flaws. So all the documents you store there can be vulnerable, especially if you open it up so you can use it from outside your home.
I think that a good firewall (usually the router is the best line of defense for that) is important and not opening strange attachments is second on the list, but make sure that you also have some defenses against virus attacks on your computer. Remember that you probably have kids and they may not understand the risks, especially when they are younger. They can get their PC infected, and since they are on your home network, you are at risk as well.
IT Policy and Awareness
As much as you might think that your IT team is on top of typical threats, it really depends. The more central control your IT department asserts, the less vulnerable you are to non-standard equipment, but the more vulnerable you are to specific exploits that no one will have defenses against. A super restrictive policy will almost always result in individual employees rebelling, and then your security becomes a function of your least prepared employee.
IT is also especially vulnerable to social engineering, and they control and know the master passwords and access to your networks. If you are not running IT (as many CFOs do), then make sure that security is discussed fairly often at the leadership level.
Where to read more detailed information?
Budget an hour. Go here: https://www.us-cert.gov/ncas/tips and read the topics that interest you.
Oops, there was a leak
Consult your lawyers. If material, non-public information was leaked, you probably have to issue a press release under Reg FD. If private employee or customer information was stolen, you probably have other serious disclosure obligations.