Post on 25-Aug-2020
CYBER AND DATA SECURITY IN THE MIDDLE MARKET
TABLE OF CONTENTS
Introduction: As Digital Ecosystem Grows, So Do Cyber-Threats
Chapter 1: Cyber-Hackers: Waging War Against an Invisible Enemy
Chapter 2: Enlisting Employees to Fight Hackers
Chapter 3: Finance and IT: Partners in Cyber-Crime Fighting
Chapter 4: Cyber-Insecurity: Are Finance Executives Overlooking Third-Party Risk?
Chapter 5: As Security Becomes a Priority, Will Checks Be Written Off
Chapter 6: Cards in a Cyber-Secure Company: Receiving Payments
Conclusion: With Improved Security Posture, Companies Gain Better Standing
INTRODUCTION: AS DIGITAL ECOSYSTEM GROWS, SO DO CYBER-THREATS
The language of cyber-hacking may seem clumsy and amateurish—with
makeshift words like “phishing” and “ransomware” used to describe
specific techniques—but the consequences of a data breach can be
devastating to a company’s finances and its brand reputation.
And there’s no single way to block virtual intruders, whose schemes are
constantly evolving. For finance executives and their C-Suite peers, the
ongoing challenge is to remain informed and mobilized to respond should
an outsider break into the company’s network.
A recent survey found that the need to confront cyber-hackers, and thwart
them, unites U.S. finance leaders across industries. The survey, titled Cyber
and Data Security in the Middle Market, was conducted by CFO Research,
in collaboration with Visa and U.S. Bank. The online questionnaire drew 316
responses from U.S. finance executives, a plurality of whom hold the title of
CFO, with controllers also amply represented. All respondents work at companies
with annual revenue of more than $25 million and up to $500 million.
As digital ecosystems continue to expand—reshaped by fast-spreading
technologies like the Internet of Things and Artificial Intelligence—finance
executives can expect that cyber-hackers will grow proportionally more
sophisticated. That means cybersecurity must become a top-most
priority throughout the organization. How will that collective mindset
shift reorganize the business? In the eBook ahead, you’ll learn how an
organization is transformed by focusing on cybersecurity, ranging from
changes in how employees work, to which functions must collaborate
more closely, to what processes, such as payments, will undergo
technological makeovers.
Hindering hackers means more than keeping up to date by installing the
latest automated threat-protection tools. For safety’s sake, it requires
building an organizational culture centered on accountability and
awareness.
CYBER-HACKERS: WAGING WAR AGAINST AN INVISIBLE ENEMY
When it comes to cybersecurity, the advice CFO
Rick Mills gives to fellow finance executives is
straightforward—and chilling. “Until your company
has been hit by an attack,” says the finance chief of
online retailer Headsets.com, “you probably think
you’re more protected than you are.”
Mills isn’t trying to amplify the anxiousness finance executives already feel
about the cyber-crooks that are constantly circling, testing different tools
for cracking open a company’s network. “As an individual, it’s discouraging
to know that there are people out there who are focusing on hacking your
data and taking your site down,” says Mills. “But I’ve gotten numb to that.
We’re doing the best we can, but I’ve learned that it’s pretty impossible to
become immune to them.”
It’s a lesson Mills absorbed the hard way. But the CFO Research survey
found that most CFOs are hyper-alert to and ultra-concerned about
coming under attack by cyber-hackers—even if they haven’t been
drawn into hand-to-hand combat with their invisible foes. As one survey
respondent instructs, “Always assume that someone is trying to get
access to every process and bit of information possible, and be vigilant in
following the proper procedures to help ensure nothing is compromised.”
Among survey-takers, only 21% have had business activities disrupted by
hackers in the past two years—compared with the 37% who report having
had physical property swiped during that same time frame. In terms of
damage, the proportion of respondents whose companies have suffered
the loss of customer data, financial assets, or intellectual property reaches
no higher than 15% (see Figure 1).
FIGURE 1 BREACH FRONT Has your company been the victim of any of the following security breaches in the past two years? (percentage answering “Yes”)
Physical property: 37%; Disruption of business activities due to hackers: 21%; remaining bars (15%, 15%, 11%): Theft of customer information; Theft of financial assets; Intellectual property
Not that finance executives of middle-market companies consider their
businesses, by virtue of their scale, to be less appealing targets to cyber-
criminals. Only a quarter (25%) of respondents see their companies as “too
small to be the target of cybersecurity breaches and data theft.” In their
written answers to survey questions, respondents frequently express the
exhausting persistence required to safeguard their proprietary data. They
advise “ongoing vigilance” and “constant checking,” as well as “keeping
your eyes on every detail” and “being proactive, not reactive.”
For finance executives, the respondents sound almost helpless when it comes to
concretely capping the budget for cyber-defense. “Save the data by a
very secure way, whatever it costs,” writes one respondent. Another, in
a slightly less freewheeling mode, suggests “making cybersecurity a big
portion of the IT spending budget.” What’s most important, as collectively
communicated by the finance executives surveyed, is developing a realistic
grasp of the risk, prioritizing the assets that most need protecting, and
equipping the business to bounce back from any hacking-related event.
FIGURE 2 IT’S ABOUT TIME Has a cybersecurity breach caused any of the following types of damage to your company in the last two years? (Respondents could choose multiple responses)
Lost time and other resources due to managing a security breach: 60%; remaining bars (23%, 20%, 19%, 19%, 15%): Loss of valuable information; Loss of revenue; Loss of credibility with customers, suppliers, or the public; Damage to the reputation and authority of the finance or IT function; Loss of financial assets
Such events may include unsuccessful cyber-attacks, which can expose
vulnerabilities that require immediate securing. Among survey-takers, six in
ten (60%) report having lost time and resources as a result of managing a
security breach (see Figure 2).
What fuels the ever-escalating challenge facing finance executives is not
just the relentlessness of cyber-hackers. Freshly emerging technology
such as the Internet of Things (IoT) brings with it additional risks, requiring
companies to make sure their web-connected devices, from factory
machines to surveillance cameras, are fully secured.
The dynamic nature of the cyber-hackers makes them an especially
stealthy opponent. Not long ago, cyber-criminals would infect desktop
machines by enticing users to download fake tool bars. Then came
malware—banking Trojans and the like—that was designed to burrow
inside a machine and steal sensitive data such as log-in credentials. More
recently, cyber-thieves have been unleashing “ransomware” on corporate
networks.
As the name suggests, this category of malware, which is often spread via
phishing emails, encrypts user files then demands that users pay ransom
to regain access. The first time it happened at Headsets.com, the thieves
demanded just under $1,000—but were caught by the FBI. Last year, an
attacker barraged the company’s site with fake traffic, shutting it down.
The attackers demanded $200,000. As a result of having its site shut
down intermittently for a day and a half, Headsets.com lost about $15,000
off its net margin. The company also ended up hiring a service that screens
its web traffic for about $35,000 a year.
“You don’t think you need something like that until you find out that you
really need it,” says Mills. “In fact, we were probably getting off cheaply
by not having that service for a long time. When these kinds of attacks hit
your company is when you find out how common they are.” The answer, by
his calculation: too common.
ENLISTING EMPLOYEES TO FIGHT HACKERS
By now, finance executives know that cyber-thieves
are constantly looking for ways to climb over, or
tunnel under, their firewalls. What they may not
realize, however, is that the gate is frequently left
unlatched—by their own employees. They’re doing so
inadvertently. It’s not as if most employees are secret
cyber-hackers, waiting for the day (their last one,
retroactively) when they can set loose an email
worm capable of compromising the company’s proprietary data. In the
survey, in fact, the majority of finance executives, 56%, confirm that they
view current or former employees as little or no threat. By comparison,
67% of respondents consider hackers or cyber-criminals to be a moderate
or severe threat.
Survey-takers assessed several different aspects of their companies’
awareness—and preparedness—in terms of successfully guarding against
cyber-intruders. In their answers to questions, finance executives offered
evaluations of their companies’ technological tools and skills when it
comes to repelling hackers as well as how much of a priority it is for the
management team and for employees.
Most respondents say they believe that their company’s technology is up
to the task of deterring hackers. More than three-quarters of respondents
agree that their company has deployed the appropriate technology for
effectively managing cybersecurity (see Figure 3). As one respondent
urges, “Maintain an up-to-date security system and monitor the same on
regular basis in real time.”
FIGURE 3 SECURITY GUARD Our company has deployed the right technology to manage cybersecurity effectively.
Agree strongly: 25%; Agree somewhat: 53%; Disagree somewhat: 11%; Disagree strongly: 4%; Don’t know: 7%
A nearly identical proportion agrees that their company possesses the
expertise to effectively manage the cyber-threat (see Figure 4).
Furthermore, the clear majority of respondents, 82%, agree that their
company’s top executives treat cybersecurity with the appropriate gravity
and seriousness. Asked to identify the most important step a CFO can
take to make the finance function less vulnerable to cyber-threats, one
respondent writes: “Due diligence from the top and upper management.”
What matters most, offers another finance executive, is the “tone at the
top.... take security practices seriously.”
That admonition doesn’t just apply to senior management. One survey-
taker stresses the “need to be aware” and to “convey the importance [of
cybersecurity] to management as well as employees.” Guarding against
hackers needs to become an organizational priority, with every company
member accepting accountability for deterring, detecting, and reacting to
cyber-risks as they come up.
In the survey, just under one-quarter (24%) of respondents say they agree
strongly that their “rank-and-file employees treat cybersecurity with the
gravity and seriousness that it warrants.” By comparison, 45% of finance
executives agree strongly that their top executives approach the issue with
the attention required.
FIGURE 4 KNOW HOW Our company has the technical expertise required to manage cybersecurity effectively.
Agree strongly: 24%; Agree somewhat: 55%; Disagree somewhat: 12%; Disagree strongly: 5%; Don’t know: 5%
In their written comments, as well as during follow-up interviews, finance
executives drew a connection between employee awareness and outsider
access. A critical tool for keeping the cyber-pirates from sneaking aboard
is, as one respondent writes, to “make employees aware of the potential
threats so that they can recognize and prevent them.” One respondent’s
advice summarizes the issue simply: “Ensure that all systems are password
protected and that staff is appropriately trained to look for these issues.”
What can go wrong? As they become ever-more skilled at taking
advantage of cracks in corporate systems, hackers can now target
employees with emails that are close to dead ringers for those sent by
colleagues or business partners—the phenomenon known as “phishing.”
At Temkin International, a manufacturer of plastic packaging products, an
email from a vendor included instructions for wiring payment to them. “We
wired the money,” says Controller Dalan Andersen, “and we’re still trying
to figure out what happened. That’s a fishy one.” In any case, it’s become
clear that the vendor had nothing to do with it.
Andersen himself has received emails that “look exactly like they are coming
straight from our owner. He keeps asking me to send him money by wire.”
Despite the persistence of these emails, Andersen knows better. “I know he’s
not the type to ask me to do that over email,” he says. He also knows that
neither he, nor the company’s 400 employees, can depend on his instincts
to fend off cyber-hackers. “The hackers are coming up with new stuff all the
time, and I should know about it before it shows up in my inbox,” he says. “I
read as much as I can. But I probably need to get better training.”
He’s hardly alone. Asked whether their employees have access to training/
education about recognizing and acting on cyber-threats, only one-quarter
of respondents say they agree “strongly” with almost half choosing to
agree “somewhat.” Finance executives clearly see room for improvement
(see Figure 5).
FIGURE 5 WORKING KNOWLEDGE Our company/employees have access to training/education on recognizing cyber-threats and acting on them.
Agree strongly: 25%; Agree somewhat: 46%; Disagree somewhat: 15%; Disagree strongly: 10%; Don’t know: 5%
In their responses to open-text questions, respondents often suggest
that employees must be made more aware of the policies and procedures
they need to follow, from how they choose passwords (seven characters,
combining alpha and numeric characters) to when they change them
(every 60 days). One respondent’s checklist: “Change passwords regularly,
make sure you don’t open spam or spoof emails, and help support
investments in cybersecurity.”
In the absence of seeing an easy way in, cyber-hackers will often choose to
stay away.
FINANCE AND IT: PARTNERS IN CYBER-CRIME FIGHTING
It sounds like the cyber-secure workplace of the
future: where to gain entrance employees present
an ID card and a fingerprint, where using a printer
means swiping it with a key fob, and where it costs
hundreds of thousands of dollars a year to maintain a
high level of data security certification.
That begins to describe The Judge Group, an organization focused on
sealing the kind of gaps in its security systems that cyber-hackers try to
exploit. Based in suburban Philadelphia, the company isn’t some updated
version of the Biosphere2 (the giant, closed-system hothouse used for
ecological experimentation in the 1990s), nor is the business mired in the
intrigue of international espionage. With over $400 million in revenue,
The Judge Group places roughly 5000 people a year in IT and healthcare
positions. “We have a lot of pieces of private information, and we take that
risk very seriously,” says CFO Robert Alessandrini. “There are always rogue
hackers trying to hack anything. We’ve got to be diligent and have the
protective layers so that everything gets stopped outside the bubble.”
Inside the bubble, the task of defending against cyber-hackers is
coordinated by the company’s director of cybersecurity, who combs
through logs and records every day and coordinates with security-related
vendors. When it comes to managing cybersecurity, middle-market
companies tend not to rely on separate departments, or even specially
assembled teams, to quarterback the effort. In a recent survey, one finance
executive explained that, “the Cyber Risk Committee drives our cyber
risk mitigation efforts—a committee comprising the CIO, CFO, CHRO, and
Security VP.”
For the most part, the survey found, middle-market businesses look to
the IT function. In describing their company’s organizational strategy for
managing cybersecurity, about three-quarters report that “cybersecurity
is governed and managed by the information technology function.” (See
Figure 6.) “Having a strong IT department is paramount,” as one survey-
taker puts it.
By contrast, only 12% of respondents say that cybersecurity at their
companies is centered in the finance function. But in their responses
to open-text questions, finance executives stressed the need for the
departments to collaborate, agreeing on strict guidance and carefully
orchestrated steps that the rest of the company can follow.
As technological transformation changes the nature of emerging cyber-
threats, it’s up to the two functions to implement upgrades on security-
related processes and policies, ensure the performance of regular audits,
and zero in on defending against future challenges. In their advice to other
CFOs regarding their role in cybersecurity, respondents frequently bring
up the imperative for finance to interact with IT. Finance executives need
to have “ongoing communication with the head of IT to stay up-to-date on
cybersecurity issues,” writes one finance executive. Another urges fellow
finance leaders to “stay informed and up-to-date with a strong cyber IT
team.” Others advise “working closely with IT,” “keep a close relationship
with the IT department,” and “communicating with the IT team…to ensure
that we are all constantly apprised of potential threats.” Writes one
respondent: “Coordinate with IT staff to assure that all new systems are
vetted by our IT group to make sure they are secure.”
Aside from being attentive, finance executives also encourage their peers
to help IT in a more concrete way: by giving the function the resources
it needs for cyber-related initiatives. “Support the IT function with their
security policies and requests,” writes one respondent. More specifically,
writes another: “Make cybersecurity a big portion of the IT spending
budget.”
How big should that line item be? Perhaps reflecting the sense of urgency
CFOs feel as technological tools like the cloud, mobile, and social seem to
increase their exposure, the “whatever it costs” position is not uncommon.
This view, rare for the CFO, no doubt makes allies of the folks in IT.
FIGURE 6 CYBER-CZARS Which of the following statements best describes your company’s organizational strategy for managing cybersecurity?
Cybersecurity is governed and managed by the information technology function: 76%; Cybersecurity is governed and managed by the corporate finance function: 12%; remaining bars (9%, 3%): Cybersecurity is governed and managed by a dedicated cyber-security team; Cybersecurity is governed and managed by something else
Of course, keeping the cyber-hackers at bay requires more than dollars.
Like a Neighborhood Watch program, employees need to supplement
firewalls and encryption software with their own efforts. They need to
draw attention to any deficiencies they detect. They need to follow
security-related policies regarding, say, collaboration with internal or
external partners. One survey respondent writes that it’s important to
“ensure all employees in applicable positions are aware of security issues.”
How much training is enough? Rick Mills, CFO of Headsets.com, has
calculated his own metric. “You have to train them enough times to where
they are rolling their eyes and saying, ‘I get it. Don’t open up those emails.’
We bring it up a lot.”
Although it’s impractical to monitor employees’ every move, companies
like Headsets.com do check up on how careful their employees are when
it comes to evaluating email. The company uses a service that generates
fake phishing-like messages and sends them to the company’s employees
on a periodic basis. “We’re at the point where we don’t get too many
who click on it,” says Mills—and when they do, the link takes them to a
site that provides education about such malicious emails. At Lazydays, a
$600-million RV dealership near Tampa, employees also receive what CFO
Randy Lay refers to as “synthetic phishing campaigns” with subject lines
like “Here’s the spreadsheet you asked about yesterday.” Lay says, “If you
don’t know who it’s from and you didn’t ask for a spreadsheet yesterday,
do not open it, that’s what we tell them. That’s how you get folks trained
not to open malicious emails and download dangerous links.”
Even so “the cyber-attacks are ubiquitous. We get hit every single day,”
says Lay. Last year, when a new CEO took over, it took the hackers time to
adjust—a month, to be exact. Then Lay started receiving phishing emails
with the appropriate CEO’s name on them. “Given how savvy these people
have gotten,” he says, “I consider that to be a small victory.”
CYBER-INSECURITY: ARE FINANCE EXECUTIVES OVERLOOKING THIRD-PARTY RISK?
In a fierce and fast-moving economy, companies are
only as competitive as their partnerships enable them
to be. But as common as it has become for businesses
to replace, or complement, in-house capabilities with
third-party agreements, they may be overlooking the
cyber-risks they are acquiring in the process.
Such alliances allow companies to stay focused on their essential
competencies, assigning other activities to organizations with the ability to
perform them more efficiently. The web of agreements, which may include
strategic suppliers, as well as providers of network security and data
management, offers the tangible benefit of enabling companies to reduce
costs. But the arrangements also expose companies to additional risks,
offering a “side-door” through which cyber-hackers try to slip undetected,
sneaking their way to a treasure trove of valuable data.
There’s not much companies can do to minimize that risk. At least that’s
how many finance executives act, according to the study. Respondents express
a keen awareness of the need to review their own company’s security
systems, assessing controls in light of evolving cyber-risks. By doing so,
they can gain an understanding not only of their existing capabilities but
also of the investments they need to protect their information from future
hacking incidents. For the finance function, the challenge has become
figuring out how to protect the company’s data without stifling innovation.
As companies shift technological tools to accommodate growth, they
open up new security risks.
Explaining the most effective step a CFO can take to reduce the finance
function’s vulnerability to cyber-hacks, one respondent writes: “Ensure
regular audits are performed on IT security and hold proper insurance
in case of a loss.” Another advises fellow finance leaders to “perform an
independent audit of the area.” Adds a survey-taker: “Periodic audits.”
Many respondents aren’t just paying lip service to the idea, apparently. In
the survey, nearly half—48%—say they have conducted formal assessments
of their cybersecurity efforts for all systems, locations, and business units
in the last two years. An additional 22% report that they do the same for
some systems, locations, and business units. (See Figure 7.)
However, cyber-criminals have pulled off some of the highest-profile
data breaches—including Target, which had its network hacked through
a subcontractor—by stealing credentials from a third-party vendor. By
targeting outsourced providers of payroll services, for example, cyber-
thieves have pilfered identities and filed fraudulent tax returns.
Even if the employees at your company are following proper procedures—
in terms of handling company data—that’s no guarantee that outsourced
workers have been trained to follow those procedures. Finance executives
at middle-market companies find themselves in a bind; their need to
turn to partners also opens up more data-access points. “To be honest,”
one survey respondent writes, “outside, third-party expertise is required
to be as safe as possible. Internally, we do not have the manpower or
experience.” (Paradoxically, more companies will need to outsource
cybersecurity in coming years as a result of a growing shortage of workers
with the requisite skills.)
Whether as a result of cost-consciousness—which is typically the catalyst
for outsourcing functions—or lack of urgency, only about one in five
finance executives who participated in the survey say they frequently
evaluate the security efforts of their suppliers and customers. (See Figure
8.) Combined with those who say that their companies occasionally review
suppliers and customers, the proportion reached 56%, a far cry from the
70% that have done at least some review of their own security situation.
And while only 15% say they conduct no formal evaluation of their own
preparedness, 31% echo that sentiment about evaluating their external
partners.
The absence of consistent audit procedures coincides with a time when
cyber-attackers are growing more sophisticated. “Keep measures up
to date always,” one respondent offers by way of advice to peers in the
finance function. Another describes the greatest security challenge as
“keeping ahead of hackers.”
FIGURE 7 ASSESSING CAPABILITIES Has your company conducted a formal assessment of its cybersecurity policies and systems in the last two years?
Yes, for all systems, locations, and business units: 48%; Yes, for some systems, locations, and business units: 22%; No: 15%; Don’t Know: 16%
Clearly, conducting formal reviews has a role in that battle. Yet only 18%
of survey respondents report that customers and vendors have frequently
formally evaluated their company’s security policies and procedures. And
just 28% have been reviewed occasionally. Given the value of data in the
digital economy—where competitive advantage can be built on credit
card numbers and social security information—the risks of increased
vulnerability through third parties are only going to get higher.
FIGURE 8 UNDER REVIEWED Does your company formally evaluate the security policies and practices of its suppliers and customers?
Yes, frequently: 21%; Yes, occasionally: 35%; No: 31%; Don’t Know: 13%
AS SECURITY BECOMES A PRIORITY, WILL CHECKS BE WRITTEN OFF?
In the realm of business-to-business payments, checks
remain king—but their reign may soon be overthrown.
For growth-minded finance executives, the need to
optimize their payments processes is becoming a
priority, and not simply because they want to reduce
transactional costs or gain better control over the
timing of their payments. The momentum to switch to
electronic payment systems is partly fueled by the
security issues surrounding paper checks. “Checks are vulnerable,”
says Robert Alessandrini, CFO of The Judge Group, a staffing firm. “I
would get rid of them entirely, if it were up to me. But we’re a few years
from that.”
What’s the hold-up? In some cases, vendors aren’t ready to make the
switch. “We’re pretty much still using paper checks,” says Tim Marquardt,
CFO of Max Credit Union in Montgomery, Ala. “To make the transition, you
have to coordinate with vendors. More and more, they are ready to do it.”
In the survey, 72% of finance executives say that they use paper hard-copy
checks either “very frequently” or “frequently.” Direct payment services
such as automated clearing house (ACH) and electronic funds transfer
(EFT) weren’t far behind, attracting 64% of “frequent” or “very frequent”
users. Corporate cards/purchasing cards were next at 52% (see Figure 9).
In their written answers to survey questions, finance executives reflect on
the need to tighten their payment processing systems. One respondent
writes that the most important move that CFOs could take to make
the finance function less vulnerable to cyber-hackers was “moving to a
paperless environment.” Another survey-taker writes of “use of significant
controls over cash transactions,” reflecting an awareness of the company’s
vulnerability.
FIGURE 9 MAKING CHANGE How often does your company use each of the following methods to pay its vendors and suppliers? (percentage selecting “very frequently” or “frequently”)
Physical hard-copy checks: 72%; Direct payment through automated clearing house (ACH) or electronic funds transfer (EFT) transactions: 64%; Corporate credit cards/procurement/purchasing cards: 52%; Cash/currency: 14%
Then again, switching to electronic payment processes presents its own
challenges for finance executives. One finance executive writes that the
company’s biggest challenge is “moving more to ACH/Electronic methods,
but maintaining the security and integrity of confidential company and
customer information.” Another says “security with online payments” is a
top concern.
As the number of transactions grows—along with their confidence in
the technology—finance executives may be drawn to start using cards
to pay vendors and suppliers primarily because they are faster and less
costly. While ACH is a big improvement over checks, in terms of providing
security, purchasing cards offer yet another distinct advantage: While
payments made via ACH are disbursed immediately, cards give the finance
function time between when the purchase is made and when the money
is disbursed. That gap can become the key to reducing working capital
requirements.
THE SOONER THEY START MAKING THE TRANSITION TO CARDS, THE SOONER THEIR COMPANIES WILL SEE THE PAYOFF.
FIGURE 10 COMPARISON – PAYING VENDORS AND SUPPLIERS How well do these payment mechanisms serve the following requirements when paying vendors and suppliers? (normalized percentage of respondents indicating that a payment mechanism does an “excellent” job)
Series: ACH/EFT; Cards. Requirements charted: Security and protection from fraud, theft, hacking, or cyber intrusion; Availability of accurate and transparent audit trail of transactions; Prompt payment of accounts receivable; Convenience for transaction partners. Values shown: 96%, 95%, 96%, 89%, 95%, 81%, 98%, 94%
The closer finance executives look at cards, however, the more benefits
they may appreciate, such as cash rebates for all purchases as well
as robust reporting. And when respondents graded both ACH and
cards on four crucial qualities, the two were nearly tied in terms of the
percentage of survey-takers who ranked them as “excellent” in terms of
providing “prompt payment of accounts receivable” and “convenience for
transaction partners.” (See Figure 10.)
The pace at which middle-market finance executives seem to be moving
toward corporate and purchasing cards may be a by-product of their
current mindset. Having managed several technological transformations—
whether exchanging on-premises technology for the cloud or expanding
mobile platforms—finance chiefs may be suffering from undiagnosed
transformation fatigue.
If that’s the case, they are likely to receive the motivation they need from
their suppliers and vendors. As suppliers become more comfortable
with cards—and more knowledgeable about the benefits they provide—they
become supporters. By getting paid faster, they may be able to stay away
from using more costly financing options. For both suppliers and vendors,
the transition to cards can help in making their own operations more
efficient—by providing better data for forecasting, for example.
Such benefits take time to fully materialize. But forward-looking CFOs
know that the laborious system of processing checks is also making
their companies more vulnerable to cyber-hackers. The sooner they start
making the transition to cards, the sooner their companies will see the
payoff.
CARDS IN A CYBER-SECURE COMPANY: RECEIVING PAYMENTS
Mike Steele knows better than to expect that any weapon
he deploys against cyber-hackers will defeat them
completely. “We anticipate what will help us reduce any
losses,” says Steele, VP of accounting and controller of the
Lake Michigan Credit Union. “We look for any technology
that will give us significant advantages.”
Lately, for card issuers this has meant shifting from
issuing magnetic-stripe cards to chip-equipped EMV
cards (the initials refer to standard-setters Europay,
MasterCard, and Visa), which are far more secure. Even with merchants
upgrading their payment terminals to accept the new cards, the change
“won’t stop the hacking,” says Steele. With over 460,000 members,
Michigan’s largest credit union, like every financial institution, will have
charge-offs for fraud as a result.
Steele ranks ACH, the electronic payment service, as “reasonably secure.”
He adds: “We haven’t had any significant problems with those transactions
that are done via ACH. But that’s not to say there couldn’t be an issue.”
As for corporate and procurement cards, Steele observes that the card
processors “have fairly good fraud detection nowadays. And from what I
understand, they get better and smarter all the time.”
In the survey, finance executives say they consider cards roughly on
par with electronic payments services ACH and EFT in areas such as
promptness of payment and convenience. While 95% of respondents
ranked ACH/EFT performance as “excellent” in terms of security and
protection from fraud, 83% graded cards on that level (see Figure 11).
FIGURE 11 COMPARISON – RECEIVING PAYMENTS FROM CUSTOMERS How well do these payment mechanisms serve the following requirements when receiving payments from customers? (normalized percentage of respondents indicating that a payment mechanism does an “excellent” job) Requirements charted: security and protection from fraud, theft, hacking, or cyber intrusion; availability of accurate and transparent audit trail of transactions; prompt payment of accounts receivable; convenience for transaction partners. Percentages shown: 98%, 96%, 96%, 91%, 95%, 83%, 99%, 92%.
However, with the introduction of chip/EMV technology, that gap is closing
fast, and corporate cards offer the advantage of rebates and/or rewards
along with the benefit of cash float. In fact, cards stack up very favorably
in all the requirements tested in the survey. In addition, survey respondents
also cited the ubiquity of card acceptance as a strong driver to receive
payments more efficiently and securely.
As part of the survey, finance executives were asked to identify the
biggest challenge their organization’s payments function would face in the
next year. Writes one: “Converting to corporate card payment.” Another
respondent identifies “integrating the new EMV chip card machines” as the
highest hurdle in the near future.
Steele says that the credit union has “never had major losses” from the
three dozen corporate cards it issues. While corporate cards may carry
some risk, Steele points out that they also offer “some pretty robust
reporting and visibility into transactions.” With that in hand, the credit
union can analyze the data for particular retail outlets where it ought to
encourage its customers to shop, based on the amount of interchange
income it receives. “The data can also be helpful for budget forecasting,”
says Steele. “We are always trying to look three-to-five years from where
we are now.”
Aside from access to data on spending, as well as savings from improved
control, corporate cards offer benefits such as convenience. And there
are secondary gains as well. With better control over the payments
process, finance executives can maximize discounts, minimize late-
payment charges, and consolidate supplier relationships. CFOs can use
the improved visibility to identify and mitigate practices that increase the
risk of cyber-hacks. With a clearer assessment of the risks—both internal
and external—the finance function can promote and implement the tools
necessary to thwart the cyber-thieves. For now, anyway.
Cyber-hacking “comes in all sorts of flavors,” says Randy Lay, CFO of
Lazydays RV. “We have information we need to protect, and a brand
reputation we don’t want to lose. We’re out there fighting the attacks
every single day.” For astute finance executives, that means always having
a new—and effective—battle plan.
CONCLUSION: WITH IMPROVED SECURITY POSTURE, COMPANIES GAIN BETTER STANDING
Once companies devote more resources to battling cyber-crime, they may
even discover some welcome, if unexpected, payoffs.
As training and technology combine to prevent breaches, companies
will find that their improved security posture makes them much more
appealing to customers who share their concern. As a source of
differentiation—setting them apart from their more vulnerable peers—a
corporate cybersecurity strategy can serve as a potent competitive
advantage.
Communicating that cybersecurity is a top priority, and not just another
aspect of risk management, tells customers, prospective and existing, how
much the organization values the critical information that its users share.
It’s a message that will be well-received by other stakeholders as well, such
as investors, employees, and vendors.
Of course, it also sends a strong missive to any would-be cyber-hackers:
There are less-defended places where they could be plying their
misdirected skills. As much as they may love a challenge, they aren’t likely
to linger if they can find more vulnerable targets—moving on to other
targets is the only aspect of their mission you should actively seek to make
easier.