The increase in business fraud committed through IT systems should lead chief financial officers to learn from – rather than clash with – their CIO counterparts, security experts told a gathering of CFOs this week.
At a seminar hosted by the Canadian chapter of Finance Executives International (FEI), executives from Microsoft, LegendCorp and Queen’s University’s School of Business discussed the vulnerabilities firms face both externally and from their own employees. They also urged CFOs to work with their IT department and senior management team to develop policies that are embraced across the enterprise.
“It is the job of the receptionist to give customers information,” said Tony Dimnik, a professor with Queen’s School of Business in Kingston, Ont. “A lot of people could come into a place to find out information and then commit fraud the next day.”
Dimnik showed research from the U.K. that said 10 per cent of companies there suffer IT-based fraud each year. In North America, he said, fraud is estimated to cost organizations hundreds of billions of dollars, while the consequent damage to a firm’s reputation can shave eight to 13 per cent off its market value. Outsourcing can magnify this risk, added Dimnik, pointing to well-known breaches involving ChoicePoint and CardSystems, where thousands of customer records went missing.
Security policies should be written down, with procedures well spelled out and “catholic” in the sense that they involve all departments, Dimnik said. That means CFOs and CIOs will likely have to put their heads together.
“You have to learn about the technology,” Dimnik said. “Your knowledge of it may not be detailed but strategic. You must have an understanding of it if you’re going to sell this thing up, down and across the organization.”
John Weigelt, National Technology Officer at Microsoft Canada, said he gained some empathy for the pressures financial executives faced when his cousin, a CFO for a large firm, told him about putting in a 33-hour workday in order to complete an important filing. “Then I told him about Patch Tuesday,” said Weigelt, referring to Microsoft’s decision last month to release nine bulletins covering 14 Windows flaws, “and he realized how that kind of deadline affected me.”
CFOs tend to resist major IT security expenditures because there is a fear that the technology will restrict access to critical services, Weigelt said. CIOs, on the other hand, may ignore some of the physical security concerns that could leave systems just as vulnerable. “It’s easy to pick up a laptop and walk away with it, or to break a plate-glass window and take your machine,” he said.
Andy Papadopoulos, president of Microsoft partner LegendCorp, recommended CFOs start tightening their IT security by focusing on “low-hanging fruit” such as payroll or acquisition systems. He also demonstrated e-mail tools that could determine when a message to a user would expire, or whether the recipient would be allowed to forward it. Microsoft already offers free tools such as Baseline Security Analyzer and Exchange Best Practice Manager, which CFOs and other executives should investigate before deploying more expensive solutions, he said.
“You can’t boil the ocean – you can’t go back and do everything at once,” he said. “The best thing to do is start with the most sensitive data and then work outwards.”