Data security and controls are a growing area of importance in modern finance, and there are several methods you can adopt to improve your information security. To set the stage, this post starts with a description of two separate home security scenarios:
- Your home comes equipped with a traditional key lock, which you believe is an adequate security measure, until one day there is a security breach! As it turns out, someone gained temporary access to your key and made a copy of it, allowing them to enter your home and steal all your valuables. After this event, you change your locks and get a brand-new key to prevent the robber from coming back. This is a corrective security measure. Unfortunately, the damage has already been done.
- You notice that your traditional key lock is getting out of date and puts you and your family at risk of a security breach in your home. Acknowledging this risk, you go out and invest in a brand-new security system which uses a keypad code rather than a physical key to unlock the door. Days later, a robber comes by and attempts to unlock your home with a copied key, only to find that the lock has already been changed. This is a preventative security measure. Fortunately, you come away from the situation safely, without any security breach.
I have used this example to outline the importance of preventative security for homeowners, but the same concept applies to the security of your data.
The repercussions of a data security breach can be detrimental to an organization. An example of a large data breach was the January 16th virus attack on Health Sciences North, a hospital in Sudbury, Ontario. The attack contaminated several systems within their network, so for damage control Health Sciences North took preventative action and ordered a system shutdown to stop the contamination from spreading across the network. There were 24 hospitals in the region which relied on the HSN IT network, which amplified the scale and urgency of the situation. The concerns were that data would be corrupted and patients’ private information would be compromised. However, a good disaster recovery plan was in place, which prevented any significant damage. The system shutdown contained the contamination, and the organization had strong backup procedures in place to prevent data loss. The downtime for the IT systems was only about two days, and the hospital was able to reschedule appointments for patients who had planned to come in on those days. Overall, the situation was handled well, but without a recovery plan and proper preventative security controls in place, the breach could have been much worse.
Another large-scale security failure which drew a lot of attention was Facebook’s March 2019 incident, in which up to 600 million user passwords were reported to have been stored unprotected and unencrypted, potentially accessible to up to 20 000 Facebook employees. The passwords were exposed because employee-built applications stored them in plain text on internal company servers. The issue was not found until a security review in January, which led to the ongoing investigation. It has been reported that there are no known cases of the passwords being abused by any employees, and the users affected have been notified of the breach. Facebook is now taking a corrective approach by finding and fixing problems with access tokens. The company is not unfamiliar with the cybersecurity spotlight, as many still recall the famous Cambridge Analytica incident in 2018, where that firm used Facebook users’ personal data without authorization for political purposes. The inability to implement effective preventative measures has caused significant reputational damage: a study revealed that 44% of users view the company negatively after the incident, and 41% of millennials have limited their use of the site. It often becomes extremely difficult to control the damage caused by large-scale security breaches like this.
The scale or importance of a security breach can be judged by two main factors:
- The number of people/parties affected
- The severity of the consequences
The Health Sciences North incident warrants being classified as a significantly large breach because of its severity, while the Facebook incident is large in scale because of the number of people affected. The potential consequences of a security breach or system shutdown for a large network of hospitals are very serious, as the lives of patients in critical condition are endangered and people are at risk of not receiving necessary treatment. Thanks to strong disaster recovery protocols and a competent IT team, the risks were mitigated and no one was seriously harmed. With Facebook’s incident, the high number of people affected warrants classifying the breach as a large-scale threat. Though it was reported that the compromised passwords were never actually misused, Facebook still had to notify the affected parties, so the reputational damage was the most severe consequence in this scenario. Both breaches were significant in their own respect, but Health Sciences North had effective preventative measures in place to minimize the damage from the attack, while Facebook continues to rely on corrective measures as the reputation of its privacy and security infrastructure diminishes. The comparison of the two events illustrates these two security methods and the importance of prioritizing the prevention of security failures.
The lessons learned from examples like these translate naturally to the Finance business function, specifically with regard to CPM/EPM software. The financial data held within this software is invaluable to enterprises, so protecting it should be top of mind for Management, Finance, and IT teams. New vulnerabilities in software are discovered regularly, so it is important to review security patch updates to ensure your financial data is proactively protected. A strong patch review process is a great example of an effective preventative security measure that enterprises can take.
Establishing a strong disaster recovery process is also a valuable way of limiting damage in the event of a disaster. A strong disaster recovery process should allow you, in the event of a sustained outage of a Production environment, to quickly establish a new ‘Disaster Recovery’ environment where the business can continue its day-to-day operations with relative ease – thus mitigating the impact of the disaster as much as possible. Disaster recovery usually depends on strong backup procedures, where enterprises regularly copy their data to an isolated location separate from the storage used for day-to-day business operations. The process should be tested at least annually to ensure that effective corrective measures can be taken if needed.
Ultimately, the privacy and integrity of the data held in Performance Management solutions is of great importance to enterprises, and as a result, protecting that data should be a high priority.