Attention CFOs: Don’t expect IT to save your bacon


So far, we’ve talked in a general way about the value of Silo and the rationale for containing and controlling web apps. In the coming weeks, we’ll start to explore specific vertical or departmental use cases that have emerged from engaging with customers and understanding where risk lives. In this post, we’ll address an often overlooked function at the heart of every company - the finance team. We recently conducted a survey of CFOs to understand how they use web apps and where they see risk. Here’s what we learned.

Finance depends heavily on the browser
Even companies that don’t embrace the cloud can’t escape the browser for key tasks such as online banking, payroll processing, benefits, and 401(k). For a web app friendly team, add the following: accounting, bill payment, ERP, CRM, and revenue forecasting. Most teams have 5 or more online accounts, with some having over 20.

There are a variety of users and a jumble of credentials
Finance teams have a mix of internal and external users (e.g. accountants, auditors, outsourced teams) who access online accounts. For some accounts, a single set of credentials is shared among team members. For others, each user has their own login. In either case, users are on the hook to create strong and unique passwords, store them securely, and refrain from typing them into infected machines or fraudulent web pages.

Admins face a cumbersome deprovisioning problem
Turnover among internal or external users creates a change management headache. The finance admin needs to identify and revoke access to each and every account, which is time consuming, not to mention error prone. And for accounts with shared logins, one departure creates needless disruption for the remaining team.

There is no way to control the flow of company data
The finance team is an artery for the most sensitive information: financial data, intellectual property (IP), customer details, and personally identifiable information (PII). With delegated access to a variety of users on random computers, it is impossible to know from where accounts are being accessed and to where data is being downloaded. The last thing you need is a lost or stolen laptop with sensitive data on its hard drive.

CFOs worry equally about a range of risks
With the browser as the linchpin and users in control of credentials, company information is highly susceptible both to exploit and to user misstep. Finance leaders appear to understand this well, judging by how they ranked the following risks: malware, phishing and other exploits (28%); user error in handling logins (20%); access from and download to unapproved devices (22%); a malicious user committing a crime (30%).

The picture that emerges from our survey drives at the core of why we built Silo. The reliance on the browser and delegation of account access creates a fundamental loss of control.

With Silo, finance teams have a unique way of addressing the vulnerabilities associated with online commerce as well as the human risks associated with credential management and data access. And with CFOs on the hook for securing their online data, they’re empowered to address both.

Insulate financial data from exploit
Silo ensures a clean environment for every session and separates company data from personal browsing. CFO concern is justified given the extent to which banking exploits have repeatedly targeted business accounts. A good example is the continued re-tooling of the Zeus banking trojan and its renewed propagation through a Facebook hack. For other banking malware examples, OWASP has collected a more complete list.

Control access and data flow
Silo’s ability to securely grant and revoke access to online accounts without revealing underlying credentials is equally important. Simply removing the susceptibility to users’ poor password practices and phishing scams goes a long way to reducing the overall risk picture. Similarly, the ability to define where data can spread by establishing content download rules for your most sensitive web apps provides control in an area that has previously been uncontrollable.

So if you’re a CFO, understand how your financial data is being accessed today. Figure out if your exposure matches our survey group. And take a look at Silo. It might be the best recommendation your IT team failed to make.

Ramesh Rajagopal - Ramesh is Co-Founder and President of Authentic8. Before, he was VP Corporate Development at Postini, heading up strategic planning and business development until its acquisition by Google in 2007.
