CFO Committee Learns How to Protect Data from Hackers
By Melissa Hoffmann Lajara
Posted on 3/20/08

NEW YORK -- If you’re the leader of a major company reliant on its information systems, someone like Robert Cioffi is either your best friend or your worst nightmare.

“Put me in your data center and give me five minutes alone, with no passwords,” he said. “With physical access … I can do a lot of damage.”

Cioffi, director of technology for the information technology consultation firm Progressive Computing, Inc., isn’t just bragging -- he’s an expert at bypassing computer security and wreaking technological havoc.

But he has chosen to use his skills for good, rather than evil. At a CPE session offered during the Society’s Chief Financial Officers Committee February meeting, he shared his insights.

While business owners are very focused on technology, Cioffi said they often don’t realize it’s not running on a good foundation. This is because information technology is not always well understood by the financial experts who are in charge of it.

“As a CFO, your responsibility is not only on the financial side; it’s also on the [information technology] side,” said Michael F. Rosenblatt, chair of the Chief Financial Officers Committee.

Threats with a Paycheck

Many dangers threaten a company’s information systems, but “humans are your greatest threats,” Cioffi said.

Human threats fall into three categories: nonmalicious individuals, malicious insiders, and malicious outsiders, Cioffi said.

Nonmalicious threats are the employees who make errors, lose or ruin files, leave data unprotected or “unwittingly circumvent security protocol,” said Cioffi.

He used as an example a certain company that had a pass code–protected entrance to its offices, but the code was a lengthy string of numbers that employees had difficulty committing to memory. Finally, a frustrated worker scribbled the pass code right above the entrance keypad -- effectively eliminating all security.

An important part of security is establishing procedures for employees, Cioffi said.

“Make expectations of employee behavior and accountability clear,” he said. “Make an example out of somebody and watch how quickly behavior changes.”

Malice Intended

Every company has its disgruntled employees, and if they haven’t been fired, they have physical access to sensitive information and a possible motive to do real damage.

If they know their days with the company are numbered, this threat becomes even more substantial. Cioffi noted that physical access offers far more opportunity for real damage than compromised passwords. He said these “malicious insiders” may try to bring their work laptop home or download important files to a memory card or flash drive.

This topic was of particular interest to many of the session’s attendees. “If you’re going to terminate someone, they may have the opportunity to do significant damage,” Rosenblatt said.

“In general terms, people always think about the outside threats and don’t consider those on the inside,” agreed committee member Hiram M. Lazar.

Jeanette Kirazian, who joined the group specifically for the day’s CPE course, said she has worked with information technology before, and said that she too thought “the human threat” was the most interesting topic discussed during the hour-long session.

Cioffi said many employers are unaware that this threat can be mitigated by disabling certain features on company computers, or by using a Citrix-type virtual server -- although he noted that Citrix technology does not support every application.

“There must be a balance of security and usability,” he noted.

Potential information theft can be eliminated by putting glue in USB ports, Cioffi said. New technology allows some handheld mobile devices, also a security threat in the wrong hands, to be reset and wiped clean by an employer from a remote location.

Cioffi said it’s important to define resources, users and what they can access. One executive at a security guard company, he said, made a big mistake when he required all employees to use the same format for their passwords: first initial, last initial, and the number 01.

“A receptionist could easily log on as the CEO,” he said. “Ridiculous.”

Malicious outsiders, Cioffi said, are usually hackers.

Hackers may have the goal of concentrated financial theft, he said, but that’s not their main motivator.

“The number one reason hackers hack is because it’s fun,” he said, adding that most hackers are young, with a lot of time on their hands.

The United States is “the worst country to be in for security,” Cioffi said. “We’re the target.”

But sometimes hackers miss their mark.

“Even the best criminals make silly mistakes,” he said.

Defense Systems

In this age of technology, most business owners are well acquainted with the need for antivirus software, anti-spam and anti-spyware programs, anti-phishing programs and firewall protection. Many already use intrusion-detection software and content filtering. But Cioffi stressed the importance of regular updates.

“New threats emerge every day,” he said, “and those are the nasty ones.”

But as new threats develop, so do new defenses. Hand-readers and retinal scanners have already moved from the realm of science fiction to the business world.

“What we’re seeing are a lot of laptops with fingerprint readers,” Cioffi said.

IT’s Alive

People are only a part of it. A host of other dangers exist, which can destroy a company’s most important asset -- its data.

There are regional events and natural disasters, including floods, fires, riots, terrorism and earthquakes, that can destroy data. Then there are system failures, such as blackouts, heating or cooling malfunctions, software errors, data corruption and hardware malfunctions.

“Bugs happen, and you need to anticipate those things,” Cioffi said. “Equipment is replaceable; data is not. You have to protect your data.”

Backing up data and maintaining equipment properly, he said, is the most important protection against such dangers.

“You may think since the server cost $5,000, that’s your budget,” he said. “But your information system is a living, breathing organism. You have to feed your dog or cat, and nurture them. You have to do that with information technology systems as well.”

He noted that virtual servers can be a lifesaver.

“In the event that the physical server dies, [the information] can be moved to another physical server in seconds.” Replacing computers regularly is also important, he said.

“What’s the most important part of your computer system?” Cioffi asked, and then answered his own question: “The warranty.”

Melissa Hoffmann Lajara, Associate Editor, can be reached at mlajara@nysscpa.org.