To understand your business, your consultant will need to see items such as your business process maps, details of internal procedures, information on existing system priorities and vulnerabilities, and more general information linked to your future and growth strategies. Once the project is underway, they may need to move or process segments of your data across multiple locations or export it for analysis or testing. Obviously, you do not want this to fall into the wrong hands.
Look for consultancies that have been independently verified as having what it takes to keep your information safe. Probably the single most valuable trust indicator here is ISO 27001. If your consultant has an up-to-date ISO 27001 certification, it shows they have an effective ISMS (information security management system) in place. This means the following:

• The consultancy has identified the risks to which its information assets – and clients – are exposed.
• It has appropriate measures (i.e., controls) to protect those assets.
• It has a clear action plan in case of an information security breach.
• It adheres to clear accountability and auditability principles: i.e. you know exactly who the individuals responsible are for each step of the information security process.

It’s easy for a business to claim that they prioritise information security. The proof is in the action they take. If a consultancy takes its responsibilities seriously, you should expect to see the following types of safeguards in place:

• The consultancy has an information security policy in place
• Regular security audits and risk assessments are carried out
• They follow a recognised information security framework (e.g. ISO 27001). They have up-to-date accreditation to demonstrate this
• There are clear measures in place to protect client data, including encryption for data at rest and in transit, access controls, and secure storage
• Special care is taken with personally identifiable information (PII) and other categories of sensitive data. This includes GDPR compliance
• If they need to do system or application testing using PII, this is anonymized or pseudonymized beforehand
• Access to client systems and data is closely managed. This includes the application of the principle of least privilege (PoLP)
• Auditability is taken seriously: they can track and log consultant access to client environments
• Care is taken to revoke access after project completion
• Appropriate DevSecOps practices are followed for software implementations
• Incident response and disaster recovery plans are both in place and verifiable. This includes clear procedures for notifying clients in the event of an information security breach

More than a third of all data breaches involve phishing, whereby criminals use fake messages (usually emails) to dupe users into downloading malware, giving away information, or executing fraudulent transactions.

This fact helps explain why even the world’s largest and best-resourced enterprises still get hit with catastrophic security events. Your business may already have firewalls, intrusion detection, anti-malware software, and a host of other cybersecurity measures in place. But if an unsuspecting employee clicks on a malicious link or downloads something they shouldn’t, those basic breach-prevention measures count for little.

The finance function is not only seen as the financial gatekeeper but also the place where lots of sensitive, exploitable data resides. As such, your finance team presents a particularly attractive target to phishing scammers. This includes so-called ‘spear phishing’ and ‘whale hunting’ exploits, whereby criminals deliberately identify and target key business insiders with heavily personalised (and often, very convincing) fake messages.

Both in finance and across the wider business, one of the longer-term consequences of the pandemic is that many employees have much greater leeway in when and where work gets done.

Following on from this, Gartner has recently picked up on a trend of what it calls “radical flexibility.” In other words, employees in 2024 often crave much greater flexibility in deciding how work gets done – including their choice of tools for the task at hand.

So, what might this mean for keeping financial data secure?

Well let’s say one of the finance teams needs a better way to visualise and present some data, or a tool to manage a new regulatory requirement. A decade or so ago, this would probably have meant contacting their manager. A solution would be sourced; IT would then check that it’s safe before installing and configuring it.

Fast forward to the present, and an employee can bypass these steps altogether. They have an issue; they find something suitable on the app store, sign up using the company’s details – and the problem is solved.

This gives rise to the issue of shadow IT; whereby software or other assets are added to an enterprise network, without IT knowledge, approval, or proper oversight.

This can be wasteful, with multiple employees potentially signing up for the same or very similar tools (one estimate suggests that the average enterprise wastes over £105,000 annually on duplicate/unnecessary license spending). It can also give rise to multiple security and governance risks. Assets from untrusted – or even malicious – sources can easily find their way into your network, and sensitive data could end up being processed, stored, or exposed in a way that significantly increases the chance of a serious data breach.