As technology becomes more and more commonplace in corporate life, the risk of cyber-attack is increasing. Treasurers must be vigilant, as the financial risk associated with cyber security breaches is significant.
Cyber security has once again been pushed into the public consciousness with the news that Barclays has had the personal details of 27,000 customers stolen. It is alleged that confidential information such as earnings, passport details and health data has been put up for sale by cyber criminals, although precisely how the information was obtained remains unclear. This is yet another incident in a long list of high-profile security breaches in recent months featuring companies such as Adobe and Target – the latter saw cyber-criminals hack into up to 40 million customers’ debit and credit card details.
A report last year by the Centre for Strategic and International Studies estimated that cybercrime costs the global economy around $300 billion a year, so it is certainly a concern that treasurers should be paying attention to.
While larger security breaches may make the headlines, businesses of all sizes and from all industries are now targets of cyber-attacks. SMEs are increasingly bearing the brunt of cyber-attacks because in many cases these companies do not have adequate security protection, which makes them easy targets. A November 2013 study by the Ponemon Institute highlighted that cyber-attacks cost SMEs a combined average of $1.6m in 2013.
With the increasing risk that cybercrime is posing to all companies, Treasury Today spoke to Phillip Pettinato, Chief Technology Officer at Reval, a Software-as-a-Service (SaaS) Treasury and Risk Management solutions provider. Pettinato shares his top five tips for treasurers to safeguard their department from attack, especially as treasury technology continues its evolution to cloud-based systems.
Engage security teams
The first order of business for treasurers should be to engage with their company’s IT security team and their provider’s security team. These should be dedicated teams, ensuring that each is prepared for any threats posed by cyber-criminals, and that they are proactive in minimising these. If these teams wait for threats to be identified or breaches to occur before acting, then it may already be too late and a significant amount of damage may have already been done.
Formal security programmes
A fundamental step that all treasury departments can take to protect themselves from attack is to make sure that the correct security programmes are in place. Treasurers will again need to engage with their own IT department and with their Software-as-a-Service (SaaS) provider to ensure the correct security framework for defining policies, procedures and controls is in place.
Audits and testing
Treasury departments are continually engaged in activities which can have a material impact on the business, such as booking transactions and moving money. It is therefore important that IT departments and providers frequently employ internal and external parties to carry out audits. It is particularly useful to use third-party security experts to assess potential areas of treasury security which could be exploited and may be missed by internal IT teams. The security infrastructure should also continually be “attack and penetration” tested. With frequent testing and auditing of policies and procedures, IT departments and providers can make sure payment processing, for example, has the right workflows, right user controls, right authentications, signatures, PINs, and encryption, making sure the data flows the right way and is secure.
It is vital that companies do not stand still regarding cyber security. Both the IT department and SaaS providers should be continuously improving their security management from a risk management and assessment perspective. They should employ the latest security technologies and ensure that these are continually updated to maintain their effectiveness. When choosing third-party vendors and even banks, treasurers would do well to include cyber security measures as part of their RFP.
If a treasury adapts a legacy technology to work with new technologies such as mobile devices, this can create areas of risk in the different technology layers. True SaaS solutions that are designed from inception to connect easily with new technology such as mobile devices ensure that the right level of security is built into the new features right from the beginning. It is therefore important when implementing new technology into the treasury department to ensure that it integrates with the current system; otherwise, data could be exposed should a device fall into the wrong hands, for example.
Since cyber-attacks present such significant financial risk to corporates, we will be examining this topic in further detail in the March edition of Treasury Today.