This month’s question
“With more and more technology creeping into our treasury department, I’d like to know how to tackle cyber security. What are the main threats and what practical steps can treasurers take to help mitigate cyber risk?”
Nasreen Quibria, Executive Consultant, CGI:
The digital age is opening up new forms of payments fraud and cyber crime. One of the most common forms of cyber crime is malware. With these types of attacks, fraudsters lure users to content hiding malicious links underneath a legitimate image. Once a user clicks on that image, it downloads a hidden programme to an employee’s computer. When the employee then logs on to a bank site, it grants information to attackers and redirects them to a malicious payload site. In a corporate setting, malware can have disastrous consequences, with man-in-the-browser fraud mechanisms such as Zeus having the ability to compromise security tokens and certificates. Take, for example, a standard ACH batch: this can be manipulated to create a new beneficiary and account information and append the information to an existing payroll batch.
Malware can further exploit vulnerabilities to commit cross-channel fraud, shifting from the online to the physical space. In one particular scam, criminals sold pre-printed counterfeit cheques linked to corporate bank accounts. To do this, fraudsters took advantage of the access to scanned versions of paid and received cheques available on many banking web sites; they obtained login credentials through malware and phishing attacks and found all the required information to transfer large sums of money to “mule” accounts.
Certain technology trends also contribute to heightened risk of exposure. For example, Bring Your Own Device (BYOD) is a growing trend in finance and treasury departments, and malware can potentially be introduced to the office network through an employee’s mobile device. Similarly, the introduction of remote services with cloud storage is another area for concern. The flexibility and freedom that companies gain from such trends can conversely enable cyber criminals to conduct highly automated online banking theft. Therefore, companies that overlook security and employee education in these areas ultimately risk exposing their confidential data.
The good news is that the common forms of cyber crime are preventable. A multi-faceted approach that builds a culture of risk awareness with education, formalised processes and effective tools can thwart criminals’ efforts. This begins with establishing corporate policies and communicating them to employees, such as providing helpful information to identify legitimate emails, the use of encrypted information for confidential information, masking account numbers and employing complex passwords.
Ultimately, fraud prevention requires constant vigilance. Companies should leverage best practices that include monitoring and reconciling accounts daily and instituting operational controls that rely on multiple approvals.
Exposure to risk can be further reduced by implementing tools from software providers and financial institutions. Installing, updating and maintaining firewalls and intrusion detection software, particularly those that provide malware/spyware security is key. Updating web browsers and installing security patches is also important. Finally, there are specialised solution providers in the market which offer real-time fraud detection systems monitoring and identifying unusual activity, such as new beneficiaries and disbursements sizes that are significantly higher than set criteria, which can be beneficial to a treasury department.
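The real-time fraud detection the answer above describes, flagging new beneficiaries and disbursements significantly larger than set criteria, can be illustrated with a small rule-based screen over a payment batch. The following is an added example written for this page; it is not CGI's or any vendor's code. The payment records, the absolute limit and the baseline ratio are constructed assumptions, and a production system would draw the baseline from the bank's or ERP's actual payment history.

```python
"""Rule-based payment screening: flag payees never paid before and amounts
well above the payee's historical baseline. Added illustration; all data
and thresholds below are constructed assumptions, not from the page."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Payment:
    batch_id: str
    beneficiary: str   # payee name or account reference
    amount: float      # single currency, constructed values


# Constructed history of previously approved disbursements.
HISTORY: List[Payment] = [
    Payment("B1", "ACME Supplies", 12000.0),
    Payment("B1", "ACME Supplies", 11800.0),
    Payment("B2", "ACME Supplies", 12500.0),
    Payment("B2", "Payroll-Smith", 3100.0),
    Payment("B3", "Payroll-Smith", 3100.0),
]

# Constructed incoming batch to screen before release.
INCOMING: List[Payment] = [
    Payment("B4", "ACME Supplies", 12200.0),   # in line with baseline
    Payment("B4", "Payroll-Smith", 9500.0),    # roughly 3x this payee's usual amount
    Payment("B4", "Newco Ltd", 4000.0),        # never paid before
]

# Assumed policy thresholds (hypothetical, set by the treasury's own rules).
ABSOLUTE_LIMIT = 50000.0   # any single disbursement above this is flagged
RATIO_LIMIT = 2.0          # flag if amount > RATIO_LIMIT * payee's mean amount


def baseline(history: List[Payment]) -> Dict[str, float]:
    """Mean historical amount per beneficiary; a payee absent here is 'new'."""
    amounts: Dict[str, List[float]] = {}
    for p in history:
        amounts.setdefault(p.beneficiary, []).append(p.amount)
    return {payee: mean(vals) for payee, vals in amounts.items()}


def screen(incoming: List[Payment], history: List[Payment],
           absolute_limit: float = ABSOLUTE_LIMIT,
           ratio_limit: float = RATIO_LIMIT) -> List[Tuple[str, str, str]]:
    """Return (batch_id, beneficiary, reason) for each payment needing review."""
    known = baseline(history)
    alerts: List[Tuple[str, str, str]] = []
    for p in incoming:
        if p.beneficiary not in known:
            # A payee with no payment history is exactly what an appended
            # payroll line would look like; hold it for a second approver.
            alerts.append((p.batch_id, p.beneficiary, "new beneficiary"))
            continue
        avg = known[p.beneficiary]
        if p.amount > absolute_limit:
            alerts.append((p.batch_id, p.beneficiary, "exceeds absolute limit"))
        elif p.amount > ratio_limit * avg:
            alerts.append((p.batch_id, p.beneficiary,
                           f"amount {p.amount:.2f} is {p.amount / avg:.1f}x baseline {avg:.2f}"))
    return alerts


if __name__ == "__main__":
    for batch, payee, reason in screen(INCOMING, HISTORY):
        print(f"HOLD {batch} {payee}: {reason}")
```

Held items are the ones that should route to a second approver under the multiple-approval control mentioned in the same answer; the screen does not itself block or release anything, and the daily reconciliation of the approved batch against the bank statement remains the backstop for anything the rules miss.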
John Salter, Managing Director – Cash Management and Payments, Lloyds Bank:
The introduction of large amounts of technology into a treasury department poses different and increasingly more challenging security issues to companies than ever before. Cyber criminals are now able to attack companies in large volumes using technology and only need one breach of security to extract a substantial amount of sensitive information and potentially cause a fair degree of damage to a company in a few hours.
It is true, however, that despite the threat, many companies have insufficient dedicated resources protecting against cyber attacks. I believe that the key reason for this is that many do not understand the threats posed and assume that they will not be affected. For many companies it is not intuitive to have advanced cyber protection beyond the standard firewalls and anti-virus. Yet cyber criminals do not discriminate against company size, location or industry sector as long as a profit can be made. Cyber criminals will attack the weakest in the herd, so ignorance of threats actually makes you increasingly likely to be attacked.
Cyber crime is also becoming increasingly professional and globalised and the scope and sophistication of attacks should not be underestimated. Treasury departments should therefore be aware that an attack may stem from any corner of the world and in many cases may be disguised as legitimate business dealings. Furthermore, overseas associates may not have adequate controls in place which can leave your company exposed to attacks. The correct procedures will therefore need to be put in place to safeguard against these threats.
While cyber attacks are becoming increasingly sophisticated, issues still arise because of human error. Treasury departments looking to increase their cyber security should therefore begin by focusing on the basics. Areas like the processes surrounding opening and closing bank accounts and the handling of sensitive information are a good place to start. We would also suggest that corporates ensure their hiring processes are sound and training is offered so employees understand cyber risks.
Companies should also begin to look at professionalising their cyber security much in the same way as banks, through establishing a business unit which focuses solely on preventing cyber crime. Corporates will have to accept that this will cost money and will need to be continually funded to keep pace with the advancements in technology. However, this will assist in safeguarding the company against both external cyber attacks and slower developing internal attacks, which remain very difficult to spot, unless somebody is looking for them.
Going forward, cyber threats will continue to adapt and become increasingly more advanced. Treasury departments must therefore begin to understand the threats and employ greater safeguards against them before it is too late.
Martin Tyley, Regional Head of Cyber, KPMG:
While growing levels of technology in a treasury department can represent an increased cyber risk it still primarily remains a people issue. For example, a treasury department can have advanced controls and highly secured data, but if an employee takes this home, mentions it in public or wrongly emails it, these controls will be undone and the business will be at risk.
External cyber attacks on a business also pose risks and can be broken down into three areas. Organised crime, politically motivated ‘hacktivists’ and state-sponsored attacks all use various methods to breach the company’s safeguards and steal or corrupt data for personal gain. Unfortunately, there is no foolproof method to fully prevent these attacks, but a treasury department, like the rest of the business, has the responsibility to liaise with IT and ensure that the correct security and technology is in place to counter these threats.
Internal threats pose another issue which treasury departments need to be aware of, coming in the form of employees who may steal, corrupt or use data for their own personal gain. Again technology can only go so far in preventing this and we recommend to our clients that background checks are performed on new staff that have access to sensitive information and that these are reviewed every two to four years.
A treasury department should also keep track of the data access its staff has. Most companies are now proficient at providing sufficient access when an employee joins and removing the account when they leave. However, an area that still requires improvement is when an employee transfers departments, from treasury to legal, for example. It is often the case that their access to the treasury department’s data will not be removed following this move even if they no longer require it. In a large company there can be hundreds, if not thousands, of employees who therefore have access to sensitive data which they do not require, increasing cyber risk. To safeguard against this treasuries should work with IT to ensure there are processes for employee transfers and that access is removed in a timely manner to improve cyber security controls.
Third parties that treasuries share data with should also be fully checked to ensure they are not weak links in the business’s cyber security posture. It is important that the correct controls are in place to ensure that data is safe with them and deleted once not required. Furthermore, if the third party also outsources, then these requirements will also apply to them.
Finally, it is important to identify that cyber security isn’t about having an inward looking approach and believing you are safe. The most effective departments are those who understand that it is a collective responsibility. The most ineffective are those who believe that it is just an IT issue and their responsibility to clean up. The key therefore is to be able to harmonise people, processes and technology and if this can be achieved there is a much greater chance of protecting the treasury department and the organisation.
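The access problem described in the answer above (staff who transfer out of treasury but keep their access, alongside leavers and accounts nobody owns) is what a periodic access review catches. The following is an added example written for this page, not KPMG's or any client's code. The HR records and the group membership are constructed; in practice they would be pulled from the HR system and the directory group that grants access to treasury data, and the review would be run on a schedule agreed with IT.

```python
"""Joiner/mover/leaver reconciliation for a treasury data-access group.
Added illustration; the HR records and group membership are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    active: bool   # False once HR has processed the leaver


# Constructed HR master data (hypothetical user ids).
HR: Dict[str, Employee] = {e.user_id: e for e in [
    Employee("u001", "Treasury", True),
    Employee("u002", "Legal", True),       # moved from Treasury; access never removed
    Employee("u003", "Treasury", False),   # left the company
    Employee("u004", "Treasury", True),
]}

# Constructed membership of the group that grants access to treasury data.
TREASURY_GROUP: List[str] = ["u001", "u002", "u003", "u004", "u099"]  # u099 unknown to HR


def review_treasury_access(group_members: Sequence[str], hr: Dict[str, Employee],
                           allowed_departments: Sequence[str] = ("Treasury",)
                           ) -> List[Tuple[str, str]]:
    """Return (user_id, reason) for every account whose access should be revoked.

    Three conditions are checked, in order: no HR record at all (an orphaned or
    service account nobody is accountable for), an inactive employee (leaver),
    and an active employee whose current department no longer needs the data
    (mover). Everyone else is left in place.
    """
    findings: List[Tuple[str, str]] = []
    for uid in group_members:
        emp = hr.get(uid)
        if emp is None:
            findings.append((uid, "no HR record: orphaned account"))
        elif not emp.active:
            findings.append((uid, "leaver: employee inactive"))
        elif emp.department not in allowed_departments:
            findings.append((uid, f"mover: now in {emp.department}"))
    return findings


def remaining_members(group_members: Sequence[str], hr: Dict[str, Employee]) -> List[str]:
    """Membership after the findings above are actioned."""
    revoke = {uid for uid, _ in review_treasury_access(group_members, hr)}
    return [uid for uid in group_members if uid not in revoke]


if __name__ == "__main__":
    for uid, reason in review_treasury_access(TREASURY_GROUP, HR):
        print(f"REVOKE {uid}: {reason}")
    print("remaining:", remaining_members(TREASURY_GROUP, HR))
```

The value of the review is the mover case: joiner and leaver handling already triggers on an HR event, whereas a transfer between departments changes nothing in the directory unless someone compares group membership against current department, which is what this reconciliation does.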
The next question:
“What benefits – both financial and non-financial – can establishing an in-house bank offer to the treasury function? Also, what advice can readers share on best practice for setting up an in-house bank?”
Please send your comments and responses to firstname.lastname@example.org