Cyber-security is to become an even more critical area for treasury departments to focus on in 2017.
If your organisation is thinking about cyber-risk, and it should be, then reading Stroz Friedberg’s 2017 cyber-security predictions report is a good place to start.
Last year, they accurately predicted four key cyber-trends: cyber threats influencing the US election; the use of connected devices to launch attacks on the major websites of companies; an increased insider threat, which may have led to the Bangladesh Bank SWIFT heist; and, finally, a localisation of data processing and storage.
And this year, Stroz Friedberg believes that “2017 will bring the intensification of long-standing trends that cyber-security professionals today are vigilantly monitoring, while several new or enhanced challenges will present themselves in force”.
Before looking at this year’s predictions, it is worth noting that Justin Clarke-Salt, Co-Founder at Gotham Digital Science, a Stroz Friedberg company, has some interesting perspectives on 2016.
Most notably, he believes that this may have been the year that all businesses began to take cyber-security very seriously. “The biggest trend that we witnessed last year was just the sheer number of incidents that occurred,” he says. “This was a significant increase on the year before.”
What is more, not only was there an increase in the rate of attacks, the success of these also grew.
As a result, Clarke-Salt highlights that all of the organisations that he is working with are now asking how well they are positioned to manage and fend off not just the threats that exist today, but those that are coming in the future.
Six cyber predictions for 2017: digested
According to the Stroz Friedberg report, the following will be the six big trends in cyber-security and cyber-risk this year:
Criminals harness IoT devices as botnets to attack infrastructure
In 2017 internet of things (IoT) devices will be compromised, harnessed as botnets, and used as launching points for attacks against both businesses and consumers.
Nation state cyber espionage and information war influences global politics and policy
Clarke-Salt notes that, on the whole, this trend will not influence businesses, but he warns that some countries may look to use cyber-attacks against companies in order to boost their own domestic businesses.
Data integrity attacks rise
With treasury becoming a function that manages data as much as it manages money, this is a worrying trend. Stroz Friedberg suggests we might see an increase in account numbers being changed on systems, as well as account databases being tampered with in an effort to distort reality. There is a particular risk of this happening around M&A activity, they say.
Spear-phishing and social engineering tactics become craftier, more targeted and more advanced
This is another worrying trend for treasury professionals with the keys to the company’s bank vaults. Stroz Friedberg predicts that criminals will increase their focus on the human element as an entry point to pivot into broader network systems. Automation will also be built into their tools, allowing criminals to more efficiently exploit credentials, company data and sensitive information once credentials are obtained.
Regulatory pressures make red teaming the global gold standard with cyber-security talent development recognised as a key challenge
Regulatory pressures will see an uptick in cyber-expertise. This push will likely first occur in financial hubs such as Hong Kong, Singapore, the EU and even the United States.
Industry first-movers embrace pre-M&A cyber-security due diligence
There have already been a handful of high-profile M&A deals that have been negatively impacted because of cyber issues. Moving forward, acquiring companies will use these insights to assess the acquisition targets’ cyber abilities and cyber-security histories, and use the subsequent discoveries to adjust purchase price and terms.
What can treasury do?
Of course, the treasury department is not at the frontline of cyber-security, but as cyber-risks change and intensify the function needs to be fully aware of what is happening.
“The treasury community should continue to have an eye on the risk of financial fraud, especially through erroneous payments,” says Clarke-Salt. “This should probably be their chief concern.”
But Clarke-Salt also advises that treasurers should remain aware of other threats. “Ransomware, for instance, could lock the treasury out of all its systems,” he says. “This would be a big problem and one that could snowball into something that becomes very public.”
To prevent such incidents, Clarke-Salt recommends that treasury becomes involved in the broader company-wide discussion around cyber-security. It can then begin to look at the controls it has in place around the department and how these correlate to other departments.
“It is wise to take a good look at these controls and ensure that there are a variety of systems protecting you from threats,” he adds. “However, training staff is also a control – usually your last line of defence.” Threats need to be tackled using people, procedure and technology.
Three steps to cyber-security success:
Understand the threats and whether the business is prepared.
Ensure the treasury has adequate controls in place to fend off cyber-threats.
Look to employ a fraud detection solution that can help spot potentially fraudulent payments.