In this, the third episode of our Expert Voices podcast series, we look at cyber-security, undoubtedly one of the biggest challenges faced by corporates and financial services firms. We tap into academic expertise in the field and find out how treasurers view the challenge of cyber-security and the strategies they are employing to protect their organisations against cybercrime and online fraud.
Barely a week goes by without another story emerging of a large-scale security breach suffered by a global household name company. We are all aware of the importance of cyber-security and levels of education around it are ever increasing. However, as Treasury Today found out over the course of this story, this is not a threat that is staying still. No sooner have we improved our security processes than the threat itself has evolved, as hackers across the world learn more and grow in confidence and skillset. This challenge is coupled with human error, which remains companies' largest weakness. So, what can we do and how can we share best practice in a space that many are still so reluctant to discuss?
To answer those questions Treasury Today spoke to an academic expert in the field, a treasurer for Goodyear Orient Co and a cash management expert from Deutsche Bank.
To help set the scene and understand the drivers behind the challenge that cyber-security poses, Treasury Today first talked to Professor Kwok Yan Lam, Professor of Computer Science at Nanyang Technological University in Singapore. We spent some time with him at the university to understand his work in this space and find out what he believes the treasury community should be focusing its attention on. His research specialities include homeland security, biometric cryptography and cyber-security.
Treasury Today: How would you sum up the main developments over the last ten years in the cyber-security space?
Professor Lam: The attackers are getting more and more sophisticated and we have seen the rise of highly organised state funded cyber-attack programmes. For the corporate world there are two major trends over the last ten years to worry about. The first is the massive adoption of mobile and the second is the widespread use of open source software. The combination of the two means that if there is any security loophole due to a design problem or implementation oversight, then a problem will spread to all the applications that are relying on that open source. For the attackers, it is potentially very lucrative and relatively easy to look for those vulnerabilities to target for attack. For the victim, the impact can be quite large and catastrophic in scale.
Treasury Today: Unauthorised access to data and electronic transactions is obviously of concern to corporate treasurers. What other targets should they be aware of?
Professor Lam: Being focused on data and transactions in terms of security is no longer enough. Corporates need to consider their entire system and network. Hackers are now very smart and getting smarter. A lot of the attacks are not about breaking encryption, they are more intent on finding loopholes in the software design, loopholes in the network configurations that allow hackers into the system to roam around it undetected.
Treasury Today: How would you sum up the threat posed by mobile specifically?
Professor Lam: It is a relatively new challenge. The security community spent decades developing the expertise and methodologies that we now have, to deal with security issues with servers and PCs. But these techniques are not necessarily applicable to our mobile devices as they are much more limited in computing power. Even if your phone was powerful enough to run sophisticated antivirus software tools, the demands on the battery of running them would likely be too much. These are some of the resource constraints of mobile devices that lead to them being more vulnerable to attack than more conventional computing devices.
Treasury Today: What risks do you think corporates’ increasing adoption of cloud represents?
Professor Lam: In terms of security design or philosophy it is a major shift from traditional ways of protecting your data. It’s convenient for firms – they can access and update data in the cloud via their enterprise account for instance. So if there is any security attack or data leakage of the cloud then they would know pretty quickly. But even here there is the possibility of things going wrong because of the human factor – the single biggest challenge in cyber-security. People can have the strongest possible encryption but keys and passwords can be misplaced, forgotten or stolen.
Treasury Today: We are in an era of constant disruption and technological advance but, as you say, humans still remain at the centre of all of our businesses and are the biggest factor in cyber-security. Looking ahead five to ten years, do you see this becoming more and more of an issue or do you think that we might reach a breakthrough and become more secure again?
Professor Lam: Based on what we’ve seen in the past 30 years, it will become more and more of an issue until we get to a point that there is a really disastrous incident. The internet was not designed or implemented for security protection. It was originally developed for enabling communications among a group of mutually trusted academics or researchers. So, at its absolute origin it started with the design philosophy to optimise performance rather than security.
Now we are making a big effort to redesign certain security or communication protocols that can put security as a design criterion up front. But it’s a constant game of catch up. You can design security solutions very fast but users also move very fast and we see this often when people have a new business idea and immediately they want a proof of concept. And then the moment they see it as valuable or useful, they want to launch it, turn it into a revenue generating product or service and the warnings about security by design get ignored or downgraded. So yes, if we deal with the next ten years like the way we handled the past 30 years I think the problem will only get worse.
Armed with Professor Lam’s thoughts, Treasury Today asked if corporate treasurers are taking cyber-security as seriously as he advises, and, if so, what strategies are being put into place to protect their firms from cyber-attack. We talked to James Ho, Regional Treasury Manager and Compliance Officer for the Asia Pacific region at Goodyear Orient Co.
Treasury Today: So James, do you feel that cyber is a threat that can be controlled?
James Ho: The cyber-security threat is real and relevant. We are constantly battling with cybercrime and we need to stay vigilant. If we manage it carefully, adopt an effective strategy, and ensure we have the resources, the cyber threat can be controlled.
Treasury Today: To what extent do you think it is the responsibility of treasury to educate the rest of the business about cyber-related financial crime?
James Ho: Treasury for us has a key role here because we manage all the company’s financial activities. We are the gatekeeper for things like the payments process – we are the ones who review and resolve them. We also have an expert focused on security. So, given our knowledge and our responsibilities, we in treasury do have an obligation to play a key role in educating and informing the wider business about cybercrime.
Treasury Today: And what are you doing at the moment to contain the threat?
James Ho: In our company we work as a team across all departments to combat cybercrime – it’s a holistic approach to facing down the threat. Our goal is to protect the company across all mission-critical applications and online presences. Goodyear also allocates resources for a dedicated global cybersecurity team to enforce the company’s cyber-security policy. That is the defensive side of our strategy.
We have a proactive approach to the problem too that includes dedicated training for staff to help ensure there is high awareness of cyber-security threats like phishing email.
We also have very rigorous procedures and control processes. We would never, for instance, allow any changes in the beneficiary address that breach company policy and protocol. Any such master change requires approval and further checks. We constantly share all new findings and best practice relating to cybercrime via our internal communication email.
As James illustrated, treasuries are operating in interesting and challenging times. Treasury Today next spoke to Suman Chaki, Managing Director, Regional Head of Cash Management for Corporates APAC at Deutsche Bank to find out how his organisation is helping to support its treasurers in the fight against cyber fraud and hear his thoughts on the challenges for institutions more broadly.
Treasury Today: From a banking perspective, do you think the threat of cybercrime is one that is becoming more manageable these days?
Suman Chaki: Definitely. Banks and other financial players today are probably better prepared than they were a couple of years back. But that doesn’t mean that we can be comfortable because this is a constantly evolving threat, with predators becoming more and more sophisticated and the attacks more complex.
The level of awareness amongst employees, who are the first step in the control and management of the cyber threat and probably the most vulnerable link in an organisation’s chain, is a lot better today than it was two years back or even a year back. That helps to really strengthen an organisation’s protection scheme. But it’s a continuous process of training our employees – reiterated every three to six months.
Treasury Today: What specific threats are you working on right now for your corporate clients?
Suman Chaki: There are three kinds of threat that one gets exposed to, generally speaking. One is obviously protection of confidential data, because banking is all about having client data and anything that can potentially lead to it being compromised or unlawfully exposed is a big threat.
Number two is fraudulent transactions and this is a problem that is becoming increasingly prevalent and poses a very serious risk to the bank and its clients. The third one concerns the “insider threat” whereby a predatory external party manages to get access to our corporate system, starts posing as an insider and starts creating havoc.
Here is a real-life example: about three weeks ago the MD of a large global client received an email from the international CEO of the company to pay half a million in consulting fees to a beneficiary name. The transaction came into our bank through absolutely bona fide means.
But a couple of hours later the MD realised the email was fraudulent. The company contacted us immediately although by then the transaction had already hit the beneficiary’s account in another jurisdiction. So we got in touch with the bank where the beneficiary account is held, and we filed a police complaint. As we speak now, we are trying to get an update on where we are. The money is still in the beneficiary’s bank account but it has been put under lock by the police in that jurisdiction.
That kind of fraud occurs quite often. It reinforces the fact that employees are our very first line of defence, from junior level right up to the senior levels. Very often these fraudulent instructions target very senior levels because then the attackers get the weight, the authority behind the transactions.
The case also shows how simple the attacking tools can be. This was no sophisticated launch of software into somebody’s ecosystem, it was a simple email that was manipulated. Constant vigilance is needed by organisations: everything that comes in must be scrutinised, and processes put in place to approve a finance transaction must be very tight.
Treasury Today: To what extent is, or should, the client be responsible for their own cyber-security?
Suman Chaki: Everybody across the chain has to take responsibility for their part. In this particular example the client cannot blame the bank because the bank received a properly bona fide transaction. The fraud has been perpetrated at the client end so to that extent the client has full responsibility to create awareness across the rank and file of the company, to ensure they understand the implications of this kind of thing.
But this particular attack is less about cyber-security – it is between cyber-security and fraud. There is an interesting piece of data collected by a survey we did back in December 2016 which found that 99% of cyberattacks against organisations were triggered just by opening emails – it is a very weak link in defences.
That is why at our bank we are very keen on training. Every one of us has to go through it, every three months, to make sure we remain alert to phishing emails. That is the level of training that corporates need to undertake.
Banks are a bit more advanced in all this because they deal with a lot of sensitive information and are heavily targeted, but increasingly corporates are coming under greater threat. They too need to constantly undergo training, understand that the cyber threat is real and that they need to do their bit to protect themselves.
Treasury Today: What role do you play as a bank in promoting that awareness?
Suman Chaki: A significant one. Banks have generally been early investors in the cybersecurity space. We ourselves have four cyber-security hubs around the world that are monitoring the bank’s system for all kinds of external and internal threats 24/7. It is almost a kind of responsibility to ensure that we pass on this level of training and awareness to our corporate clients who, generally, are coming to this space much later than us.
We hold regular seminars at our cyber-security centre to which we invite corporate clients. We simulate a real-life environment on how a threat might look and develop, pass on simple tips that the clients should bear in mind and suggestions about the kind of training they should be doing.
Treasury Today: In such a hostile cyber environment do you think that treasurers should be insuring themselves against cyber losses?
Suman Chaki: Clearly it is an area that they should look at, see what is really available. But it is a very, very evolving space – it is not like a developed insurance market where you know exactly what you are covering.
We cover ourselves against cybercrime losses because for us, as a bank, it is a very real risk. At the moment though, cyber risk is categorised as a non-financial risk for insurance purposes. The big question is, will cyber in the very near future be as big or even a bigger risk for us than conventional financial risk?