Although it is larger security breaches that tend to make the headlines, businesses of all sizes and from all industries are now targets of cyber-attack. But what are the main threats and from whom? Also, what is the role of the treasurer in helping to protect the company – and its assets – from cyber breach?
As technology becomes more and more commonplace in corporate life, and criminals become increasingly sophisticated, the risk of cyber-attack is only increasing. Moreover, it’s now happening to all kinds of corporations – whether for financial, political or even ideological reasons.
In February 2015, for example, it was reported that millions of names and Social Security numbers of customers and employees of Anthem Inc., the US’s second-largest health insurer, had been stolen by cyber criminals. Hackers managed to evade security measures in order to raid the firm’s database, which reportedly contains the personal information of around 80 million individuals, including that of the firm’s own CEO, Joseph Swedish.
And in 2014, hackers obtained credit card data, names, addresses, phone numbers and e-mail addresses for around 70 million customers of the Target retail group in the US. Cyber criminals also stole records from the luxury department store Neiman Marcus, and from JPMorgan Chase, Experian, eBay and Home Depot, to name but a few.
Perhaps the most high-profile cyber-attack of recent times, however, happened at the end of 2014 when Sony Pictures was targeted by politically motivated hackers who destroyed data and released details of private internal correspondence to the media. The company set aside $15m to investigate the causes of, and to remediate, the damage. However, there is a personal cost too. After news of the hack emerged, Sony Pictures’ co-chairman, Amy Pascal, whose compromising emails were amongst those leaked, decided to relinquish her position as a direct result of the intrusion.
What the Sony incident highlighted is the true cost of cyber theft – it can mean the loss of intellectual property and competitive advantage, reputational damage and loss of trust, and for some individuals, it can mean a loss of employment. Of course, the financial risk implications are also vast.
As such, whilst cyber security might seem like the domain of the IT department, treasurers must be vigilant. In May 2015, for example, Treasury Today reported on a new form of malware successfully used to target corporate bank accounts. Cyber crooks allegedly used the sophisticated ‘Dyre Wolf’ malware to insert fraudulent requests into Ryanair’s payments system and made off with a six-figure sum.
Malware is just one type of cyber risk to be aware of though. Others include:
Theft of confidential data/information – for example by obtaining access credentials or dispatching a virus.
Distributed denial of service (DDoS) attacks – flooding a server or connection with information requests using all capacity, leaving none for intended use.
Advanced persistent threats – multi-layered and multi-stage cyber-attacks that can stay in a system for years without being detected.
Ransomware – a form of malware that encrypts all files it can access, making them inaccessible until decrypted. Functionality is returned to normal only after a ransom (monetary or political action) is paid.
Phishing – sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website. These attacks are becoming increasingly personalised and targeted, which is called spear-phishing.
Water holing – setting up a fake website or compromising a legitimate one in order to exploit visiting users.
Subverting the supply chain – attacking equipment or software while it is being delivered to the organisation.
Other potentially weak points that might increase the risk of cyber-attack on your organisation, according to the findings of Greenwich Associates’ 2014 US Large Corporate Finance Study, include:
Weak authentication – non-complex passwords without additional authentication factors are easily bypassed.
Unpatched vulnerabilities – cyber-attackers rely on known and unknown vulnerabilities in operating systems and other common software to gain entry and glean data.
Compromised vendors – whereby vendors are targeted for their access to clients’ systems, either directly or through the products they provide.
Social engineering – employees throughout the organisation are at risk, as cyber-attackers utilise seemingly legitimate communications.
According to a 2015 whitepaper produced by the UK government, entitled ‘Common cyber-attacks: reducing the impact’, the following are the main groups of potential attackers:
Cyber criminals interested in making money through fraud or from the sale of valuable information.
Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
Hackers who find interfering with computer systems an enjoyable challenge.
Hacktivists who wish to attack companies for political or ideological motives.
Employees, or others with legitimate access, through accidental or deliberate misuse.
With the increasing risk posed to all companies, Treasury Today spoke to Phillip Pettinato, Chief Technology Officer at Reval, a Software-as-a-Service (SaaS) Treasury and Risk Management solutions provider. Pettinato shares his top five tips for treasurers to take in order to safeguard their department from attack, especially as treasury technology continues its evolution to cloud-based systems.
The first order of business for treasurers should be to engage with their company’s IT security team and their provider’s security team. These should be dedicated teams, ensuring that each is prepared for any threats posed by cyber criminals and that they are proactive in minimising these. If these teams wait for threats to be identified or breaches to occur before acting, then it may already be too late and a significant amount of damage may already have been done.
A fundamental step that all treasury departments can take to protect themselves from attack is to make sure that the correct security programmes are in place. Treasury will again need to engage with its own IT department and also with its Software-as-a-Service (SaaS) provider to ensure the correct security framework for defining policies, procedures and controls is in place.
Treasury departments are continually engaged in activities which can have a material impact on the business, such as booking transactions and moving money. It is therefore important that IT departments and providers frequently employ internal and external parties to carry out audits. It is particularly useful to use third-party security experts to assess potential areas of treasury security which could be exploited and which may be missed by internal IT teams. The security infrastructure should also be continually “attack and penetration” tested. With frequent testing and auditing of policies and procedures, IT departments and providers can make sure that payment processing, for example, has the right workflows, user controls, authentication, signatures, PINs and encryption, so that data flows the right way and is secure.
It is vital that companies do not stand still regarding cyber security. Both the IT department and SaaS providers should be continuously improving their security management from a risk management and assessment perspective. They should employ the latest security technologies and ensure that these are continually updated to maintain their effectiveness. When choosing third-party vendors and even banks, treasurers would do well to include cyber security measures as part of their RFP.
If a treasury adapts a legacy technology to work with new technologies such as mobile devices, this can create areas of risk in the different technology layers. True SaaS solutions that are designed from inception to connect easily with new technology such as mobile devices ensure that the right level of security is built into the new features right from the beginning. It is therefore important, when implementing new technology in the treasury department, to ensure that it integrates with the current system; otherwise data could be exposed should a device fall into the wrong hands, for example.
In addition, it is important for treasurers to keep up-to-date with trends in the cyber-attack landscape to know what to look out for – in particular the various social engineering techniques that may be used to trick someone into allowing a cyber-attack to propagate. This can be achieved by attending cyber security training or information sharing events/groups.
It is also important to identify the most critical or sensitive information, data and processes under one’s control and relay this information to IT departments so that cyber security efforts can be prioritised. Lastly, treasurers should understand, or encourage the development of, internal cyber security policies in their firm, for example clear reporting lines in the case of a cyber-attack.
In order to align treasury procedures with the most effective security standards, the following checklist outlines some of the fundamental procedures to check you have in place:
Do you have a security programme in place, either with treasury’s own IT department or a provider?
Are they working to ensure the correct security frameworks are in place for defining policies, procedures and controls?
Have you engaged with all relevant security teams (your company’s and any providers)?
Are they proactively minimising threats posed by cyber criminality?
Are regular audits and tests being carried out?
Is the department aware of the latest security technologies and continually updating security procedures to maintain effectiveness?
When changing legacy technologies, are security measures being adapted to integrate new solutions (mobile devices, for example)?
Should the worst happen, do you have a business continuity plan in place?
According to a recent study by the Business Continuity Institute, cyber-attacks are now regarded as the top threat to business continuity. That’s why ways to react to cyber risks are increasingly being integrated into companies’ business continuity (BC) plans.
A business continuity plan is a means of enabling companies to prepare for the worst and to recover and sustain operations during and after an event as quickly and cost-effectively as possible. Essentially, a BC plan is a fully documented agreement between management and key personnel (with the buy-in of all staff) that is reached in advance and which covers the steps the organisation, and particular individuals, must take to ensure critical operations are protected.
At its most fundamental level, a BC plan may be the difference between survival and failure. But even in purely commercial terms, being prepared limits the possibility of having to call for assistance in a state of desperation (always very expensive) and goes a long way to maintaining or even enhancing client confidence. In essence, a BC plan needs to be a living, evolving and regularly tested strategy that will give a business the best chance of survival if the worst happens.
A vital part of a BC plan is a series of functionally-specific disaster recovery (DR) plans. These are commonly IT-driven, focusing on recovery of software, hardware and data to at least allow resumption of critical business functions following an event. A BC/DR plan must also consider the effect on each function of the loss of key personnel by providing a contingency plan.
Whilst the potential advantages of mobile technology in the treasury department, to initiate payments or check balances on-the-go, for example, are largely undebated, security remains a concern. Treasury Today spoke with Ireti Ogbu, Head of Payments and Receivables EMEA for Citi, to discuss the best ways of addressing lingering security concerns:
Firstly, it is in treasurers’ best interests to be proactive regarding security concerns. It is their responsibility to address any misconceptions and to keep up to date on the details of mobile technology security. For example, the perception that it is inferior isn’t entirely accurate: the same security exists in the mobile and tablet world as when using desktop computers. Information is carried using the same bandwidth and, with the exception that a mobile device does not have a fixed IP address, security measures are applied in largely the same way. “The other point is that there should be no data stored on the mobile device, in order to eliminate the risk of information being accessed if the device is stolen or lost,” says Ogbu.
The responsibility does not fall solely with the corporate treasurer; banks are there to help. Citi, for example – in addition to the built-in security controls for mobile applications – believes it is important for banks to train their clients on cyber security and fraud awareness. In fact, “our corporates are asking for this,” says Ogbu. The bank, like many of its peers, runs numerous educational workshops and has created a training toolkit which includes videos and presentations on best practice security procedures.
It is typical nowadays for mobile solution applications to have a level of customisation built in; solutions can be adapted to suit the needs of corporates. But there are some security essentials treasurers need to ensure their application has. The level of entitlement a user has on a desktop, for instance, must be the same on the mobile device. “You need to have the same level of encryption on the mobile as you do if that user was accessing their account from a desktop. How a user’s entitlement has been set up shouldn’t be able to be changed in any way from a mobile device,” explains Ogbu.
Outside of the treasury function, companies would do well to have advice on safe technology usage – and, even better, an employee training programme on security. Security is also about heightened levels of staff vigilance. This can be (partially) achieved through training – to ensure employees use websites responsibly and can spot the signs of a suspicious embedded attachment, for example. If a corporate trains its staff to recognise attempted infiltrations and socially engineered attacks, they are able to mitigate that risk somewhat – and could even help prevent an attack.
Even with the most stringent security processes in place, a treasurer can’t sit back and relax. Ogbu explains: “In terms of the monitoring of transactions, Citi has a platform, an analytics tool, that reviews transactions against their previous transaction history and reports any transactions that are unusual. The tool helps corporate clients detect risky activity.” What’s more, the bank (like other providers) is developing another detection and alert tool which uses algorithms to create proactive analytics. These can highlight whether there is something not quite right before a transaction is executed.
According to DisasterRecovery.org, an independent organisation that provides guidance and information on disaster recovery, a plan must include the following stages:
A policy statement, stating the goal of the plan, the reasons for it and the resources required.
A risk assessment, identifying the situations that are most likely to occur.
A business impact analysis, describing how a catastrophic event may impact the business practically, financially and in other ways. It should also try to identify any preventive steps that can be taken.
Recovery strategies, explaining what needs to be recovered, how, and with what priority and speed.
The plan development stage, requiring documentation of the plan and implementation of elements as required.
Plan buy-in and testing, essential to ensure everyone knows and understands what the BC/DR plan is, what to do and when.
Plan maintenance and testing, important to ensure the plan remains relevant and that it works.
Whilst third-party system vendors should be included in any BC/DR planning process to ensure they have the capacity to deliver when they are needed most, they should not be seen as a ‘get out of jail free’ card. Asking the right questions of them is an essential part of taking responsibility for DR/BC planning. Key points to raise (and include in any Service Level Agreement) would include: how long will it take to recover operations following an event (referred to as the Recovery Time Objective), how much data could potentially be lost (Recovery Point Objective) and the reliability (proven up-time) of the platform.
Properly executed, these stages can provide a business with reassurance that it is prepared for the worst. However, a common problem, says Reval’s Pettinato, is that within a company there is often no clear ownership of DR. “A lot of business operations people – including treasury – think IT will take care of it,” he notes. Whilst this may be the case, those IT people may not always fully understand how critical each business operation is. This suggests a lack of co-ordination which, when creating a plan, is unhelpful at best. “Each business operation is responsible for ensuring it has a clear plan but that does not mean it can build and execute it on its own,” states Pettinato.
Of course, a SaaS-based TMS (treasury management system) provider such as Reval should have a responsibility to its clients to provide DR as part of the deal, but it is the clients’ responsibility to know what to do in the event of a disaster. The same goes for the vendor in consideration of its own operations. Although Reval’s own IT function co-ordinates these plans, with guidance from an internal audit operation, ownership is very much accorded to each business unit. This ensures each is able to identify its own critical systems and operations and to put in place and test an effective plan, so that everyone knows what to do and when, in a co-ordinated manner.
Rather than isolating BC/DR processes, Reval tries wherever possible to bring them into its daily operations. By making them into “a second alternative to operating our business” and by actually using that alternative periodically they become ingrained into the collective consciousness of the staff, explains Pettinato. “Once a month or once a week we will operate using our DR platform; this is tied into the production platform to make sure it is operational.” He cites having seen companies build up “impressive DR and BC platforms, test them a couple of times and then forget about them”. But it is important to keep those platforms and procedures up to date and make them part of your operations. “If you are using it regularly you will know it works.”
Reval’s practical BC plan for its own business operations (as distinct from its client operations) allows it to operate from a number of different offices and even virtually, with staff able to connect remotely if necessary. It has all of its core infrastructure and systems in professional co-location facilities that offer redundant power supplies, communications links and so on, and it also replicates all of its data in real time between two data centres that are connected but situated in geographically diverse locations.
However BC/DR is managed, simply backing up data every day and sending it over the internet to another location may have been okay a few years ago, but in a world of Big Data and complex analytics, losing a day’s worth of data is a big deal for many businesses. “Any company that believes it can get away with running a simple daily backup and restoring from that is clearly running a huge risk,” comments Pettinato.
When cyber disaster strikes, ‘keep calm and carry on’ would be a suitable adage for treasurers, but it would be hoped that the banks would play their part in keeping the machine moving. Routine operations such as making payments and checking cash positions become a serious challenge should a host-to-host banking platform be unavailable following a major event.
Banks are cognisant of this fact and in this situation many will advise clients to use the bank’s online banking platform as a means of carrying on in the interim. “If a client cannot send a file to us, they can go online to initiate urgent payments, including payroll,” says one bank specialist. “If a client receives its banking intra-day and prior-day statements host-to-host, we can put those statements, in the same format, online as part of a disaster recovery plan.”
Incorporating mobile solutions into DR/BC planning is sensible but requires preparation. Accessing online banking requires the right people to have the security credentials and tokens necessary to function but they also need to know how to execute transactions in an emergency. “We recommend our clients test the process at least annually so that they know how to release manual payments,” advises the specialist. It is also essential to have a process in place to avoid duplication of manual payments that may be contained in the original files if those files eventually make it through to the bank via the normal channels.
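The two controls touched on above, screening a payment run against previous transaction history (as Ogbu describes) and catching duplicates when the original host-to-host file eventually reaches the bank after the same payments were released by hand, are illustrated below in Python. This is an example written for this article, not Citi’s analytics tool or any bank’s or vendor’s code; the field names, thresholds and sample payments are assumptions.

```python
"""Payment-run controls for a treasury operating in recovery mode: screen new
payments against beneficiary history, and catch duplicates when a delayed
host-to-host file arrives after the same payments were released by hand.
Constructed example, not any bank's or vendor's code; all data is made up."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    ref: str           # reference assigned by the originating system
    beneficiary: str   # beneficiary account identifier
    amount: float
    value_date: str    # ISO-8601 date


def unusual_payments(history, candidates, z_threshold=3.0, max_multiple=3.0):
    """Return (ref, reason) pairs for candidates that break from history:
    'new-beneficiary' if the account was never paid before, 'amount-outlier'
    if the amount is more than z_threshold standard deviations above the
    beneficiary's mean (or, with no spread in history, more than max_multiple
    times the largest past payment). Thresholds are illustrative assumptions."""
    past = {}
    for p in history:
        past.setdefault(p.beneficiary, []).append(p.amount)
    findings = []
    for p in candidates:
        amounts = past.get(p.beneficiary)
        if not amounts:
            findings.append((p.ref, "new-beneficiary"))
            continue
        spread = pstdev(amounts)
        if spread > 0:
            outlier = (p.amount - mean(amounts)) / spread > z_threshold
        else:
            outlier = p.amount > max_multiple * max(amounts)
        if outlier:
            findings.append((p.ref, "amount-outlier"))
    return findings


def duplicate_payments(manually_released, incoming_file):
    """Return (incoming_ref, manual_ref) pairs for payments in the delayed file
    that were already released manually. A reference match is decisive; a
    (beneficiary, amount, value date) match catches manual entries keyed
    without the original reference."""
    by_ref = {m.ref: m for m in manually_released}
    by_key = {(m.beneficiary, round(m.amount, 2), m.value_date): m
              for m in manually_released}
    duplicates = []
    for p in incoming_file:
        key = (p.beneficiary, round(p.amount, 2), p.value_date)
        match = by_ref.get(p.ref) or by_key.get(key)
        if match:
            duplicates.append((p.ref, match.ref))
    return duplicates


# Constructed sample data: past payments, a new run, and one manual DR release.
HISTORY = [Payment("H1", "B1", 1000.0, "2015-04-01"),
           Payment("H2", "B1", 1100.0, "2015-04-08"),
           Payment("H3", "B1", 1050.0, "2015-04-15"),
           Payment("H4", "B2", 500.0, "2015-04-01"),
           Payment("H5", "B2", 500.0, "2015-04-08")]
NEW_RUN = [Payment("P1", "B1", 1080.0, "2015-05-12"),
           Payment("P2", "B3", 200.0, "2015-05-12"),
           Payment("P3", "B1", 50000.0, "2015-05-12"),
           Payment("P4", "B2", 500.0, "2015-05-12")]
MANUAL = [Payment("MAN-001", "B1", 1080.0, "2015-05-12")]
```

Running `unusual_payments(HISTORY, NEW_RUN)` flags P2 as a new beneficiary and P3 as an amount outlier, and `duplicate_payments(MANUAL, NEW_RUN)` reports that P1 was already released as MAN-001.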
Whilst including banking in the DR plan is crucial, corporates are curiously quiet when it comes to checking the preparedness of their key partners. There is an expectation nowadays that bank products will conform to BIS (Bank for International Settlements) principles and stand up to any DR scenario. Rules, such as the minimum acceptable distance between a bank’s data centres, exist to give a level of common comfort to clients.
Banks must provide security and demonstrate that they can function whatever happens. To this end, there is increasing market interest in the sustainability of platforms, business models and processing capabilities. The industry is also seeing more co-sourcing of technology and more platform investment.
Yet, despite the banks’ and vendors’ best efforts to help clients to avoid cyber-attack, or to recover as swiftly as possible from a cyber-breach, ultimately, the treasurer must take responsibility here. This means working with all business partners – internal and external – to ensure that any threat to the company’s finances is minimised.