Who might attack you?
According to a 2015 whitepaper produced by the UK government, titled ‘Common cyber-attacks: reducing the impact’, the main groups of potential attackers are:
Cyber-criminals interested in making money through fraud or from the sale of valuable information.
Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
Hackers who find interfering with computer systems an enjoyable challenge.
Hacktivists who wish to attack companies for political or ideological motives.
Employees, or others who have legitimate access, who cause harm through either accidental or deliberate misuse.
Steps to cyber-security
Against this backdrop, CESG, the National Technical Authority for Information Assurance within the UK, recommends frequent reviewing of your organisation’s overall cyber-security strategy, and attention to the following nine specific areas, in order to protect your business:
User education and awareness. Companies should provide user security policies covering the acceptable and secure use of all systems. Part of maintaining user awareness is establishing a staff training programme. Security is largely reliant on heightened levels of staff vigilance; by ensuring employees use systems, websites and apps responsibly, and can spot the signs of suspicious attachments, for example, the business can mitigate risks somewhat.
Home and mobile working. Similarly, a policy for mobile working is needed to protect data in transit and at rest elsewhere. The level of entitlements users have on mobile devices, for example, should be the same as if that user were accessing their files from a desktop.
Managing user privileges. Indeed, processes for managing all accounts should be established. CESG advises that privileged accounts should be limited.
Secure configuration. Security patches that ensure the secure configuration of all IT systems should be applied and maintained.
Removable media controls. Companies may use various types of removable media (CDs and USB drives, for example) and whilst these should be limited, a policy is necessary to control the remaining access. CESG also advises scanning all media for malware before importing it onto the company system.
Incident management. Incident response and disaster recovery capability needs to be established. Please see the disaster recovery section below for more advice.
Monitoring. A strategy and capabilities for monitoring all systems and networks are necessary to analyse any unusual activity and log any events that could indicate a potential attack.
Malware protection. Relevant policies and anti-malware defences should be established that are applicable for all business areas.
Network security. Managing the company’s network perimeter helps protect against internal and external attacks, as any unauthorised access or malicious content can be filtered out. It is important that security controls are frequently tested.
Mobile services – on the up?
The above points provide a solid foundation, but treasury has some specific concerns. Payments, for instance, should be treated with extra care – especially when made on-the-go using mobile devices. For some professionals, the payment approval process on mobile should be limited to low-value general office expenses. Others are more open to the convenience and flexibility that using mobile devices to approve or make payments remotely offers – provided the security is there. And rightly so. Corporates are dealing with transactions of significant value so a lot of reassurances with respect to security are required. The result: developments aimed at corporates are inevitably, albeit appropriately, slower.
Persuading treasurers to become avid mobile users could take a while but as technology matures, processing power increases, and data integration deepens (and as the so-called ‘digital native’ generations – those who have been brought up with this technology – assume control), the value for corporates will increase. The true added-value, however, will always come from the skilled corporate treasurer. Ultimately, it is up to them to decide whether and how mobile channels will influence their strategic decision-making going forward.
Advice from the experts
As cyber-security has become an ever-pressing issue for corporate treasurers over the years, Treasury Today has spoken to numerous industry experts. Here are some of the key things they have had to say:
Martin Tyley, Partner, Cyber-security, KPMG:
“It is important to identify that cyber-security isn’t about having an inward-looking approach and believing you are safe. The most effective departments are those who understand that it is a collective responsibility. The most ineffective are those who believe that it is just an IT issue and their responsibility to clean up. The key therefore is to be able to harmonise people, processes and technology and if this can be achieved there is a much greater chance of protecting the treasury department and the organisation.”
John Salter, Managing Director, Global Corporate and Financial Institutions, Client Coverage/Origination, GTB, Lloyds:
“Cyber-criminals do not discriminate by company size, location or industry sector, as long as a profit can be made. Cyber-criminals will attack the weakest in the herd, so ignorance of threats actually makes you increasingly likely to be attacked.
Cybercrime is also becoming increasingly professional and globalised and the scope and sophistication of attacks should not be underestimated. Treasury departments should therefore be aware that an attack may stem from any corner of the world and in many cases may be disguised as legitimate business dealings. Furthermore, overseas associates may not have adequate controls in place which can leave your company exposed to attacks.”
Anupreet Singh Amole, Senior Associate, Freshfields Bruckhaus Deringer LLP:
“Clearly, there is a place for spending on specialist technical security advice and software. However, one must not see that technical element as a panacea. Instead, and perhaps somewhat counterintuitively, it is the human element that is crucial. Again, a cross-functional approach is required.”
Rohini Tendulkar, Senior Economist, IOSCO:
“For treasurers, it is important to keep up-to-date with trends in the cyber-attack landscape to know what to look out for – in particular the various social engineering techniques that may be used to trick someone into allowing a cyber-attack to propagate. This can be achieved by attending cyber-security training or information sharing events/groups. It is also important to identify the most critical or sensitive information/data/processes under one’s control and relay this information to IT departments so that cyber-security efforts can be prioritised. Lastly, treasurers should understand or encourage the development of internal cyber-security policies in their firm, for example clear reporting lines in the case of a cyber-attack.”
Banking: the treasurer expects…
With the cybercrime wave reaching tsunami-like proportions, more treasurers are turning to banking partners for help. And, for the banks, security is increasingly the selling factor for the products they offer. One of the key findings from a recent survey published by BNP Paribas (BNPP) and the Boston Consulting Group is that what is important for corporate treasurers today is not product enhancements but solutions that are dependable and, above all, secure in the face of a growing cyber-threat.
With transactional banking products becoming ever more commoditised, cyber-security may begin to evolve into a new area of competitive focus. Noting the mounting costs of cyber-attacks, banks like BNPP say clients will need all the help they can get in the coming years.
“This is definitely an area in which banks have an opportunity to develop a true commercial offering,” Jacques Levet, Head of Transaction Banking for Europe, Middle East & Africa at BNPP, told Treasury Today. “But they need to develop solutions that will deliver real added-value for their clients and that could help them differentiate from the competition.”
Levet believes banks could help in several different ways. “What corporates suggested in the survey is that banks could for instance provide some form of external certification on the robustness of a treasury’s internal control procedures and IT infrastructure,” he says. “Because of their recognised expertise in this field, banks are indeed seen as potentially preferred providers of such security services as transaction and network traffic monitoring mechanisms as well as staff training.”
BNPP’s survey notes that treasurers see their banking providers as the ‘gold standard’ in IT security, given the requirements they must adhere to in their own operations. Such is the level of regard that many of those surveyed signalled they would look favourably on banks that proactively share their expertise and internal best practices. Some of the surveyed treasurers are quoted as saying they would be more than happy to pay for such services too.
Business continuity and disaster recovery in a digital world
Of course, it’s not just cyber-attacks that corporate systems and processes face – there are innumerable threats to the status quo. These must be managed as far as possible to avoid turning a threat into a disaster. Risk mitigation in this context is no mean feat.
You may believe that you have the most secure and dependable technology known to treasury-kind but the fact is, there are no infallible systems on the market. Should the worst happen, those who are prepared will obviously fare the best. For treasurers, the key questions that should be asked are: ‘are you aware of the risks, and will you be ready to deal with the outcome?’
There will be a number of immediate concerns to tackle, and the absolute prerequisite is “to avoid, under every circumstance, panic and uncontrolled action”, warns Thomas Stahr, Managing Partner of Stahr Treasury Consulting and a senior treasurer of many years’ experience. This is where robust planning comes into play. In practical terms, the first task is to convene an emergency meeting with the most senior responsible personnel. “Designate an immediate task-force, ensure clear definition of tasks and responsibilities and enlarge it where appropriate and necessary,” he advises. This and all subsequent direction should form part of the business continuity plan (BCP).