Hackers are making hay as digitalisation of organisations gather pace and regard treasurers as very high value targets for attack.

Rapid ongoing digitalisation of organisations globally is now widely recognised as being in itself a major factor driving the explosion in cyberattacks on firms, and as guardians of their companies’ finances, treasurers are increasingly being targeted by hackers.

Indeed, for Joe Collingwood, CEO of UK-based cyber-security expert Cysure, the biggest risk to treasury departments is their employees. Therefore it is critical, he says, that they appreciate the cunning and increasingly sophisticated strategies hackers employ to compromise them.

“Cyber criminals use social media to identify people who work in treasury and then actively target them with quite complex scams. There have been many instances over recent years where, for example, email servers have been targeted for hacking so that company personnel, suppliers or clients can be impersonated to enable the hackers to create and submit false invoices and payment instructions.

“Companies that have distributed banking systems, multiple accounts and complex banking processes are at greater risk than companies with simpler systems that are easier to monitor and protect,” says Collingwood.

His top tips for treasury and finance executives looking to minimise their exposure to attack include identifying and simplifying banking processes and reducing the number of accounts wherever possible. Critical technology and process areas should undergo a risk assessment of all potential vulnerabilities.

Treasury departments also need to develop holistic cyber risk mitigation strategies: “This task should not be seen as a responsibility for just the IT department. It should involve both IT and treasury or finance personnel as they will view risks in different ways. For example, critical servers will need to be regularly scanned for vulnerabilities and have security updates applied on a more frequent basis in line with the risk and impact assessment than perhaps other not so critical IT equipment.”

Collingwood also urges firms to be cautious when actioning large transactions: “They should consider implementing payment procedures for large amounts that requires a test transaction with a follow up telephone call with the supplier or client to ensure money is being paid into the correct account first.”

Other top cyber-security tips for treasurers include:

• Ensure all personnel involved in treasury are issued clear guidelines that are reinforced on a regular basis and that they are familiar with the processes of the company’s information security policy.
• Increase regular awareness training so that personnel are constantly reminded of potential scams or tactics being used to trick them.
• Employ a specialist penetration testing organisation to conduct regular penetration tests to ensure training and policies are effective and working.
• Review contracts and policies with suppliers that are part of the treasury payments process to ensure that they implement an accredited standard for cyber-security for themselves and their suppliers to protect the supply chain.
• Have an up-to-date incident response plan that is practiced regularly so that employees know what to do when they suspect there is an attempted breach or if an actual incident occurs.
• Consider cyber insurance to cover potential losses and remediation/forensic costs.

Business imperative for SMEs

It is now widely recognised that among business segments, rapid digitalisation of organisations is leaving SMEs especially vulnerable to attack. Collingwood says they are more at risk from data breaches than large organisations because cyber criminals recognise SMEs do not have the money or resources to launch a legitimate defence and therefore are easy prey.

According to the UK government’s Cyber-Security Breaches Survey 2018, 42% of small businesses identified at least one breach or attack in the last 12 months. Many SMEs struggle to muster investment for cyber-security but Collingwood argues it is now a business imperative for them: “In a rapidly evolving landscape of cyber threats, SMEs which understand the risks and have a robust cyber-security strategy are more able to recover business operations when a breach happens.

“This ability to demonstrate cyber resilience is becoming a contractual requirement to many large organisations that rely on a vast network of agile SME suppliers and partners within their supply chain. SMEs that invest in cyber-security can show they are less likely to be a conduit for criminals to access a larger organisation, and are better placed to demonstrate their ability to recover business operations and performance in the event of an attack, therefore protecting the supply chain. While no security strategy can stop 100% of attacks, the aim must be to mitigate the risk as much as possible.”