Treasury departments are the prime target for cyber-criminals, and it’s a treasurer’s responsibility to work alongside the IT department to ensure defences are as strong as they can be. However, with the weakest link in almost every company being the staff not recognising social engineering emails, it poses the question: how can treasurers build a defence with such a high risk of human error?
A recent survey conducted by RSM, a global network of audit, tax and consulting firms, with over 597 responses, has investigated digital transformation of businesses and how it has impacted the cyber-security of middle market firms across 33 European countries.
According to a study conducted by the Clark School at the University of Maryland, a hacker attack happens every 39 seconds. According to RSM’s study, not only do 72% of the businesses that responded believe they are at risk from cyber-crime, but 50% either agree or strongly agree that the more technology you implement, the more at risk you are of a cyber-attack if adequate controls are not put in place. Despite this alarming figure, 21% of leading European businesses do not have a cyber-security strategy in place, and of those that do, only 48% are confident it will prevent a cyber-security attack.
RSM found that human error is still the main point of weakness in cyber-defence, with 64% of businesses saying the key challenge they face is “ensuring staff company-wide are appropriately trained to prevent human error”. Yet 22% of businesses don’t provide staff training on cyber-security issues. Such training is integral to a successful cyber-defence, especially in the treasury department, whose staff are most at risk of attack.
RSM asked the question of who respondents think is responsible for cyber-security and GDPR compliance. Twenty percent believe it is the IT manager who has overall responsibility and only 31% think the responsibility ultimately sits with the CEO. The CEO is the person who is liable in the case of a breach, meaning that cyber-security is a senior executive responsibility. In spite of this, 54% say that the threat of cyber-crime and the need for increased security is only occasionally discussed at board level.
Sixty-five percent of businesses say that cyber-security needs to be discussed more at senior management level, and 59% commented that once they had experienced a breach, senior management prioritised cyber-security more. RSM points out that cyber-security cannot become a priority only after a breach, and that firms need to be more proactive in their approach both before and during any breach.
Firms need to have an effective incident management system in place to not only help contain any cyber-security breaches, but also to limit any reputational or financial impact they could have on a firm. Doing nothing is simply not an option. According to RSM, effective incident management could include:
Training users to identify a potential attack and know who to inform.
Having tools and technology in place to identify and prevent malware.
Having regular monitoring in place over systems and infrastructure.
Having a formal and tested process for dealing with incidents, to contain and resolve them as quickly as possible.
When it comes to reasons for investing in cyber-security systems, responses varied; 68% said GDPR requirements were their main reason, and 55% cited their increasing amounts of customer data holdings. With the GDPR requirements having been in place for over a year at the time of this survey, it might be surprising to learn that 26% of respondents don’t believe their business is fully compliant yet.
RSM explains that the legal threats that came with GDPR, along with potential reputational damage, spurred businesses into action that was long overdue. However, the pressure placed on businesses by the press, industry bodies and stakeholders had the effect of inducing “GDPR fatigue”, meaning some businesses simply gave up and reverted to their previous working practices where they could. They focus only on ticking the boxes they are legally required to, which leaves far less protection in place.
RSM explains that cyber-security cannot be just about meeting GDPR requirements and ticking boxes, but about protecting key business assets on a wider basis. For treasurers, this is especially important as cyber-attackers target where the money is, leaving them far more at risk than the rest of a company.
It’s not only social engineering scams that leave treasurers at risk, however. Treasury departments with complex systems in place, such as a large number of bank accounts, are more exposed to cyber-attacks. Therefore, a treasurer needs to ensure not only that their own knowledge and training is up to date, but that the treasury department as a whole is prepared as well.
RSM found that when a breach did occur, 75% of companies did not make it public knowledge, and only 19% did. Furthermore, 34% don’t actually know when they should inform the Data Protection Authority. Among employees, only 39% knew whether their company had ever had a security breach, 24% knew it had not, 30% were unsure, and 7% didn’t think it was their position to know.
In the case of a breach, the most popular short-term response was introducing immediate communications with staff, with 66% of firms doing this. Whilst this is important, as staff are the biggest risk in a cyber-defence strategy, it’s somewhat concerning that only 23% informed regulators, 21% informed customers, and 4% actually paid the ransom demanded by the attackers.
The most popular long-term solution was investing in new security technology, with 61% doing so. The proportion investing in staff training, however, dropped to 51%. Meanwhile, only 27% searched for, and found, further vulnerabilities, and 26% developed or updated their crisis planning to include security. According to RSM, this doesn’t bode well for the majority of organisations, as it leaves them in the same place they were in before the breach occurred.
So, what does RSM recommend to help with cyber-security, and the catch-22 that comes with digitisation? Here are just a few of their suggestions:
Report the breach as soon as possible. If firms aren’t aware that breaches are a real threat, they’re less likely to keep updating their cyber-defences in preparation for a possible attack. The more breaches that come to light, the better businesses will understand the risks.
Make it a board-level issue to review all policies and procedures as well as provide education and training.
Keep staff aware of their responsibilities towards cyber-security, making sure they know what to look for in suspicious phone calls, emails or texts.
Check security certificates and inform your IT department immediately if you spot anything unusual.
Treasurers have a special, and arguably more important, role than most to play in cyber-security for their organisation. Not only do they work with the IT department to decide which defences to invest in, but they also have to be extra vigilant themselves, as they are so often the target of cyber-attacks. Cyber-security is as important as ever in an increasingly technological world, and all firms should do as much as they can to protect themselves from threats in all their forms.