With high-profile cyber-attacks continuing to make headlines, treasurers cannot afford to ignore the importance of cyber-security. But should this area be viewed as a straightforward necessity, or can it be approached as a business enabler?
The risk of cyber-attacks was a major theme in 2017, with a number of high-profile incidents underlining both the breadth of attacks taking place and the scale of possible losses. In February, US$81m was stolen from Bangladesh Bank in an attack which had attempted to steal almost US$1bn. In December, Yahoo revealed that a data breach from August 2013 had affected a billion users.
Even when the figures are less staggering, the impact of a cyber-attack can still be considerable. According to Cisco’s 2017 Annual Cybersecurity Report, 29% of security professionals said that their organisations experienced a loss of revenue as a result of cyber-attacks, with 38% saying their revenue loss was 20% or higher. Twenty-two percent of organisations said they had lost customers as a result of cyber-attacks, while 23% said they had experienced a loss of business opportunity.
From data breaches to distributed denial-of-service (DDoS) attacks, businesses may be at risk from many different types of cyber threat. Linda Coven, Senior Analyst at Aite Group, points out that the threat of a cyber-attack has grown beyond the account takeover to the potential for stolen company secrets and intellectual property. She notes that these attacks can take the following forms:
Social engineering fraud using network breaches and stolen credential information.
Nation-state-sponsored attacks, which may be politically, economically or militarily motivated.
Continued DDoS attacks of significant volume and frequency against financial institutions, often to cover fraudulent activities.
Extortion (ransomware) – demands for money or other ‘payments’ from a business.
Espionage against governments and business intellectual property.
Business Email Compromise – accessing executives’ accounts to gain credentials or spoof email to elicit a funds transfer.
It is clear that these threats are becoming more severe as cyber-criminals refine their techniques. “Are the bad guys getting more sophisticated? Absolutely,” says Mike Lamberg, Chief Information Security Officer at OpenLink, and the former VP of Information Security at the NYSE. “Social engineering, or the practice of getting someone to trust you and do things you want them to do, continues to increase and be the prevalent method of infiltrating an organisation and doing harm.” Lamberg points out that this could take the form of a legitimate-looking email, an enticing website ad – “or a simple phone call leading to a loss of confidential information, or causing an inappropriate funds transfer, for example.”
Where corporate treasury is concerned, the most significant concern is the risk that a fraudulent payment will be made. This is a very real risk for companies around the world. The 2016 AFP Fraud Report found that 73% of American companies were targeted by payments fraud in 2015 – up from 62% in 2014. While cheques were found to be the payment method most often targeted by fraudsters, the research also found that 64% of businesses were exposed to BEC scams, while 48% were exposed to wire fraud.
Increasingly, sophisticated spear-phishing attacks are being aimed specifically at finance and treasury staff. “Recent sophisticated attacks on systems and services that offered weak overall security have directly targeted the treasury and payments systems that sit at the heart of a modern corporate treasury,” says Andrew Bateman, Head of Corporate Liquidity and Bank Treasury at FIS.
The strategies used by criminals continue to evolve. Bateman notes that “social engineering attacks through phishing and/or spear-phishing attacks as a vector for installing malware, or other advanced persistent threat (APT) components, remains a significantly high component of the threat.” The nature of the APT components is changing in sophistication year on year, as is the professionalism of the most sophisticated phishing attacks. Bateman adds, “We are seeing more targeted attacks on financial systems and finance employees.”
But despite these threats, treasurers may not be doing everything possible to protect their businesses. Bateman says that treasurers are “probably not yet as concerned as they need to be”. He adds, “While we are seeing a clearly strong and growing awareness amongst treasurers of the risks that cyber-attacks place on their businesses, the active engagement that is required to address it is lagging a little.”
According to Bateman, this lag may be attributed in part to the “legacy view” that treasury remains somewhat isolated from the outside world – although the targeting of treasury staff demonstrates that the reality has changed.