Cybercrime has existed in numerous guises since the emergence of technology in the workplace and it is an ever evolving space. As a result of this evolution the threats to businesses are multiplying and becoming increasingly complex, seeing cyber-security creep to the top of business leaders’ minds. In this article, Treasury Today explores the changing threats and what treasurers can do to help fend off cyber-criminals.
It is widely accepted that cybercrime poses a huge risk to businesses, and if you are not concerned about cyber-security, then you should be. The numbers speak for themselves: cyber-attacks cost companies around the world $7.7m a year on average in losses, according to the 2015 Ponemon Institute of Cyber Crime Study of 252 companies. These attacks did not discriminate against company size, industry or location.
Many businesses, perhaps in light of some recent high profile cyber incidents, have woken up to the risk. As a survey conducted by PwC, titled The Global State of Information Security 2016, highlights that 91% now have risk-based security frameworks in place and 24% have boosted their security budgets. Despite this work, breaches still occur and at great cost. The reason for this being that a business can only be as strong, in cyber terms, as its weakest link, and in a multinational with thousands of staff there are many potential weaknesses.
When put in these terms, it may seem that protecting the company’s financial data and assets from cyber-criminals is an impossible job. However, with the right education, culture, technology and processes in place, a company can go a long way to achieving this. And a prudent place to start is to understand the threats and from where they originate.
Shadow corporations
Unfortunately, the threats corporates face are multifaceted, and their origin is frequently shifting. Once cyber-attacks were largely perpetrated by nation states, or by tech-savvy individuals and hacktivists, today cybercrime is big business. In fact, it is often not understood just how profitable an industry it is.
Information security company Trustwave have looked to lift the lid on the industry, conducting a study into the potential returns a cyber-criminal can expect to make and the numbers are staggering: Trustwave estimate that cyber-criminals receive on average a return on investment of 1,425%. With returns such as these it is unsurprising that cybercrime is becoming increasingly commercialised. As George Quigley, Cyber Security Partner at KPMG explains: “We like the phrase shadow corporations to describe these organisations, because although they are not ethical or legal, they operate much in the same way as any other company, with a management structure and various departments that look after different areas of the operation.” Some shadow corporations may have copywriting departments, for instance, that look to craft professional looking phishing emails – rather than those littered with spelling mistakes and dubious URLs of yesteryears. Some have even gone so far as to offer healthcare and pension plans to its employees, it has been reported.
To further maximise revenue, shadow corporations are now offering ‘crime-as-a-service’ (CaaS), building sophisticated solutions that can be sold to other criminals looking to get a slice of the action. The most advanced of these have an enterprise feel to them with cloud based access and 24×7 support.
Sophisticated attacks
Just as the threat actors are changing and growing in sophistication, so are the methods. A recently published Threat Report by McAfee Labs outlines this, stating that: “We have seen a change during the past two years, with a significant increase in the number of technically sophisticated attacks. Many of these have been designed purely to evade advanced defences. They are infiltrating in pieces, hiding in seemingly inert code, and waiting for an unprotected moment to emerge.”
And once inside a company’s system, there are then a number of ways that cyber-criminals can look to generate revenue. “Some hackers will simply extract sensitive information and send a small portion of this back to the company, demanding money in return for safe passage of the rest of the information,” says Quigley. Other methods can be more debilitating. “We are seeing the re-emergence of ransomware that can lock users out of the system,” he adds. “For treasury, this may cause a problem in terms of being able to access information and authorise transactions.” Another similar method Quigley sees returning is the distributed denial service attack, where a threat actor floods the network with traffic, bringing it down. In both of these examples, the criminals will demand a ransom fee to stop the attack.
There is little the company can do in instances such as this. In fact, the FBI have stated that in the case of such an event it may be prudent to simply give into the criminal’s demands – which the FBI say the overwhelming majority of institutions do. Interestingly, according to reports, there seems to be some honour amongst thieves. Joseph Bonavolonta, Assistant Special Agent at the FBI’s CYBER and Counterintelligence Programme in Boston, told Business Insider that ironically the fact people are paying the ransom is keeping the criminals’ demands low, and that in the vast majority of cases access is returned upon receipt of payment.
…And unsophisticated attacks
Cyber-criminals are also becoming smarter in how they prey on human frailty to breach a company’s defences. “There is a plethora of information about a company and its people, freely available online, affording cyber-criminals the opportunity to digitally track employees (think social networks) and then launch an attack at an opportunistic time,” says Quigley.
A prime example of this is when a member of staff is on holiday, but still keeping half an eye on work, explains Quigley. “Often attacks are planned over a period of 12 to 18 months and in cases such as these a cybercriminal can follow an employee’s social media account and find out when they are on holiday,” he says. “Once this opportune moment arises the fraudsters can send a phishing email, impersonating somebody from the business they have also been following, asking to approve something – a transaction, for example. The hope being they will do so without suspecting any wrongdoing.”
‘Friday afternoon fraud’ is another arguably less sophisticated attack. Here, cyber-criminals look to take advantage of the rush to complete work before the weekend. Again, the hope is that not enough attention is being paid to what is happening and a transaction of some sort is approved. This was something that occurred to an employee at Fortelus Capital Management LLP, who received a call late on a Friday from somebody claiming to be from Coutts, the investment bank, claiming that there was fraudulent activity on Fortelus’ account. To rectify this, the employee used the bank’s smart card security system to produce codes for the caller to cancel the suspicious payments. When he returned to work on Monday, $1.2m had been stolen.
Building up the barriers
So how can corporates protect against the plethora of cyber risks? Unfortunately, there is no silver bullet; best-in-class cyber-security comes from a mixture of technology, process and people. That being said, technology can go a long way in protecting the business, and a corporate’s IT team must ensure that they have a robust firewall system in place and various other technical defence mechanisms.
But digital barriers can only be built so high, and it cannot be assumed that these are impenetrable. As Simon Viney, Director, Security Science at Stroz Friedberg states: “You can invest millions in your cyber-security, but there only needs to be one error, or one misconfiguration, for the criminals to take advantage.”
As a result, Viney is seeing corporates dedicating greater resources to penetration testing, where outside experts are hired to attack the network and highlight areas the security falls short. There is also a greater investment in threat intelligence tools that are able to spot patterns in data, and highlight any nuances that may be potential threats – data flowing to an unfamiliar IP address in a location the business doesn’t operate in, for instance – providing the opportunity to spot these early and take the necessary action.
Outside parties are also able to provide some layer of protection. Banks, for example, have invested heavily in their fraud detection software and are able to spot irregular payments, based on size, destination, time and a whole host of other parameters. In cases such as these, the bank is able to contact the treasury team and ask if this is a legitimate payment before pushing it through, potentially preventing a significant financial loss.
Security in the cloud
Technology works both ways, however. Whilst corporates are investing in their cyber-security, they are also investing in innovative technology, such as the cloud – creating further attack surfaces and areas of concern for corporates. But cloud also offers its advantages, as Philip Pettinato, Chief Technology Officer at Reval, explains: “One of the main benefits I see in cloud technology is that corporates get the benefit of knowing that the other companies they are sharing the platform with have gone through their own extensive audit and penetration testing to ensure that it is secure,” he says. “Thus creating a more secure environment for everyone involved.”
Holding financial data in the cloud can also outsource the burden of cyber-security and, in some cases, offer greater protection compared to leaving it on the company’s own servers. “Most corporates today have security measures in place and they are doing a lot of the right things,” says Pettinato. “Cyber-threats are changing quickly, but the tools we are using to maintain an advantage are up to date and constantly evolving in response to these changes.”
Step by step
Whilst technology can certainly help protect the business, it is not infallible, particularly when a mistake is unwittingly made by a human. It is therefore vital to ensure that the company has robust processes in place to mitigate the risk of cybercrime and that this is backed up by the education of all employees about the risks. The aim: to create a cyber conscious culture.
In regards to processes, the changes do not have to be dramatic. Take, for example, a member of the treasury department receiving an email from the CFO asking for the account number to be changed on a regular payment. In this instance, it would be wise to question this request and make a phone call to the CFO asking if this is legitimate.
“The treasury team needs to be empowered to question these items,” says Cindy Murray, Head of Platform Transformation, Digital Channels and Client Experience for Global Transaction Services at Bank of America Merrill Lynch (BofAML). “And this should feed into a broader, more robust, segregation of duties in the treasury department. When we see fraud, it is often because the company is enabling a single person to approve and initiate a payment. No matter what security layers are in place, if a cyber-criminal hacked into their desktop and made payments, there would be little way of identifying this payment before it is too late.”
Murray and her team therefore promote a strong segregation of duties to all their clients. However, sometimes a treasury team may be too small to do this effectively. “There is technology that can support corporates with this challenge,” adds Murray. “For instance, we offer two-factor authentication when making payments and also a solution that requires the CFO or senior treasurer to digitally sign the payments before they are approved and initiated by the treasury team.”
The issue however, as mentioned earlier, is that a company is only as strong as its weakest link. And even though a treasury team may follow all the correct processes and have technology in place to mitigate the risk of cybercrime, if somebody in another department mistakenly provides a cyber-criminal with access to the company’s servers, they may be able to make their way into the treasury department’s systems undetected. In fact, such an incident occurred in recent months at an Austrian manufacturing company where $54m was transferred out of the company’s bank accounts with attackers able to access authorisation credentials for conducting a wire transfer using the corporate treasury systems.
“Education is vitally important and everybody in the company needs to understand the risks, helping to create a cyber-conscious culture,” says Stroz Friedberg’s Viney. “Board engagement is critical in this respect and the culture has to be driven from the top down. If anyone opts out, then the risk grows.”
Dealing with a breach
Regrettably, even the companies that do this best may still be prone to cyber-attacks. As a result, experts advise that a company never rest on its laurels, and be prepared for an attack to be successful. And if the worst does happen, then time is of the essence. “Corporates should immediately contact the bank,” says BofAML’s Murray. “We can very quickly trace the payment and attempt to reverse it. But cybercriminals know this, and will try to move the money on as quickly as possible. Therefore, the longer it takes for the bank to be notified the less opportunity we have to recover the payments.”
The corporate treasury department can play a big part in ensuring that an illegitimate transaction is spotted quickly by regularly reconciling its accounts. “Many years ago corporates reconciled monthly. If this was still the case, there would be little chance of recovering an illegitimate payment. Today, corporates are adopting best practice and reconciling daily, and many even intra-day. This is enabling any issues to be identified in good time and further escalated should need be.” In addition, Murray also highlights that banks now offer numerous reports, advice, and acknowledgements that corporates can utilise in order check their payments and ensure that fraud is not occurring.
A team game
Using this information may become of even greater importance due to the increasing digital connectivity between businesses in the 21st century. For instance, a large corporate is likely to be digitally connected to a vast number of counterparties on both the buy and sell side, up and downstream, and each one poses a potential cyber risk. “We have rushed into an interconnected world, and it is nearly impossible for an organisation to be responsible for, or even understand the security, that is being operated by its counterparties,” says KPMG’s Quigley.
The awareness of the cyber-risk posed by third parties undoubtedly increased following the Target incident – where the company’s network credentials were stolen from a third-party vendor. And this is beginning to have an impact on how companies do business, with some looking to shorten their supply chains. “Companies are also analysing the risk profile of the supply chain from a cyber perspective and assessing how they interact with each other and if these channels are secure,” adds Quigley.
The complexity of businesses in the 21st century means that this is no mean feat, particularly when so many organisations are reluctant to share their information. “Companies need to understand the importance of sharing data,” says Stroz Friedberg’s Viney. “Cyber-criminals are sharing their information to gain an advantage. So should corporates.” The message is clear: cyber-security is no longer a siloed activity, it is a team game and one that corporates may lose if they don’t work together.