Cyber-criminals continue to develop ever more sophisticated techniques, with some companies experiencing attacks every single day. Yet many treasurers do not regard cyber-security as a critical concern. So what threats should treasurers be particularly aware of in the current environment – and how can they protect their organisations?
Cyber-security is an issue that affects companies both large and small – but despite the growing threat faced by companies everywhere, many treasurers do not currently see this area as a major priority within their own roles. Unfortunately, it’s not a question of if, but when, your organisation will be targeted.
PwC’s 2019 Global Treasury Benchmarking Survey, Digital Treasury – It takes two to tango, found that only 15% of respondents said their organisations were not affected at all by payment fraud attempts. Four out of ten said they were affected on at least a monthly basis, with 9% reporting they experience attacks every day.
However, the survey noted that while three quarters of CFOs see cyber-security as a critical concern, only 28% of treasurers do the same. The report suggests several reasons why this might be the case, including a lack of clarity over risk ownership and a perception by treasurers that cyber risk is the domain of IT or finance, rather than treasury. “This is a cautionary finding from this year’s survey that should be a wake-up call to the treasury community,” the report warns.
François Masquelier, Chairman of Association of Corporate Treasurers of Luxembourg (ATEL), likewise questions whether treasurers are as concerned about cyber risk as they should be. “Cyber-security should keep treasurers awake at night, shouldn’t it?” he comments. “However, I don’t think it does.”
It’s clear that many treasurers do not feel fully prepared to combat a possible attack. The FIS 2019 Treasury Modernization Survey, for example, found that less than a third of treasury departments consider themselves to be very effective at managing cyber risk – although this is hopefully changing.
“In 2020, we’ll see more efforts and investments from treasurers and IT to reassess financial operations, identifying potential areas of exposure and addressing those,” comments Andrew Bateman, SVP, Buy-side Solutions, FIS. “The best-protected treasury departments have educational programmes for employees, processes for mitigating fraud and technology from reliable providers with strong security offerings.”
What are the threats?
A key challenge when it comes to managing the risk of cyber-attacks is that the methods used by fraudsters tend to evolve much faster than the measures adopted by their intended victims. Nevertheless, some threats are more prevalent than others, so it’s important that treasurers stay abreast of the latest developments in this area.
“Treasurers have to work with IT and third-party technology providers to stay informed on all types of threats,” says Bateman. “While certain types of fraud, such as cheque fraud, have remained steady, other types of fraud are growing in popularity, including targeted phishing, malware, ransomware, data and identity theft, and others.”
The rise of ransomware
Where today’s threatscape is concerned, Joseph Krull, Senior Analyst – Cyber-security at Aite Group, points out that attackers tend to go for the path of least resistance – and currently, he notes that ransomware is an issue that is causing particular issues in the US.
In 2018, for example, the City of Atlanta was hit by a ransomware attack that wreaked havoc and disrupted city services. The attack, which left some departments having to use pen and paper to carry out their jobs, hindered revenue collections and resulted in the loss of years of dashcam footage. In May 2019, Baltimore’s local government was targeted by hackers, locking employees out of their computers and preventing local residents from paying bills and taxes. Recent weeks have also seen numerous attacks on school districts and colleges, bringing considerable disruption and closures.
Other high-profile ransomware attacks include the 2017 WannaCry attack which wreaked havoc on the UK’s National Health Service (NHS), as well as targeting Spanish utilities companies and educational institutions in China. And while there were reports that ransomware incidents were declining last year, a report by cyber-security company McAfee found that incidents increased by 118% in the first quarter of 2019.
The recent attacks in the US have cost millions of dollars to rectify – and Krull warns that further attacks are likely. “Ransomware is endemic today,” he says. “As a treasurer, I would be concerned about that – an attack could not only bring the business to a halt, but could also cause the loss of critical data needed to do things like regulatory filings, tax filings and issuing invoices. Ransomware can really ruin your day.”
Beware BEC attacks
In addition, business email compromise (BEC) attacks – in which the attacker impersonates the CEO or other senior officer to convince staff to make a payment – continue to be a threat. The FBI’s 2018 Internet Crime Report found that over US$1.2bn was lost as a result of BEC scams last year – up from US$676m in 2017.
Despite the name, Krull says that this type of attack is not only carried out by email, but can also be issued using other channels such as phone and instant messenger. “Attackers rely on two things for this type of attack,” he explains. “One is a sense of urgency – they will say that the payment has got to be made right away. And the second is that they will impersonate the highest person in the organisation in order to have that horsepower and convince people that they need to do the transaction.”
Krull says that education is the primary defensive tool when it comes to combatting this type of attack. He also notes that banks are taking steps to reduce the risk of loss by adding a waiting time before transactions flagged as high risk are executed.
Addressing the threats
Understanding the types of threat companies face is only the first step in safeguarding the organisation – businesses also need to have measures in place to address the possible threats. Sharman says the three key risk areas that need to be addressed are identities, user access and security configuration.
“With the rise in threats around mobility and cloud, it is however also essential to put additional security measures in place to protect the overall solution environment, including people and processes,” he adds. “Taking control of your solution environment means that you need to extend the boundaries beyond the core areas to include infrastructure, database, operating system and connected applications. Only by securing and mitigating risk in the full solution stack and surrounding IT environment can you truly be in control of your organisations data, IP and resources.”
The CIA triad
In the security industry, the acronym CIA is used to outline three key components of information security, namely confidentiality, integrity and availability. This may be referred to as the CIA triad or the CIA principle. These three principles should be guaranteed in any kind of secure system.
Carl Sharman, Director, Financial Advisory at Deloitte, explains the attributes of the three areas and the types of threat that can arise in each of them:
Confidentiality – protecting an organisation or individual’s information. Threats include:
- Data breaches, in which confidential information leaves an organisation in an unauthorised way.
- Non-compliance with GDPR.
- System compromise, leading to accessing confidential information.
- Segregation of duties/access issues in which conflicting or critical access provides access to confidential information.
Integrity – ensuring something performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorised manipulation. This includes both system integrity and data integrity. Threats include:
- Non-compliance with GDPR from a data integrity perspective.
- Disaster (eg malware loaded onto SAP servers could manipulate business data and transactions).
- A lack of clearly defined business processes and controls resulting in unauthorised or partial transactions.
- The ability of users with privileged access to bypass processes and controls.
Availability – making sure systems that support critical business processes are available 24/7. Threats include:
- Systems compromise, meaning employees/clients can no longer access the system.
- Environmental events leading to power outages.
- Denial of service attacks, achieved by sending a specific set or high number of requests to a server so it stops responding.
- Incorrectly designed or provisioned access rights, resulting in a system being unavailable for end users.
In practice, companies may not give all three areas the same level of focus. Joseph Krull, Senior Analyst – Cyber-security at Aite Group, notes that while everyone understands the need to protect confidentiality, “what we don’t understand is that we’re also charged with the integrity of the data. So we don’t want people changing data to be able to hide things or manipulate capital markets. And when it comes to availability, if you can’t get to the data, the data is useless. If you can’t get to your systems, you can’t conduct business.”
What can treasurers do?
While responsibility for this area can be held by different job roles in different organisations, it’s clear that treasurers have a particular need to protect the organisation from the risk of cyber-attacks. This should include having suitable policies, processes and controls in place.
For example, Sharman says treasurers should focus on the following points in order to mitigate the risks:
- Ensure the necessary controls are embedded in treasury processes.
- Review and manage privileged accounts and privilege escalation.
- Monitor processes and transactions to detect anomalies.
- Review and manage system access and segregation of duties.
- Segregation of duties lifecycle management.
- User access management.
- (Controls) business process controls design and implementation.
- (Data) continuous control monitoring.
While it’s important to be able to mitigate the risk of cyber-attacks and detect any fraudulent activity, the ability to respond appropriately to any attacks is also essential, as Sharman points out. “While the ability to detect attacks on your information is key, being able to respond effectively is often the real differentiator between an incident being a line item on a management report and potentially being front page news,” he warns.
And beyond key treasury processes and controls, treasurers may also have a role to play in building awareness of cyber risks both within treasury and across the organisation, as well as ensuring appropriate training is carried out:
- Phishing exercises. Krull says that any organisation should be carrying out phishing exercises, whereby employees are sent simulated phishing emails. “In the first instance you do this company wide and see what percentage of the total employees clicks on the email,” he explains. “I’ve seen some companies where 50-60% of employees have clicked. But the real goal is to catch the repeat offenders – so if an employee clicks on two different phishing exercises in a row, you immediately move them out to specialised training.”
- Training. Training should also be deployed to teams that are particularly at risk of falling victim to a cyber-attack. Procurement, for example, interacts with vendors and could therefore fall victim to malicious requests to change vendors’ bank account details. Likewise, Krull points out that no one should be permitted to make ACH transfers or B2B payments without completing mandatory training on the proper processes and thresholds.
Krull also warns that when consumer products companies launch innovation programmes and digital initiatives, it’s important to make sure the security implications of those initiatives have been fully assessed. “If I’m a treasurer or financial controller, I want to make sure that the security team or a trusted third party has had a chance to review those initiatives before they get into the mainstream,” he says.
How can technology help?
Deloitte’s Sharman notes that while technology can act as a catalyst for improving processes, “every technology requires a human intervention at a minimum, to start and finish it. The human intervention is often the weakest link – and the quickest to fall – and many incidences blamed on ‘system failure’ are often instigated this way.” Sharman cites the US$81m loss suffered by Bangladesh Central Bank in 2016, noting that this included “the possible involvement of some of the employees.”
Despite this caveat, Sharman says there are a few areas where technology can make a big difference – such as “creating a security baseline (a minimum set of security requirement for your most important applications), as if you can’t access it, you can’t exploit it.” He notes that the principle of segregation of duties is “based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department.” Sharman notes this ruleset is “the most critical component that impacts how access risks are identified and managed within the security design.”
Sharman also notes that malicious source code is the source of security issues, adding that “this technological input can be both solution-orientated and preventative.” While he says that code review – especially of custom code – is a time-consuming process which is not feasible without the use of tooling, “code reviews help to identify these errors and prevent misuse”, using specialised software to extract the custom code and automatically analyse it for insecure programming constructs. Sharman says the results of the scans are then collected and further analysed, with manual validation performed to filter out false positives and observations that do not possess any relevant risk.
Treasury technology and security
Where treasurers are concerned, the selection of technology partners should be carried out with close attention to security.
“Treasurers should select treasury technology partners that will ensure the safety of their data and treasury operation,” comments FIS’ Bateman. “Before partnership agreements are made, treasurers should ask technology providers to demonstrate their expertise and commitment to the security of the chosen solution, as well as explaining the role the vendor will play in advising and protecting the client.” He notes that FIS partners with “leading industry and key governmental security and enforcement agencies to capture, analyse and assess threat intelligence to help defend ourselves and our clients from cyber-attacks.”
Looking forward, the FIS Treasury Modernization Survey predicts that “Adoption of cyber risk technology will grow in conjunction with cloud solutions”, with companies that seek cloud solutions expecting providers to package cyber risk prevention technology within solutions.
While the issue of cyber-attacks continues to present a considerable threat for companies around the world, it’s clear that for many treasurers there is more that could be done to address the risks. “Cyber risks response requires discipline and rigor that are unfortunately often missing,” says Masquelier. “Treasurers should remain prepared as the worst to come is never far away.”
While overall responsibility for this area may be unclear in some organisations, there is much that treasurers can do to protect their own processes, systems and activities from the risks. As Deloitte’s Sharman warns, “Vulnerabilities will always exist, and you do not want your treasury solution to be your weakest link.”