Cyber-security has raced up agendas in boardrooms globally over the last few years as organisations pursue digital transformation but struggle to cope with security issues generated by new technology and processes.
A recent World Economic Forum survey of 12,000 executives in 140 countries found that cyber-attacks were the top concern for businesses in Europe, Asia and North America. An Accenture survey of 1,700 CEOs and C-suite executives, meanwhile, reckons cybercrime could cost companies US$5.2trn over the next five years unless significant improvements to internet security are made.
The cost of being compromised may not be just financial. There is reputational damage to consider; attacks may target intellectual property or customer data; and firms can be fined by regulators for security failures.
Corporate treasurers as guardians of their companies’ finances, intellectual property and customer financial data are highly exposed to attack by hackers. While learning to cope with the rapidly evolving cyber threat landscape may seem daunting to treasurers, Jan De Blauwe, Chief Security Officer at BNP Paribas Fortis, and Jan Dirk van Beusekom, Head of Strategic Marketing at BNP Paribas Cash Management & Trade Solutions, assure that, based on BNP’s own efforts in developing effective security for both itself and clients, cyber-resilient treasuries can be realised via strategies that are neither costly nor difficult to implement.
Understanding and appreciating the clever techniques hackers use is a key starting point. There are plenty of examples now of firms falling foul of identity theft, false instructions and spoof emails that fool treasurers into executing financial transfers. “To help minimise such a risk firms should adhere rigidly to dual payment approval processes, beneficiary account controls and always be circumspect with regards to authenticity in communications that aim to trigger transfers. Vigilance is key,” says van Beusekom.
Direct attacks on firms can come in many flavours but an arguably even more cunning strategy employed by hackers involves infiltrating vendors for major firms being lined up for attack first. The 2013 data breach of US retail giant Target is a classic example of this type of attack. Using credentials stolen from a third-party HVAC vendor, hackers gained access to Target’s computer gateway and customer service database. Malware then captured full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data.
Along with affecting 41 million customer payment card accounts, the breach affected contact information for more than 60 million Target customers. As well as suffering reputational damage, the breach cost the company US$18.5m in settlements.
Van Beusekom says a powerful way for organisations to mitigate such intrusions is to segment their computer networks so that each one is visible only to users who have the appropriate access rights and is not visible to unauthorised users. Unlike the ease with which they comprised Target’s easy-to-penetrate “flat networks”, hackers who take on segmented enterprises are confronted with a series of “locked doors” that present increasingly more secure barriers, with the most sensitive data benefiting from the most vigilant defence tools.
De Blauwe says such strategies require firms to develop “risk-based, zero-trust” approaches to cyber-security, with a range of customised solutions that depend on the level of protection needed for data sets rather than the traditional “castle and moat” solutions that rely solely on perimeter defences like firewalls and are unsupportive of today’s mobile and cloud first world.
For both De Blauwe and van Beusekom, the overriding imperative for treasurers is to embrace “co-ordinated defence”. Cybercrime has become structured and organised, so the defence needs to be similarly structured, they argue. As such, IT, finance and the technology partners that support treasury must work together closely to identify threats and weaknesses and resolve them collaboratively.
Van Beusekom is also keen to stress that treasurers need to look beyond payments: “Bank account details, financial and commercial counterparty settlement instructions, employee details and financial data about the company are all valuable assets to hackers. These need to be protected with the same degree of care as payments.”
And lastly, they point out that good training is crucial in order to ensure treasury staff are equipped to fend off evolving cyber threats.
Van Beusekom says banks too have an important role to play in helping treasurers to safeguard their operations and assets, with BNP Paribas itself investing heavily in its channels to ensure they remain robust and cyber-security awareness training for corporate clients.