Cyber-security is an issue that affects companies both large and small – but despite the growing threat faced by companies everywhere, many treasurers do not currently see this area as a major priority within their own roles. Unfortunately, it’s not a question of if, but when, your organisation will be targeted.
PwC’s 2019 Global Treasury Benchmarking Survey, Digital Treasury – It takes two to tango, found that only 15% of respondents said their organisations were not affected at all by payment fraud attempts. Four out of ten said they were affected on at least a monthly basis, with 9% reporting they experience attacks every day.
However, the survey noted that while three quarters of CFOs see cyber-security as a critical concern, only 28% of treasurers do the same. The report suggests several reasons why this might be the case, including a lack of clarity over risk ownership and a perception by treasurers that cyber risk is the domain of IT or finance, rather than treasury. “This is a cautionary finding from this year’s survey that should be a wake-up call to the treasury community,” the report warns.
François Masquelier, Chairman of the Association of Corporate Treasurers of Luxembourg (ATEL), likewise questions whether treasurers are as concerned about cyber risk as they should be. “Cyber-security should keep treasurers awake at night, shouldn’t it?” he comments. “However, I don’t think it does.”
It’s clear that many treasurers do not feel fully prepared to combat a possible attack. The FIS 2019 Treasury Modernization Survey, for example, found that fewer than a third of treasury departments consider themselves to be very effective at managing cyber risk – although this is hopefully changing.
“In 2020, we’ll see more efforts and investments from treasurers and IT to reassess financial operations, identifying potential areas of exposure and addressing those,” comments Andrew Bateman, SVP, Buy-side Solutions, FIS. “The best-protected treasury departments have educational programmes for employees, processes for mitigating fraud and technology from reliable providers with strong security offerings.”
What are the threats?
A key challenge when it comes to managing the risk of cyber-attacks is that the methods used by fraudsters tend to evolve much faster than the measures adopted by their intended victims. Nevertheless, some threats are more prevalent than others, so it’s important that treasurers stay abreast of the latest developments in this area.
“Treasurers have to work with IT and third-party technology providers to stay informed on all types of threats,” says Bateman. “While certain types of fraud, such as cheque fraud, have remained steady, other types of fraud are growing in popularity, including targeted phishing, malware, ransomware, data and identity theft, and others.”
The rise of ransomware
Where today’s threatscape is concerned, Joseph Krull, Senior Analyst – Cyber-security at Aite Group, points out that attackers tend to go for the path of least resistance – and currently, he notes, ransomware is causing particular problems in the US.
In 2018, for example, the City of Atlanta was hit by a ransomware attack that wreaked havoc and disrupted city services. The attack, which left some departments having to use pen and paper to carry out their jobs, hindered revenue collections and resulted in the loss of years of dashcam footage. In May 2019, Baltimore’s local government was targeted by hackers, locking employees out of their computers and preventing local residents from paying bills and taxes. Recent weeks have also seen numerous attacks on school districts and colleges, bringing considerable disruption and closures.
Other high-profile ransomware attacks include the 2017 WannaCry attack, which wreaked havoc on the UK’s National Health Service (NHS) and also targeted Spanish utilities companies and educational institutions in China. And while there were reports that ransomware incidents were declining last year, a report by cyber-security company McAfee found that incidents increased by 118% in the first quarter of 2019.
The recent attacks in the US have cost millions of dollars to rectify – and Krull warns that further attacks are likely. “Ransomware is endemic today,” he says. “As a treasurer, I would be concerned about that – an attack could not only bring the business to a halt, but could also cause the loss of critical data needed to do things like regulatory filings, tax filings and issuing invoices. Ransomware can really ruin your day.”
Beware BEC attacks
In addition, business email compromise (BEC) attacks – in which the attacker impersonates the CEO or other senior officer to convince staff to make a payment – continue to be a threat. The FBI’s 2018 Internet Crime Report found that over US$1.2bn was lost as a result of BEC scams last year – up from US$676m in 2017.
Despite the name, Krull says that this type of attack is not only carried out by email, but can also be issued using other channels such as phone and instant messenger. “Attackers rely on two things for this type of attack,” he explains. “One is a sense of urgency – they will say that the payment has got to be made right away. And the second is that they will impersonate the highest person in the organisation in order to have that horsepower and convince people that they need to do the transaction.”
Krull says that education is the primary defensive tool when it comes to combatting this type of attack. He also notes that banks are taking steps to reduce the risk of loss by adding a waiting time before transactions flagged as high risk are executed.
Addressing the threats
Understanding the types of threat companies face is only the first step in safeguarding the organisation – businesses also need to have measures in place to address the possible threats. Sharman says the three key risk areas that need to be addressed are identities, user access and security configuration.
“With the rise in threats around mobility and cloud, it is however also essential to put additional security measures in place to protect the overall solution environment, including people and processes,” he adds. “Taking control of your solution environment means that you need to extend the boundaries beyond the core areas to include infrastructure, database, operating system and connected applications. Only by securing and mitigating risk in the full solution stack and surrounding IT environment can you truly be in control of your organisation’s data, IP and resources.”