Criminals thrive on turmoil, so it should come as no surprise that treasury exposure to cybercrime has increased over the course of this year. The latest Journeys to Treasury report produced by BNP Paribas, EACT, PwC and SAP refers to an upsurge in electronic fraud, with one contributor advising corporates to stress test their business continuity plans to mitigate the impact of a successful cyberattack.
This represents an acceleration of a trend highlighted in the 2019 AFP cyber risk survey, which found that 88% of corporate practitioners’ organisations had been targeted by cybercriminals over the previous 18 months.
When it comes to preventing cyberattacks, identity and access management is vital. Detection modules in treasury management systems detect anomalies in account use, for example if an unusual request is made.
Another basic control principle is ensuring that the endpoint of the user connecting into the cloud system is encrypted across the network, explains the Chief Information Security Officer at treasury management solution vendor Kyriba, Eric Adam.
“If a user is connecting from a public space, an attacker would be able to listen to all the network traffic using security software tools and if this traffic was not encrypted they could analyse it for password and account information,” he says. “We are therefore constantly refining our encryption technology, running penetration and network tests and assessing the vulnerability of individual devices.”
Many organisations have different levels of control so if an attack was made on an internal business system it would not affect the applications they host or allow the attacker to extract data from these applications.
“Application level security is vital to ensure treasury applications are not vulnerable to attack,” says Adam. “However, regardless of how the corporate structures its cybersecurity system, consistent policies are enormously important. If your business solutions require 15 character password access you want to keep this as consistent as possible across all applications.”
A survey of IT professionals in the US, UK, France and Germany conducted by Tanium Security found that 90% reported an increase in the frequency of attacks after shifting to a distributed workforce. Visibility of new devices; overwhelmed IT capacity due to virtual private network (VPN)requirements; and increased security risks from video conferencing were the top three security challenges identified for staff working from home.
According to Martin Schlageter, Head of Treasury Operations at multinational healthcare company Roche, working from home in itself doesn’t make it harder to protect treasury teams from cyber threats. However, he says, it does require different solutions (for example, highly sophisticated web application firewalls) as the existing measures don’t scale to such an unprecedented increase in traffic and remote working.
“Firewalls and anti-virus protection may not be up to scratch on home PCs, so employers should ensure that only approved and tested communication devices are used for business and that these devices are not open to use by other family members,” says Len Jones, Senior Accountant at property services firm Wincham Group.
Adrian Rodgers, Director of treasury consultancy ARC Solutions observes that corporate IT departments have spent a lot of time and money on creating hermetically sealed, safe computing environments for employees. “Staff using their own machines in shared space with family members is not going to improve the security situation, but this is not really the vendor community’s problem,” he says. “Responsibility for the development, propagation and validation of safe work from home practices lies with corporate IT departments.”
In the office, treasury professionals will be protected by the corporate firewall and their IT colleagues will often be in close proximity, so if they receive a suspicious email, for example, they can quickly check if it is genuine. The networking equipment they use provides a further layer of protection. However, when they are working from home they will be using different routers and have different software controlling their devices’ hardware, while their physical separation from IT staff makes them more vulnerable.
The first step for a corporate looking to boost its cybersecurity is ensuring it has enough VPN connections so that when staff connect remotely they are doing so through an encrypted private network. “They should then ensure that laptops and other devices being used at home are updated by the IT department,” says Adam. “Making IT staff available to answer queries promptly is important, as is phishing training to prevent employees downloading malware.” Jones says most potential cyber threats can be identified by a robust risk assessment, which will show the risks facing the overall organisation and its treasury staff. “It is clear that employee behaviour and IT literacy have a crucial role to play,” he says. Corporations need to build resilience to constant cyber threats while still being able to operate. Knowledge is the key and many large corporates have employed ethical hackers to penetrate their internal systems and operate as audit and assurance police.”
A common form of attack is social interaction, which can lead to identity theft. Hackers may also impersonate CEOs or people in senior positions and use language which causes the recipient to initiate a payment. “Even with additional layers of authorisation this can be problematical as hackers may have access to other co-signatories on the accounts,” says Jones. “Criminals will also hack into client emails and impersonate the business in order to have the corporate pay them rather than the legitimate company. Multi-step verification processes and internal controls are crucial here so that no one person has complete control of the payment process.” Another step corporates can take to improve their cybersecurity is to establish protocols around how email addresses are structured so that phishers can be identified. Given the level of fine that can be levied by the ICO, companies should already have robust controls in place to protect sensitive information.
Cultural organisational issues should be at the forefront here because data is a resource that has value and must be protected. User behaviour must also be modified so that apps and programmes are not downloaded indiscriminately, while the usual internal controls regarding passwords and user access (including past employee access) is essential.
When asked how treasury cybersecurity technology vendors keep pace with the evolving threat from cybercriminals who are constantly developing new methods of attack, Adam explains that it starts with analysing the types of attack that are made to get an understanding of what the cybercriminal is trying to achieve.
“We also ensure that only permitted communication is allowed between different corporate systems, which links back into the issue of access control,” he adds. “When we analyse major cybersecurity breaches, we can often trace the source to non-observance of a basic principle.”
The authors of the Journeys to Treasury report observe that while treasurers rarely ‘own’ responsibility for cyber risk, they can play a major role in preventing attacks, given the sensitivity of the data and scale of financial transactions and holdings managed within their departments.
It would be unusual for treasury departments to have dedicated cybersecurity systems or processes distinct from those of the wider organisation. However, because these departments deal with a small number of high value transactions they are at particularly high risk of attack.
Schlageter suggests treasury systems not only require much stricter controls than most other information systems, such as ensuring the identity of the user and mapping every action and connection to that user and device. “Due to the potentially high financial loss in case of a system breach, they also require dedicated cybersecurity systems for security incident and event monitoring,” he says.
“We expect treasury cybersecurity technology vendors to keep up with evolving threats by running a security lab with full-time security researchers and offering professional services such as security penetration tests and consultancy as well as participating in and running security conferences,” he adds.
Stephen Lane, Chief Financial Officer at mechanical engineering firm Xtrac, reckons any business would be well advised to look at cyber security in ‘the round’ while acknowledging that there may be certain nuances required to protect the financial elements of the business. “The role of the chief technology officer/chief information officer has been rapidly evolving to ensure that businesses invest appropriately in modern equipment and security that offers suitable protection,” he adds.
“There are certainly opportunities for cybersecurity vendors, but I think there is also a very clear opportunity for proactive management of a company’s IT estate such that protection can be developed as efficiently as possible within a pragmatic and financially sensible framework.”
The challenge for corporates is how to take a more focused approach to treasury if their cybersecurity processes are applied uniformly across the whole organisation says Dino Nicolaides, Managing Director, Head of Treasury Advisory UK&I at Redbridge Debt & Treasury Advisory.
“I have seen clients address this issue through stricter processes,” he says. “For example, some treasury departments are not allowed to accept payment instructions via email, even if the authorisation appears to come from the very top of the organisation. This would require payments to be verified by phone.”
In other cases the corporate might impose a policy of not accepting payments made to a supplier that is not already onboarded on the system, or insist on a pro-forma being provided before any invoice is submitted for payment.
Of course, in the pre-coronavirus era a payment instruction could often be verified in person. With so many treasury staff working from home this is no longer possible, although Nicolaides says corporates have responded by reviewing cybersecurity processes and procedures to tighten controls around remote access. “This remains a work in progress, but progress has been made.”
Nicolaides believes corporates are making greater efforts to keep treasury staff updated on potential cybersecurity vulnerabilities.
“Treasury cybersecurity technology vendors react quickly when new forms of attack emerge and we have noticed an increase in attempted attacks since the start of the pandemic,” he says. “Corporates have been more proactive in reminding their treasury staff of the main threats and risks and the techniques used by cybercriminals to ensure they remain alert and don’t ignore suspicious activity.”
Rodgers offers some reassurance for corporate treasurers by suggesting that banks’ systems now incorporate many of the lessons learned from decades of experience in producing payment systems and portals.
“For treasury, multi-level approval layers – tailored to the risk involved – will underpin a robust control environment,” he concludes. “It is probably even more important to create and widely publicise the payments rulebook in order to avoid the dangers of ‘Friday afternoon’ fraud and similar social engineering attacks.”