Rather ironically, it was just the kind of incident that would have seemed right at home in the script of a Hollywood blockbuster. A top film studio cancels a major theatrical release starring big name actors after hackers, who had compromised the studio’s systems, threaten violence in movie theatres. The Obama administration declares it to be a national security issue and blames North Korea for masterminding the attack. So what began as a cyber-breach in a famous Japanese conglomerate quickly became an international incident with the corporate caught in the middle.
Given the scale of the hack targeted against Sony Pictures and the level of negative media coverage, nobody should be too surprised that cyber security is once again back at the very top of the list of corporate concerns. After all, if cyber criminals could breach the systems of a company as technologically sophisticated as Sony – and, as it is rumoured, remain inside there for as long as a year without detection, then surely it could happen to anyone.
This realisation might just lead to a significant change in the way corporates perceive the relative safety of different technological set-ups. Everyone knows that in treasury, adoption of cloud technology has, to date, been hampered by reservations around security. That’s understandable. Tell a treasurer that his or her department’s computer systems, used to move money around, store financial data and manage risk, are going to be migrated to remote data centres accessible over the web, then security concerns are likely to be raised immediately. Local systems are not exactly impenetrable, of course, but there is always a tendency, when so much is at stake, for people to conclude ‘better the devil you know’.
Yet, paradoxical as it might seem, some commentators believe this same technology of which businesses have been so wary, may just be the solution that prevents other companies from suffering the same fate as Sony. This is because, when it comes down to it, cloud services providers know much more about security than the typical company. And given that their whole business model depends on customers trusting them with their data, they always take great pains to secure their services from such attacks. Maybe, then, it’s time for those treasurers who have been hesitant about cloud technology to give it a second consideration.
Putting the security issue aside for one moment, the question must be asked: why has there been such a large influx of cloud-based providers in the treasury services market? When this question is put to various cloud providers with a presence in the treasury space, each has their own unique perspective. They all agree on one thing, however: that the cloud offers a much more cost-effective way for a business to obtain the technology it needs to manage its finances.
“The reality [of a cloud service] is that you are subscribing to it,” says Dave Jones, Cloud Solution Marketing Manager of Hyland, creator of enterprise content management platform OnBase. “You are not spending money upfront, there’s no big capital expenditure. You are not making an investment in your in-house infrastructure, buying servers and hiring new staff. You are essentially outsourcing a portion of your IT.” Better value is also created by allowing companies to tailor their solution to their specific needs with minimal fuss. “You’ve got the ability to turn users and/or functionality on and off, and you can scale the amount of storage they want up and down according to their needs very quickly,” says Jones.
Richard Manson, Director and Co-founder of e-invoicing provider CloudTrade concurs. Offering a cloud-based service does, in fact, have several advantages for a company in this particular sector. Although e-invoicing – and the workflow solutions often deployed in parallel – are not, by any means, a new idea, uptake has been sluggish. Until recently. Back at the beginning of the millennium, when Manson began working in the payables space, the first solutions to arrive on the market were delivered at a cost that priced out all but the biggest multinational corporates. If you weren’t a company the size of Unilever or Shell you might as well forget about it.
But thanks to the cloud, large capital expenditure is no longer necessary in this area and, as such, the pool of companies that can use e-invoicing has grown considerably. “What we haven’t got now is a world where we go in and install software locally anymore,” says Manson. “A company simply pays for the service they use rather than buying a big piece of kit, installing it and having to maintain it themselves.”
Supplier adoption rates have benefited too. Although Manson believes providers will never fully do away with the need to pick up the telephone to on-board some suppliers, CloudTrade and many of its competitors have been able to take advantage of the cloud to bring suppliers on board in a more automated fashion, sending out programmed communications and directing suppliers to self-register if the supplier’s volumes are of too low a level to justify a more supplier specific approach.
So the inexpensive nature of most cloud solutions has, at the very least, helped to level the playing field in the treasury technology space. Once there used to be a huge gap between what the biggest, most sophisticated companies could achieve with their treasury technology and, say, a £100m revenue company based in Manchester, UK. Now, thanks to the cloud, capabilities are much more equal. And there are even, as we will hear in a moment, some areas where functionalities available in the cloud surpass that of traditional, in-house solutions.
Ahead in the cloud
Traditional treasury technology is, by its very nature, bulky and complex. Making modifications in order to address specific problems or challenges can be quite a lengthy, cumbersome process therefore. Take a typical ERP system, for example. These solutions are designed to help businesses create financial statements as well as collect, store, manage and interpret data from a range of other business activities. But what if the treasury department wishes to tailor the technology to pull specific data in order to address a particular problem? If you’re working with a local ERP system, you would probably need to bring in a consultant, and design a customised side-programme to solve the problem. One would be looking at six months to a year, at least, before anything near to a solution is reached.
Solutions in the cloud do not suffer from this disadvantage, says Wolfgang Koester, CEO and Founder of the cloud-based FX exposure management solution, FiREapps. “The depth of actual solutions beyond treasury workstations and ERP systems is a big advantage for any treasury solution in the cloud,” says Koester. In fact, Koester is adamant is that his company would not be able to offer the same quality of analytics around their FX exposures without the cloud.
All treasurers will be familiar with just how challenging it is to get visibility into their various currency exposures around the globe without the right technology in place. Of course, there are some static reports that can be pulled but these, in Koester’s eyes, are rarely of the standard necessary to achieve the desired results. By leveraging the power of the cloud, on the other hand, FiREapps are able to pool data from lots of different sources and then, by applying rules-based data processing and analytics, get them to the answer they want in a much more expedient fashion with little to no internal IT support require.
Cheaper, lighter and more flexible solutions are certainly something treasurers should be in the market for, providing that security is not compromised as a result. And although many cloud-based treasury providers say they are registering less anxiety around the concept of cloud technology from prospective customers than they did a year or two back, the fact of the matter is that, for some corporate professionals, cloud-security still sounds like an oxymoron.
A survey of 613 US-based IT and IT security practitioners conducted by the Ponemon Institute in June 2014 underscores this fact. A substantial majority of respondents (66%) said that by using cloud-based services, their organisation’s ability to protect confidential or sensitive information was ‘diminished’. A further 64% believed that it’s more difficult to secure business-critical applications as a result of their organisation’s use of cloud-based services.
Of course, the cloud industry believes that the reality about security is very different from the common perception. To Koester, for instance, it is utterly unfathomable that any cloud-based business service would be more vulnerable than an in-house platform. It is quite the opposite, he argues. “Our entire business model, and that of all true cloud-based providers, is predicated on the highest level of data security. I think that security, for genuine cloud-based providers, is actually an advantage.”
Chart 1: Does the use of cloud-based services affect the likelihood of a data breach?
Source: Ponemon Institute 2014
A ‘world without walls’
Phil Huggins, Vice President of cyber security experts’ Stroz Friedberg’s London office agrees that most cloud providers, at the least the ones he is familiar from doing business with, take security issues with the utmost of seriousness. After all, like Koester says, any cloud-based provider of treasury solutions that was not cognisant of security issues wouldn’t be in business for very long. A certain amount of “buyer beware” is to be expected though, he explains, especially considering that there are known instances in recent years in which treasuries have been specifically targeted by “pieces of malware”.
Regardless of whether or not they are warranted, Huggins believes that in the long run the shift of business systems to the cloud will not be impeded by treasurers’ security concerns. Sooner or later, he boldly predicts, almost everything that corporates do – especially in their back offices, if not in their production environments too – will be using the cloud in some form or another. This seismic shift, he says, is going to demand a new way of thinking about security from corporate finance professionals.
“Traditionally, businesses have treated themselves like a castle, occasionally letting down the drawbridge for other people when they have to deal with them,” he says. But in the new world Huggins describes there are no walls. “The business is actually in other peoples’ system and the drawbridge is down all the time because of connectivity.” This is not necessarily a bad thing, however. Cloud providers have to automate quite a lot, and manual processes are much more likely to be at the source of a security breach. “So they catch a lot of the problems, purely because they automate so many things,” says Huggins. “That is one of the reasons why all the cloud providers that I’ve dealt with have provided a better level of security than many of the businesses I know of that have dealt with security internally.”
This is not saying that treasurers can now afford to relax when it comes to IT matters. The risks have not gone away, Huggins explains, they are simply manifesting and concentrating themselves in new areas of the IT infrastructure such as the web browser. That the web browser is one of the most hacked parts of any computer is something of which treasurers should take note.
“The web browser and the browsing habits of treasury staff suddenly matter a lot,” he says. “Traditionally, malware might come in through some malicious web or email route to target a treasury application installed locally. Now there is effectively one less step. In terms of security, it is about understanding, clearly, that the PCs that the treasurers use and the user accounts they have within the business are high value targets. Where they prioritise their security activities in terms of managing risk, in terms of monitoring issues, they are a high value asset that the organisation needs to spend some time thinking about.”
Is the future still in the cloud?
Back in 2011, in the aftermath of the first high-profile hack to which Sony fell victim, there was much speculation about whether such incidents would cause businesses to rethink plans to move to cloud-based computer systems accessible over the web. The Wall Street Journal, no less, ran a story with the headline “Sony hack casts cloud over cloud computing”. And they were far from being the only media outlet to ponder the future of the technology at the time.
Yet it is notable that in the aftermath of the latest Sony hack there has been very little of this kind of talk, despite the incident being far greater both in terms of its scale and its severity. It shows, perhaps, just how far we have come in the past few years.
Cloud computing is now no longer a radical, esoteric technology existing on the fringes of the corporate world. Of course, there is still a degree of reticence amongst some corporate professionals to the cloud, as recent surveys demonstrate. But increasingly it is entering into the mainstream and, as it does, one would expect these fears to continue being quelled through experience.