A recent survey of corporate treasury and finance professionals found that cybersecurity was the most feared operational challenge. According to the TD Bank poll, along with payment fraud, cyber risk is the thing that’s keeping treasurers awake at night. But what are the main risks causing the sleepless nights?
Andrew Beckett, MD of Cyber and Investigations at Kroll, the corporate investigations and risk consultancy, says: “Treasury departments are no different to any other business in terms of the threats they face – what changes is the objective and the determination of the attackers.
“‘Slick’ Willie Sutton, the prolific US bank robber from the 1940s and 50s, was famously asked why he robbed so many banks, and his response was ‘because that’s where the money is’. Treasury departments are targeted for the very same reason, by individuals wanting to get money, by more determined organised crime gangs as part of a systematic campaign, and by Nation States trying to accumulate foreign currency (notably North Korea and Iran, for whom sanctions are making access to foreign funds increasingly difficult).”
Andrew points out that the main avenues of attack include:
- ‘Zero-day’ vulnerabilities: Modern software can be made up of hundreds of thousands of lines of code, and there can be problems in the code that are unknown to the developers, but which are discovered by hackers. They can attack a system using a zero-day vulnerability before the developers know it exists, and before they can fix the problem. Fortunately, these are relatively rare but they are traded on the dark web for significant sums of money and therefore tend to only be used in the biggest of attacks.
- Unpatched systems: Where the manufacturer of a system develops a security update (a ‘patch’) for software, the patch has to be applied to be effective. If a patch is not applied, the vulnerability that the patch addresses remains. Patches are sometimes not deployed because they cause other problems for an organisation’s systems, but more often because the person responsible for updates is testing the effects of the patch or is not available (for example on vacation), or because the availability of a patch is not known.
- Successful phishing or social engineering: Unfortunately, some phishing attempts or related forms of social engineering are so well designed that employees or vendors reveal their access credentials to criminals. This is a common form of attack in Business Email Compromise, which is used to misdirect funds in payment of invoices.
- A weak device in a network: With everything from light bulbs to video cameras now connected to the Internet (and making up the ‘Internet of Things’), these devices can open a vulnerability into a network. Some of those devices have fixed access credentials that cannot be changed, so that their presence in a system may represent a back door waiting for a hacker to attack it.
- Human error: In some cases, the vulnerability that gets exploited to carry out the intrusion is caused by a mistake. A systems administrator misconfiguring a server is an example.
Insider cybersecurity threats
Another major cybersecurity threat facing treasury departments is the insider threat.
Mark Rodbert, CEO of identity access risk firm idax Software, points out: “With an estimated 90% of tech crimes being committed by employees, one of the main cybersecurity threats facing financial services organisations is insider threat.
“Most data breaches are simply about access and opportunity. 75% of employees say that they have access to data they shouldn’t and 25% of employees are willing to sell data to a competitor for less than $8,000. Critically, the threat from insiders is often overlooked, as organisations focus their defences on stopping attackers from getting in. Treasury departments are particularly vulnerable as they represent a rich target within any company.”
Tom Martin-Ball, Security Sector Manager at Alcumus ISOQAR, a UKAS accredited certification provider, adds: “The greatest risks are the ones you don’t think about. Cybersecurity is often portrayed as a fortress under attack from outside, creating a false impression of real risks. In fact, most risks are ‘inside jobs’. It stands to reason that employees within your organisation are a bigger risk; these are not always a result of malicious actions, however, threats can often be the result of ignorance, bad training or poor organisation. This can commonly be more difficult to identify as someone within your organisation who has made a mistake might not notice until it’s too late.”
As well as cyber crime becoming more prevalent, James Richardson, Head of Market Development – Risk & Fraud at Bottomline Technologies, points out that attacks are becoming ever more sophisticated.
“The growing threat is the far more highly customised fraudulent attempts taking place on organisations with treasury departments,” he says. “Five years ago, we’d be laughing at the emails from Nigerian princes promising riches – we got that. However, the fraud market has moved on massively, to the point where it’s now a business within its own right. Fraudsters have their own sales and marketing departments using social media to identify high profile targets within treasury departments. For example, they’ll use Facebook to learn if someone’s on holiday.
“Today, fraud is all about customised attacks. Criminals are thinking about their audience and becoming cuter. That means attempts can go unnoticed. Fraudsters are making requests look normal – it mirrors the usual flow of communication within a treasury department.”
Richardson continues: “In response, treasury needs to be able to recognise this. Reports detailing the transactions that took place earlier in the day are too late. From a tech perspective, technology exists now that will help treasurers detect what abnormal transactions look like, before it’s too late. Profiling, machine learning and so on will help them know about fraud before it leaves the door.
“In a market that’s all about faster payment this is of paramount importance. It’s also harder than ever to recoup payments, which makes prevention vitally important.”
Don’t miss: Part 2 of our look at cybersecurity will discuss how the risk can be managed.