Treasury cybersecurity: Dealing with the growing threat (part 2)
In part two of our look at treasury cybersecurity, we hear from experts in the field how treasury departments can protect themselves from the growing threats.
In part two of our look at treasury cybersecurity, we hear from experts in the field how treasury departments can protect themselves from the growing threats.
It goes without saying that the cybersecurity threat to treasury departments is a growing one. A prime target for cybercriminals, treasury is having to deal with more attacks that are becoming increasingly sophisticated – as we discovered in part one of our look at the problem.
With that in mind, how can treasury departments protect themselves from the growing threat?
According to Tom Martin-Ball, Security Sector Manager at Alcumus ISOQAR, a UKAS accredited certification provider, it starts with implementing a clear strategy, built around being hacked.
“All organisations need strategy and this is based on knowledge,” he says. “A good first step is a Penetration Test (PEN test). In this, an ‘ethical hacker’ attempts to infiltrate your system. There are a variety of these including internally, where they are given access to your network or externally, where they attempt to infiltrate your system without admission being granted.
“Less common are ones where they physically try and gain access to the organisation or ‘social engineering’ by conning their way into getting information. However, beware not all PEN testers are the same. Some are simply lists of open ports and unpatched software, where they don’t give background and context in terms of what these problems mean in practical terms. It’s often worth paying a little extra for these services to ensure you are given valuable information. Plus, it goes without saying but ensure the ‘ethical hacker’ is bona fide.”
Stephen Cockcroft from Cyber Security Professionals adds that treasury departments can effectively tackle cybersecurity by looking at the major threats in turn and devising a response. In addition to the PEN testing mentioned above, this could include:
Fraudulent payments
78% of treasury organisations say they were hit with payment fraud in 2017. This is one of the most common issues facing corporate treasurers and can take many forms. Hackers are sometimes able to impersonate CEOs or authority figures in a business to coerce employees into signing off large payments sent directly to the hackers. Criminals can also intercept emails to clients and even impersonate your business in order to have clients pay them instead of you.
Ways to avoid this include having robust protocols that all treasury staff are aware of on signing off payments whereby payments must always be approved first or pass through a two-step verification system. A way to keep your email communications secure with clients is to inform them of how your email addresses are structured so they can identify discrepancies from phishers.
Stolen data
In the wake of GDPR, stolen or compromised data is one of the biggest dangers to businesses from hackers. Given that the ICO now has the power to hand out fines of 4% of previous years’ turnover or £4 million, whichever’s larger, companies must do everything they can to protect sensitive data to avoid liquidation.
High-quality antivirus software, regularly updated machine software and encryption on all devices are all ways to keep client data safe. Given that 90% of cyber crimes are caused by poor user interaction, i.e. your staff, training in cybersecurity and GDPR awareness is one of the best pre-emptive measures you can take. This will ensure that all staff, not just those in the treasury department will remain vigilant to phishing and viruses and keep a united front against invasion by malicious users.
Cyber insurance
The introduction of GDPR has resulted in cyber breach complaints increasing by 160% and data crimes now feel like a part of business as usual. While you can try your hardest to proof your business against significant danger, hackers are getting more sophisticated by the day. Insuring your business can help with GDPR fines and can protect you against lawsuits from clients whose data has been mismanaged or compromised.
A growing cybersecurity problem facing organisations – and the larger the firm the bigger the potential risk – is that of insider threats.
“Insider threat doesn’t mean that all your staff are maliciously trying to steal your data,” explains Mark Rodbert, CEO of identity access risk firm idax Software. “What it does mean is that your staff are often the weakest link, being vulnerable to phishing, impersonation, or lacking a basic understanding of the risks involved.”
A large-scale culture shift may be the only way to combat the insider issue, moving to a culture where everyone in the organisation – from the CEO to the worker on the shop floor – feels that protecting your data and systems is their responsibility.
“To kick start this process immediate action can be taken,” adds Rodbert. “This can involve the implementation of a solution to analyse access rights to see which employees are most likely to become unwitting threats. This could, for example, look at what access staff have and tells you which of those access rights are unusual compared to their peers, and to the rest of the organisation.
“Through identity analytics, organisations can prevent potential threats or vulnerabilities before they are even on the horizon.”
Technology plays a crucial role in the success of this approach according to Rodbert, who adds that the right tool simply analyses which staff have access to what data, without the need for any background information about the company. The technology provides preventive rather than detective controls – that is, it looks at what employees have access to and what they potentially could do, rather than what they have done.
“I would add that the user interface (UI) of the solution is a critical and often overlooked aspect of any technical solution,” he says. “In order to catalyse the culture shift necessary to tackle insider threat, solutions need to be accessible and easy to use for non-security experts. After all, you can throw all the analytics you want at a solution, but if people aren’t engaging and using the results to make good, informed decisions, there’s really no point!”
Ed Vergalen, Head of Business Development at GOOSE VPN agrees that the inside threat is a growing one. “Many financial institutions or businesses working in the financial sector understandably invest significant sums of money to protect sensitive data, including financial results and other data held in treasury/finance departments. What is surprising, though, is how easily some of these precautions can be undermined by simple acts such as using unsecure networks, public WiFi or even by former employees.
“An increasing trend is management being hacked by employees and ex-employees. Unfortunately, it is fairly easy to learn how to hack a WiFi network for example; all that is required is the hardware, which can cost under £100. Many of the hacks are quite innocent, such as employees who are curious what management is talking about, but it can also become much more serious with some cases of extortion having been reported.
“Whether it’s to mitigate the risk of hacks internally or ensure employees’ data is encrypted when using public WiFi, such as at coffee shops, treasury and financial departments should be using a mobile VPN service. A VPN will encrypt your data when using the internet, making sure it is not easily seen or hacked. Interpol also recommend both businesses and individuals should use a VPN on their devices. It really should be the default stance for businesses across the world.”
Following on from that point, Oz Alashe, CEO of the intelligent cybersecurity awareness platform, CybSafe, points out that training and awareness must be part of any cybersecurity solution.
“Just knowing a threat exists isn’t the same as knowing how to recognise and respond to a threat when it presents itself, and to that end, training and awareness programmes are crucial. Unfortunately, an ‘anything will do’ approach won’t cut it. Reading through a cybersecurity ‘best practices’ manual or attending a one-off session is unlikely to make you or your colleagues any safer. Training that doesn’t consider the way we learn and consume knowledge is never going to work.
“Instead, finance professionals need to turn their attention to modern training and awareness solutions that make proven, tangible differences to behaviour.”
No article about cybersecurity would be complete without raising the subject of blockchain – a digital solution that many think will enhance security. At a recent briefing, Peader Mac Canna, EMEA Co-Head Trade Finance, Treasury and Trade Solutions at Citi told us: “Cyber risk is a big topic, whether you’re talking about blockchain or traditional channels, where clearly there’s much more volume going through. The threat is constant. Blockchain is just like our existing platforms – it’s a chain that’s only as strong as its weakest link. That may not be within our own operating environment, or it may be. If you’re relying on a warehouse manager in some country to update their platform, which in turn connects to a blockchain, you’re still relaying on somebody somewhere to do something.
“The important thing is assessing what the risks are and how important that information is – and then looking across the whole solution to see where it’s stressed, regardless of what that solution or platform is. That’s why we invest very heavily in this space and also in educating our clients because they’re operating on our own platforms and providing information. We also invest heavily in the recovery side, which shouldn’t be overlooked.”
So, while blockchain will certainly help drive transparency and provide records, it seems it’s still only as strong as its weakest link, which leads us nicely into a concluding statement from Andrew Beckett, MD of Cyber and Investigations at Kroll, the corporate investigations and risk consultancy. He says: “The reality is that there is no such thing as 100% protection. That’s why having monitoring in place to detect incidents and quickly respond to them is so important. The evolution of cybersecurity to recognise the realities of the risk is moving in the direction of continuous monitoring, use of data leakage control systems, increased training and awareness and similar strategies.
“All of these steps should be educated by a robust risk assessment which will identify the risks facing and organisation of business unit (such as Treasury) and will allow the focused allocation of defensive resources.”
That seems to sum it up perfectly.
Cybersecurity: Dealing with the growing threat (part 1) can be found here.