Continuing our look at cybersecurity in treasury, we speak to James Richardson, Head of Market Development – Risk & Fraud, Bottomline Technologies about why effective threat defence involves a mix of people, processes and technology.
As we’ve discussed on The Global Treasurer recently, cybersecurity is a major worry for treasury teams – with good reason 78% of treasury organisations say they were hit with payment fraud in 2017.
While many organisations are turning to tech to fight the growing cybersecurity threat, this is just one part of the multi-faceted approach needed, according to James Richardson, Head of Market Development – Risk & Fraud at Bottomline Technologies.
“You can’t rely just on technology,” he says. “General education is vitally important in helping people know what to do – there needs to be a general attitude to shouting abut something that doesn’t look right. For example, the culture has to be in place that makes it OK to question a transaction and double check.”
For this to happen, teams need to be aware of the risks, says Richardson, who goes on to add that this begins with ensuring processes and controls are robust enough – and sufficiently up-to-date.
“If you haven’t looked at your controls for more than a year it’s worth looking at them. You can’t fall behind the curve because it’s really hard to make lost ground back, given the rapidly evolving threat landscape.”
According to Richardson – and the results of a recent Bottomline sponsored survey – control and education are where treasury is starting to make real strides when it comes to cybersecurity. Indeed, this is leading to increasing corporate confidence in security, the survey suggested. While practitioners consistently feel that the threat of fraud increases year-to-year, many also indicate increasing confidence in their security controls.
However, the survey found that treasury is slow to embrace the tech element of cybersecurity, as Richardson explains. “People are feeling more comfortable about them. Interestingly, the bit that hasn’t caught up is the adoption of technology. It’s definitely an emerging trend, but it hasn’t quite caught up with the other elements of cybersecurity yet.”
Traction is still understandably far behind more established security techniques according to the survey. For example, while 91% of organisations were leveraging physical tokens such as key fobs or USBs when accessing payment systems, only 12% employed biometrics and 21% used tokenisation.
On the banking side, where new security practices tend to be implemented fairly quickly, biometrics saw use across 25% of the population and tokenisation by 46%. But while the use of both biometrics and tokenisation is subdued compared to other security techniques, keep in mind that these components are still relatively new entrants to the security landscape.
As we’ve discussed earlier in our cybersecurity series, there appears to plenty of reliance on Blockchain to boost banking and payment security. However, Richardson says that this focus is concerning.
“I worry that as soon as someone starts talking about blockchain, all the issues will go away. Yet, there’s not widespread adoption. If treasurers are to rely on blockchain it could be years away. If they don’t close gaps in the meantime they’ll suffer. That worries me. Yes, it’s an it’s an interesting space to look at – we’re all looking to see if it will deliver on its promises at scale – but it’s not there yet.”
This leads us on to another of Richardson’s major concerns – that too many treasury teams risk behind left behind by failing to adopt technology – or waiting for technology to sort it out for them.
“If you were to think of fraud as a balloon, it’s getting squeezed into the laggards. The leaders who are adopting technology and taking this seriously, rightly feel that they are in a good place. They’re identifying problems early and stopping them.
“If you’re at the tail end of the movement the problem will get exponentially worse. You will become the bigger target. By definition, it will be easier to spot those who get left behind. At the very least, you must keep up with peers.
“Fraudsters are making a business of cyber attacks,” concludes Richardson. “If you’re the one being left behind you’ll feel the pain the most.”