According to a recent survey of corporate treasurers and finance professionals, the risk of payment fraud/cybersecurity is the most feared operational challenge. What’s more, the survey suggested it’s a rapidly growing headache – the number of respondents who identified it as a major threat increased by 14 per cent year-on-year.
Are treasurers right to view cybersecurity as the major risk? Absolutely yes, they are, according to Bart McDonough, CEO of managed IT and cybersecurity specialist Agio, which works closely with financial services organizations – not least because the threat environment is rapidly changing.
“If we go back 15 years, the macro threat in cyber security was very different,” comments McDonough. “We’ve progressed from cyber activism and cyber vandals, because cyber criminals started realizing they could monetize cyber-attacks. They worked out that they can take their activities and really turn them into revenue-producing activity. While they still attack health records, for example, the focus moved to how they could get money quickly and easily.
“At the same time, they realized that finance professionals are great targets because they either have direct access to the money, or they’re a conduit for it. That’s why this group of individuals is so targeted. If you combine that threat intelligence with the idea that, if you exclude the top 10 banks, the rest of the financial services industry, from a multi-billion dollar hedge fund all the way up to your larger sell-side institutions, sometimes their cyber security departments are either non-existent, or they might have two or three or five people. Everyone wants to talk about Citi or Bank of America, how they’re led by former FBI agents, and they have 1,000-person cyber armies defending them. That’s the rare exception. So, you have this target that is very rich from a financial standpoint, but barely protected from a cyber resource standpoint. That’s why the cyber threat is so real.”
Despite this rather concerning summary of the latest threat landscape, McDonough says treasurers needn’t panic.
“I always say that cyber-attacks are like playing the lottery without having to buy a ticket – you would if you could. Attackers just keep on playing. If you start making it harder for them to get a free ticket, they move on. If you can make it hard enough for attackers, they’ll turn their attentions elsewhere. If you can make it just one step harder than the next institution, you’re going to be that much safer. There is a game that is played – you see it on the hacker chat rooms – where once they reach a certain degree of difficulty, they simply move on to their next target. In medieval times, that was about having a higher fence than your neighbor! Incrementally improving your defenses exponentially decreases your risk profile.”
Taking that analogy, what can treasury departments do to increase the height of their proverbial fence?
“One, I think they need to have really rich intelligence in order to understand the threat,” explains McDonough. “They also need end-user training so they understand how threat actors will approach them, whether that’s phishing or whatever. That’s the baseline. If you know you’re walking through a neighborhood where there’s a high history of pickpocketing, you’re going to take defensive actions. If you’re not situationally aware, you’ll leave yourself more open to crime.
“Next, let’s practice good basics. Let’s make sure that there’s multifactor authentication enabled on all systems. At one point this year, we had dealt with 17 different cyber breaches for an organization. All 17 would have been prevented had the organization enabled multi-factor authentication.
“Then, we need to make sure that systems are patched in a very timely manner. There are all kinds of statistics out there about the number of breaches that occur as a result of poorly patched systems. Just those three things will provide treasury departments with much greater security and will encourage the threat actors to move on.”
Given that much of the above involves people – and security is only as strong as its weakest link (person) – how does McDonough think organizations can go about instilling a true culture of cybersecurity?
“I think communication is key,” he says. “If you asked people to write down what they need to do in order to be cybersecure, they would generally know what to do. It’s like health. People know they need to eat fruit and vegetables, sleep better, exercise more and so on. However, what fails is the implementation. If people don’t understand the risks, they won’t take care. So, making them aware of the risks through communication is vital. To me, it’s less about knowledge and more about motivation. And I think we’re seeing the shift in the industry, where we move away from cybersecurity education and awareness, towards real threat awareness and so on.
“Over and above communication, there needs to be a considerable amount of testing, what we call Red Team exercises, penetration tests, phishing tests. You need to test the controls you have to see how effective they are on a regular basis.”
McDonough continues: “As a treasury department, you can hire a social engineering group to just test your users. Are they susceptible to getting tricked on a phishing email? Or are they susceptible to falling victim to a phone call where someone pretends to be someone else? You can test these things, and then use the results of those tests to help educate your group.
“It’s worth noting that this motivation needs to be company-wide, although clearly treasury is central, because it’s such a conduit to critical information. Sometimes we deal with large organizations and they say, listen, we have budget to educate 200 users, who should we prioritize? And Treasury is often the winner, along with some of the other groups that control sensitive data or have access to capital.”
Seeking cybersecurity expertise
Given the size of the threat and the well-publicized pressure on resources, treasury teams are increasingly turning to external vendors in order to shore up their cybersecurity. How can they, as non-professional tech and security buyers, ensure they end up with the right vendor?
“I think they need to understand the technology, and the service,” says McDonough. “When you have a construction project, you don’t go to the tool manufacturer, you go to a general contractor, and they pick the best tools for the job based on their experience. What we encourage people to do is focus on the service and on the people that know cybersecurity, particularly the threats. I don’t care how good your internal team is, one of the challenges of having these services in-house is a lack of environmental awareness. We, for example, see the threat profile across hundreds of clients. When we notice a threat trending for some of our clients, we’re able to provide protection to all our clients.”
McDonough suggests that there are a series of questions an organization can ask when selecting a vendor:
- What is the environmental awareness that a vendor can bring to you?
- Do they understand your business?
- Do they speak your language?
- Do they understand the culture of the demands?
- Do they know your vertical?
- Do they fully understand treasury, your workflows and your systems?
It’s clear talking to McDonough that the cybersecurity challenge is only going to increase, but he concludes by saying that treasurers needn’t feel overwhelmed to the point where they just give up.
“At the end of the day, treasury teams can’t let perfection be the enemy of progress. They need to take incremental steps. The reality is that a little bit of improvement can go a really long way. Yes, it might be very difficult to fully stop the most sophisticated, advanced attackers, but that doesn’t mean we shouldn’t try.”