Read any treasury journal, blog or website and you will notice that cyber security continues to be a concern for corporate treasurers. Cyber security is not just a payments problem nor is there a simple technology solution. A holistic approach to cybersecurity management requires discipline across several areas including: the governance structure, risk culture, processes, the training and awareness programme and technology control.
Laying the framework for a cybercrime prevention programme rests with strong corporate governance structure. Writing, communicating and auditing clear policies – that define risks and provide guidance on acceptable behaviours – is critical to mitigating internal and external fraud.
Every organisation should have a Data Protection Policy in place that identifies what data is sensitive, and how and where it is stored. The policy should also lay-out roles and responsibilities for data owners and users. Other aspects of this policy can include parameters for penetration testing and intrusion detection. Finally, the policy should explain remediation and disaster recovery plans.
Other key policies that should be considered include the Payment Policy and Counterparty Risk Management policy. The Payment Policy should pay particular attention to how payments are processed and approved. The Counterparty Risk Management policy should require technology partners and suppliers with access to sensitive data (or that help move sensitive data) to have robust cybersecurity programmes in place themselves.
Creating the most effective organisational structure to manage the cybersecurity programme is also important. Establishing a dedicated cybersecurity team is the cornerstone of a robust cybercrime prevention programme.
Creating a culture where the responsibility for mitigating risks around cybercrime is not borne exclusively by IT is essential. Every employee in the organisation plays a role and shares a responsibility for safeguarding the firm’s assets.
Culture can be sculpted by the behaviours and attitudes of the people within the organisation. This typically begins with senior leadership. The board and senior management must raise cybercrime prevention as a serious corporate-wide priority with clear and consistent messaging. Employees should be encouraged to scrutinise payment requests that appear out of the norm or look suspicious. Employees should understand the responsibility they carry and the impact they make on developing a secure environment. Finally, employees should feel empowered to think and question information, transactions and requests that appear suspicious and should never be penalised for attempting to protect the organisation’s sensitive assets.
Greater automation, with less manual touch, mitigates the risk of internal, manual fraud but increases vulnerability to cybercrime as more information and transactions are electronic, digitised and web- or cloud-based. Processes should be reviewed and redesigned (if necessary) at least annually to ensure the latest fraud prevention techniques and technology are incorporated into process and procedures.
Particular attention should be paid to the Procure-to-Pay cycle since most cybercrime has been directed at fraudulent payments. Protecting the supplier’s banking and account information is important to prevent payments being directed to a fraudulent entity. Access to vendor master data should be restricted to a dedicated team responsible for vendor master set-up and management. All changes to vendor master data, regardless of how the request is submitted, should be verified by calling the vendor using the contact information originally stored in the vendor master module. For payment execution, there should be clear segregation of duties between who can request, approve and execute a payment. Dual approvals (or more) are considered safer than a single approver. Payments facilitated through SWIFT in XML format are still considered the most secure. Reconcile all payments daily to spot any irregularities immediately.
Always be suspicious of payment requests that are sent with a sense of secrecy and urgency. Do not hit “reply” to respond to an emailed payment request. Instead, call the sender or create a new email to the sender to verify its authenticity. Be aware that fraudsters can gain a wealth of information about the roles of various people within your organisation and may even know when key payment processors are out of the office. More attempts occur on the days leading up to a holiday weekend when back-up staff may be processing payments and may be less familiar with cybercrime prevention processes.
Training and awareness
Once the appropriate governance structure and processes are in place, employees need to be trained on these procedures. No fraud prevention programme will be successful if employees cannot detect fraudulent activity and know how to respond appropriately. General cybercrime awareness training should be completed at least annually by all employees, interns and all contract and temporary labourers.
Given the ubiquity of business email compromise-related (BEC) attacks, all employees should be well trained on email usage. Only work-related communication and transactions should be conducted over email. Never open any links or attachments in suspicious email as this may contain malware that allows fraudsters access to the email system. Never send passwords or other credentials via email, text message, or chat. Send suspicious emails to IT for diagnostic purposes. Send test emails to employees to gauge the effectiveness of email training and target additional training as needed. Ensure employees know to never use unsecure wifi networks when logging-in remotely.
Another key area for general training relates to the use of computers and other hardware. Ensure that only the IT department can facilitate software downloads on laptops and other devices provided by the organisation. Disable the USB, CD and other ports to add a layer of protection on the device. Or, if USB ports are needed, have IT supply employees with scanned, safe and secure external storage devices. All software should require frequent password resetting and “strong” password requirements (at least 8 alpha numeric characters). VPN, tokenisation and encryption are critical. Passwords and other log in credentials should never be shared among employees.
Up-to-date technology is critical to preventing cyber crime. In general, all software should include strong authentication requirements, IP filters and referrer logs. Fraud prevention also requires a review of data storage – examining where and how data is being recorded and stored and who has access to it.
Fraud detection and obstruction is equally important and requires effective malware detection software. Fraud systems are designed to analyse and self-learn patterns in order to detect fraud and stop it when it slips past the initial preventative measures. This technology has been augmented by the use of Big Data as a tool for identifying anomalous or abnormal patterns indicating suspicious activity.
Work with security technology partners to perform periodic risk assessments and test existing systems for weak access points and remedy as needed. Have a redundancy plan in case of a dedicated denial of service (DDoS) attack. Encrypt all sensitive data at rest and in transit. Ensure firewalls are in place between distinct networks. Consider establishing separate networks, servers, LANs for different parts of your organisation to limit the impact of a successful intrusion.
Bank interfaces and other treasury connections are especially sensitive and should be deeply evaluated. Rationalising bank relationships and bank accounts is a first step in minimising the access points that can be attractive to fraudsters. Consider a 3SKey solution for efficient and standardised communication with your bank partners. Despite recent news headlines, SWIFT and XML format are still considered the safest and most efficient way to send payments. Consider a separate, dedicated terminal for your treasury workstation that is contained to its own network and server. Always contact your bank representative if you are asked to update bank software or log-on credentials via email or via the web.
Maintaining security in the digital world requires more than just the right technology. By viewing cyber security from a more holistic framework, the chances of a successful attack are mitigated. The human firewall is critical, therefore the proper risk culture and training programme is critical. Senior leadership sets the tone with consistent messaging on the importance of shared responsibility when it comes to protecting all of the organisation’s sensitive information, assets and cash.
Director, Working Capital Advisor, Global Transaction Banking at Deutsche Bank
Sign me up
Register for exclusive insights
relevant to your area of
Manage your profile and
preferences to receive exactly
what you need