Technological evolution has become necessary to ensure companies remain relevant, efficient and capable of absorbing high volumes of business.
However, with cybercriminals becoming more sophisticated and determined by the day, the need to put in place relevant controls and preventative measures is pressing.
We need look no further than the two recent ransomware attacks to see the devastating potential of cybercrime.
The WannaCry attack in May spread to more than 100 countries. In the UK, 61 NHS bodies fell victim to an attack that immobilised entire networks, and FedEx in the US and Renault in France were hit too, among others.
In June, the Petya virus hit infrastructure and transportation companies. Seemingly originating in the Ukraine and targeting gas, oil and shipping companies, it hit corporates in Russia, the Netherlands, Norway and the US.
The weakest link in an entity’s operations can bring an entire organisation to a halt, affecting anything from supply chain to manufacturing to banking.
So where do cyberattacks come from? Insider attacks usually originate with people who have access to security and transactional systems, and who have the potential to redirect funds, gain confidential data and commit fraud. They may be trusted and valued individuals.
IT security technology in many companies can use behavioural analysis to establish anomalies such as unusual log-in times, and to evaluate audit trails, including asset-tracking and looking at the originating IP address and location of unusual transactions or communications.
These techniques can be deployed to identify attempts at sabotage, data theft or deliberate destruction of data.
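A minimal sketch of the behavioural check described above, added here as an illustration and not taken from any product: it builds a per-user baseline of log-in hours and source IP addresses from past audit-trail records, then flags new events that fall outside it. The record layout, user names and addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail records: (timestamp, user, source IP, action).
HISTORY = [
    ("2017-06-01T08:55:00", "a.patel", "10.20.1.15", "login"),
    ("2017-06-01T10:10:00", "a.patel", "10.20.1.15", "payment"),
    ("2017-06-02T09:02:00", "a.patel", "10.20.1.15", "login"),
    ("2017-06-01T09:30:00", "j.moore", "10.20.1.22", "login"),
    ("2017-06-01T13:15:00", "j.moore", "10.20.1.22", "payment"),
    ("2017-06-02T17:20:00", "j.moore", "10.20.1.22", "login"),
]
NEW_EVENTS = [
    ("2017-06-20T09:05:00", "a.patel", "10.20.1.15", "login"),
    ("2017-06-20T02:40:00", "a.patel", "203.0.113.77", "payment"),
    ("2017-06-20T18:10:00", "j.moore", "10.20.1.22", "login"),
    ("2017-06-20T13:00:00", "j.moore", "198.51.100.9", "payment"),
]

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)

def build_baseline(events):
    """Per user: hours of day and source IPs seen in past activity."""
    baseline = defaultdict(lambda: {"hours": set(), "ips": set()})
    for ts, user, ip, _action in events:
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
        baseline[user]["ips"].add(ip)
    return dict(baseline)

def find_anomalies(events, baseline, hour_slack=1):
    """Return (timestamp, user, action, reasons) for events off the baseline."""
    findings = []
    for ts, user, ip, action in events:
        profile = baseline.get(user)
        if profile is None:  # never seen before: cannot be judged, so report it
            findings.append((ts, user, action, ["no baseline for user"]))
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if all(hour_distance(hour, h) > hour_slack for h in profile["hours"]):
            reasons.append("unusual hour")
        if ip not in profile["ips"]:
            reasons.append("new source IP")
        if reasons:
            findings.append((ts, user, action, reasons))
    return findings
```

Calling `find_anomalies(NEW_EVENTS, build_baseline(HISTORY))` reports the 02:40 payment from an unfamiliar address and the payment from a second new address, and leaves the two routine log-ins alone.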
Outside attackers broadly fall into three groups. ‘Hacktivists’ tend to be motivated by a political agenda, rather than money, and aim to cause embarrassment or tarnish their target’s corporate reputation. A second group is cyberterrorists, who compromise systems with the aim of laundering money.
Perhaps the most sinister outsider group is government-sponsored hackers, who use their attacks to humiliate target countries and leaders. Methods of attack are diverse, but what they have in common is a willingness to use illicit means to gain access to records and data to target unsuspecting victims and cause mayhem and chaos.
While recent events have underlined the critical importance of cybersecurity, the basic principles around securing corporate technology have not really changed. Understanding the threat is the first step towards neutralising it, which means developing a robust cybersecurity system and a set of processes to help spot and counter the ever-changing threats.
Common sense is also a powerful tool. Now is the time to remind colleagues to avoid using social media in the workplace and to reaffirm all agreed procedures around access to bank accounts. Accepting email invitations and clicking on shortened URLs is unwise.
So is giving out sensitive information to known and unknown individuals.
Using antivirus software and regularly updating browsers and systems are simple and good preventative measures – ones that should extend to any personal devices that employees use to access company platforms or execute transactions.
Treasurers should ensure they have sufficient internal controls to safeguard assets and deploy appropriate monitoring around critical assets and systems.
Working towards greater cash visibility, centralised payment processes, a streamlined bank account structure and bank connectivity, and higher levels of automation are additional measures that will enhance security but may require additional investment.
At a minimum, it falls to treasurers with managerial responsibility to ensure effective employee education around cyberthreats.
Preventative measures to help treasurers avoid issues around phishing and fraudulent calls include:
Additionally, with online banking, it is important to encourage employees to look out for unusual screens or pop-ups asking them to input passwords or security codes at an unusual stage.
It is important that you alert your staff to the risk of devices becoming infected, and tell them not to carry out online banking from free or open wi-fi connections. If users see any errors that suggest the site is not secure, they should stop and report the problem without logging on or completing a transaction.
With CFO and CEO email frauds a continuing concern, those in managerial roles need to ensure they promote sound procedures, as well as a culture where questioning one-off payment requests is the norm. Employees need to feel comfortable when checking with colleagues if they are uncertain about a payment.
It is good practice to:
A clear internal treasury policy that outlines the roles and responsibilities within treasury and the wider group is vital. Treasury processes should be formalised and communicated to all personnel.
Implement processes to follow, but explain the ‘why’, as well as the ‘what’, to ensure full understanding. Have a robust joiners, movers and leavers process to manage access and ensure access is removed when no longer needed. This could include further segregation of duties, to require two or more people to complete a transaction.
It is important for line managers to create a culture that makes it easy to report suspicions of fraud, but that also protects innocent employees from unfounded accusations.
Ensuring treasury processes are reviewed regularly is also good risk governance. Work with IT. Implement checks that ensure your controls are being complied with.
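One way such compliance checks could look, as an added example that is not part of the original article: it reconciles payment-platform access against the HR record (the joiners, movers and leavers control) and tests each payment for an independent approver who was still in post (segregation of duties). The data layout, user names and payment ids are constructed for illustration.

```python
from datetime import date

# Constructed HR record: user -> leaving date (None while still employed).
STAFF = {"a.patel": None, "j.moore": None, "r.singh": date(2017, 5, 31)}
# Constructed export of users who still hold access to the payment platform.
PLATFORM_USERS = {"a.patel", "j.moore", "r.singh", "temp.admin"}
# Constructed payment audit trail.
PAYMENTS = [
    {"id": "P-1001", "created_by": "a.patel", "approved_by": ["j.moore"], "on": date(2017, 6, 12)},
    {"id": "P-1002", "created_by": "a.patel", "approved_by": ["a.patel"], "on": date(2017, 6, 13)},
    {"id": "P-1003", "created_by": "j.moore", "approved_by": ["r.singh"], "on": date(2017, 6, 14)},
    {"id": "P-1004", "created_by": "j.moore", "approved_by": [], "on": date(2017, 6, 15)},
]

def stale_access(staff, platform_users, today):
    """Accounts that should have been removed: leavers and users unknown to HR."""
    issues = {}
    for user in sorted(platform_users):
        if user not in staff:
            issues[user] = "not in HR record"
        elif staff[user] is not None and staff[user] < today:
            issues[user] = "left on " + staff[user].isoformat()
    return issues

def dual_control_breaches(payments, staff):
    """Payments lacking an independent approver who was in post on the payment date."""
    breaches = {}
    for p in payments:
        valid = [
            a for a in p["approved_by"]
            if a != p["created_by"]          # approver must differ from creator
            and a in staff                   # and be a known employee
            and (staff[a] is None or staff[a] >= p["on"])  # still in post
        ]
        if not valid:
            breaches[p["id"]] = "no independent approver in post on payment date"
    return breaches
```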
Educate your staff about password security and ensure they create strong passwords on both company-owned and third-party systems used for business purposes (ie banking and payment sites).
Individuals should not use the same password on different external sites or use internal passwords on external sites. They should be familiar with the company’s ‘user acceptable use policy’ and have regular reminders about password protocols.
Effective cybersecurity risk management by treasury can help strengthen relationships with customers and suppliers, build trust with investors and protect the organisation’s brand.
Not only will the organisation be better equipped to defend itself against known threats today, but it will be better positioned to anticipate the risks of tomorrow too.
Dee Kothari FCCA AMCT is a treasury consultant.
This article was taken from the Jul/Aug 2017 issue of The Treasurer magazine.