Is Your Company Protected from Cyber Threats?
By Anne Catherine Sailley and James Henderson, Members of the CyberSecurity Working Group of the European Association of Corporate Treasurers (EACT)
Today's treasury infrastructure is changing and, with it, the associated risks of data loss or fraud have multiplied. Within the security community, it is often said that it is not a matter of ‘if’ but ‘when’ you are going to be affected by a security breach. Treasurers need to ensure that controls are in place to protect the corporate assets and, as such, should take a lead role in protecting the company from cyber threats. Securing your company is not a one-time exercise; it is a journey that needs to be reviewed regularly and adapted to new threats.
You can’t do it alone
It is unlikely that treasurers have the expertise to protect the company on their own. Therefore, it is best to create a cross-business team with technology, information security and internal audit to jointly protect the firm. Working together and utilising collective expertise, the team can audit risky processes, run security penetration tests, and then jointly assess the levels of risk to the organisation before determining an action plan.
In addition, this is not something that only the leadership team needs to be aware of. To best prepare the organisation, the employees need to be aware of the latest fraud attack vectors and techniques, and receive proper training on how to successfully identify, prevent and respond to attacks. This training must be provided regularly, so as to keep pace with the constant evolution of the cybercrime landscape. It is a good idea to test the effectiveness of the training through internal mock phishing exercises to ensure the employees follow the proper policies and procedures.
Protecting the treasury infrastructure
There can be numerous entry points into a company’s infrastructure. For some, all it takes is an employee plugging in a USB stick they found on their way to work, or an unintentional click on a website (even legitimate ones) to open the infrastructure up to risk. It’s a good idea to review these potential entry points with your technology team to understand what controls you have in place. The following topics provide a good starting point for these discussions:
- How is your treasury infrastructure (servers, switches, storage, routers, modems, leased lines, etc.) physically protected against tampering?
- Do machines with access to the treasury infrastructure have unused ports and external access ports (e.g., USB) blocked to prevent someone installing malware? Do any machines on the network have access to the internet or email where someone could accidentally download a virus/malware? If so, what mitigations are in place to reduce the risk?
- Do all systems on the network run a firewall and antivirus, and have up-to-date operating systems and antivirus signatures?
- What level of authentication is used for key users (e.g., admin or payment authorisers)? Is a username and password sufficient or should two-factor authentication be considered?
Minimising the risk from external connections
You need to protect the information not only whilst it is within your environment but also when it leaves your estate. To do this, the key is to use encrypted channels and protocols throughout the information flow. There are a number of weak points to consider:
- Does your system extract the data from the ERP system and then encrypt it, or does the data come out encrypted? If it is extracted unencrypted, who has access to the folders where the data is stored?
- If you have any systems on the cloud, is your cloud provider ISO 27001 certified? Does your cloud provider transfer data to unsecured servers at any point? Are employees from the cloud provider vetted?
- If you are using a SWIFT service bureau, do they have certification from SWIFT to operate and can they provide a SAS70 type II audit report? Are they compliant with the latest version of SWIFT SIP Release to attest their level of security?
- If third party vendors have access to your network, are their cybersecurity controls and incident response appropriate for the services they provide and access they have?
When considering regular penetration tests, you should think not only about your treasury infrastructure but also about those of supporting systems and your external service providers.
Manual interactions within most systems are inevitable. When they do arise, the key is to ensure there are appropriate levels of control around them. Utilising features such as user profiles, workflow limits and four-eyes approvals helps. However, for controls to be effective, you also need to ensure users have just enough latitude to complete their jobs. When determining where controls are required within the workflow, you should think creatively. For example, whilst the payment details obviously require a high degree of control, what about suppliers’ phone details? If someone first modified a supplier’s phone number and then changed the invoice details, would you call a number that you know and trust to check if the supplier’s details are correct?
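As an added illustration of that last point (not code from the EACT article or any treasury product), the following Python model treats the supplier's contact details with the same change control as the bank details: both need a second approver, a payment-detail change cannot be approved while a contact-detail change for the same supplier is unresolved, and the callback number handed to the approver is always the last approved one, never a pending one. The supplier record, user names and field names are constructed for the example.

```python
"""Supplier master-data change control with four-eyes approval.

Hypothetical model for the control-design point above: the callback number
used to verify a payment-detail change is itself sensitive, so it gets the
same change control as the bank details. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Fields that are only safe to change under dual control.
PAYMENT_FIELDS = {"iban", "bank_name"}
CONTACT_FIELDS = {"phone", "email"}
SENSITIVE_FIELDS = PAYMENT_FIELDS | CONTACT_FIELDS


@dataclass
class Change:
    supplier_id: str
    field_name: str
    old_value: str
    new_value: str
    requested_by: str
    status: str = "pending"          # pending | approved | rejected
    approved_by: Optional[str] = None


class SupplierRegistry:
    def __init__(self, suppliers: dict):
        # Only approved values live here; pending changes never touch them.
        self.approved = {sid: dict(rec) for sid, rec in suppliers.items()}
        self.changes: list = []      # full audit trail of every request

    def request_change(self, supplier_id, field_name, new_value, requested_by) -> Change:
        old_value = self.approved[supplier_id][field_name]
        change = Change(supplier_id, field_name, old_value, new_value, requested_by)
        if field_name not in SENSITIVE_FIELDS:
            # Non-sensitive fields (e.g. a free-text note) apply immediately.
            self.approved[supplier_id][field_name] = new_value
            change.status, change.approved_by = "approved", requested_by
        self.changes.append(change)
        return change

    def pending(self, supplier_id, fields=None) -> list:
        return [c for c in self.changes
                if c.supplier_id == supplier_id and c.status == "pending"
                and (fields is None or c.field_name in fields)]

    def callback_number(self, supplier_id) -> str:
        """Number the approver must dial: the last approved phone, never a pending one."""
        return self.approved[supplier_id]["phone"]

    def approve(self, change: Change, approver: str, verified_by_callback: bool = False) -> Change:
        if change.status != "pending":
            raise ValueError("change is not pending")
        if approver == change.requested_by:
            raise PermissionError("four-eyes: requester cannot approve their own change")
        if change.field_name in PAYMENT_FIELDS:
            if self.pending(change.supplier_id, CONTACT_FIELDS):
                raise PermissionError("contact details for this supplier have an "
                                      "unapproved change; resolve it first")
            if not verified_by_callback:
                raise PermissionError("payment details must be confirmed by calling "
                                      + self.callback_number(change.supplier_id))
        self.approved[change.supplier_id][change.field_name] = change.new_value
        change.status, change.approved_by = "approved", approver
        return change

    def reject(self, change: Change, approver: str) -> Change:
        change.status, change.approved_by = "rejected", approver
        return change


def run_scenario() -> dict:
    """Replays the phone-then-invoice sequence from the text with constructed data."""
    registry = SupplierRegistry({
        "SUP-001": {"name": "Acme Ltd", "phone": "+44 20 0000 0001",
                    "iban": "GB00TEST00000000000001", "bank_name": "Test Bank", "note": ""},
    })
    # Step 1: a misused 'alice' account redirects the callback number ...
    phone_change = registry.request_change("SUP-001", "phone", "+44 20 0000 9999", "alice")
    # Step 2: ... and then changes the payment details.
    iban_change = registry.request_change("SUP-001", "iban", "GB00TEST00000000009999", "alice")
    outcome = {}
    try:                                     # self-approval is refused
        registry.approve(iban_change, "alice", verified_by_callback=True)
    except PermissionError as exc:
        outcome["self_approval"] = str(exc)
    try:                                     # second approver is stopped by the pending phone change
        registry.approve(iban_change, "bob", verified_by_callback=True)
    except PermissionError as exc:
        outcome["blocked_by_pending_contact"] = str(exc)
    # Bob dials the number of record, which is still the original one.
    outcome["callback_number"] = registry.callback_number("SUP-001")
    # The supplier denies both requests, so Bob rejects them.
    registry.reject(phone_change, "bob")
    registry.reject(iban_change, "bob")
    outcome["iban_of_record"] = registry.approved["SUP-001"]["iban"]
    outcome["phone_of_record"] = registry.approved["SUP-001"]["phone"]
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the approver never sees the pending phone number at all: the callback number is read from the approved record, so the order in which the two requests were raised makes no difference to which number gets dialled.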