“By sharing what you see about incoming attacks, you are stronger”
An interview with Andy Bates, Executive Director, United Kingdom, Europe, Middle East & Africa - Global Cyber Alliance
First, may I ask you to introduce your professional background up until you joined the Global Cyber Alliance (GCA)?
I have always worked in telecoms and often on large secure networks for governments, hence the cyber background. However, I have worked on large retail and corporate networks and had roles such as product development director, IT Director and CTO.
You joined the GCA in September 2017 as Executive Director for the United Kingdom, Europe, Middle East and Africa. Could you please explain to us more about the goal of the GCA and your mission / role in that organization?
First, GCA is a non-profit organization; its role is to reduce the causes of cybercrime. We do this by developing solutions which can be globally adopted and make them free to use. In this way, everyone gets protection rather than those who can afford it. My role is to run the EMEA organization; we are growing in this area and have just employed a full-time person in Brussels. We are funded by altruistic donation, and so much of my role is to find people who want to fund our projects, either for the altruistic benefit or for their own benefit, provided others benefit as well. Finally, as part of the executive team, we are all looking for the new cyber challenges and solutions, as it is a dynamic market.
You are convinced that Corporate Finance professionals need to share information about cyberattacks. Companies would normally consider attacks as an internal matter; why would they share this type of information?
Firstly, not sharing with your fellow treasurers is a risk. Cyber attackers will attack you all, using the same techniques. By sharing what you see about incoming attacks, you are stronger as a whole and as a profession; this is why EACT is so interesting to me.
The attack is often from an external source so logically an attacker will attack many companies to achieve its goal. By sharing attack sources or techniques, the community is stronger. Everyone would love to be told of the source of new threats but that means that someone must give that data to the community in the first place.
Could you give us a specific example of sharing information on attacks helping other professions / businesses protect themselves?
For example, the CDA (cyber defence alliance) in the UK is the best example I have seen. It is 8 major banks who work together and second staff to the CDA to act as one unified front. CDA’s mission is to build and promote a global cybersecurity commercial ecosystem, which will be able to establish cyber security guidance and best practices. The London-based CDA was created to facilitate sharing of information following cyber security incidents.
Has this information sharing not just made those companies more susceptible to further attacks?
Realistically, all companies are vulnerable; the statistics speak for themselves. The bad guys already share and sell intelligence on their victims on the dark web. Arguably, if you have been attacked it suggests you will be attacked again and again, more frequently. By sharing in a closed community such as EACT you can defend against this new assault.
If we assume that IT departments are doing the right things in terms of protecting companies in our activity as treasurers today, what do you see as the main cyber risk?
You have to be protected at home too. When you go home, your PC, your child’s phone, your home assistant or open smart home devices can all be used to track your work. It is illegal to listen in on your conference call at home via your home network and hear your discussions about the transactions you are working on.
When you work at home, you may not be authorized to make high value transactions and so you feel safe. The point is that in many cases the knowledge of a forthcoming transaction is also valuable. It is easier to get this data than to hack into a treasury system, and harder to trace the bad actors’ actions. I would agree that there is a lot of data to process to find the right person, but the bad guys are using AI techniques now to assimilate data and find the right person to spy on for valuable information.
Have you seen, over the last few years, more commitment toward cybersecurity by companies, and do you think this level of attention is enough to fight it?
Yes & yes, but on the 2nd yes sometimes the effort is misplaced. We see many people spending time and money on cyber and looking at “cool” things like AI when they haven't done the basics; this is often where we come in. I would say spend more time on cyber, but then the costs of cyber defence become an issue. Yet we know that the UK alone suffers a loss of £29 bn per annum according to the UK Cabinet Office and Detica. This large figure suggests people cannot be doing enough, but I argue that they aren't doing the right things, such as the simple free basics.
Could you give us, via a practical example, what GCA promotes as a solution to help treasurers in their daily work?
Today more and more companies are subject to email-borne phishing attacks. GCA has focused on decreasing the risk of email-borne phishing attacks through its tool that enables organizations of all sizes to deploy Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Anyone can send an email pretending to be you if you don't have DMARC. We surveyed 130 EACT members and found that 7% had DMARC properly configured; this means that for the remaining 93% someone could use email and pretend to be you or your CEO. Imagine the danger that can produce.
All emails have a field where the administrator can configure the “from address” and the “reply to address”. If you google “How to send spoof email” it says that your mail may get ejected or go to spam if the receiver has configured SPF/DKIM or DMARC. Essentially these check that the IP address of the sender is the same as your IP address; without this anyone can simply configure the “from field” and pretend to be your boss.
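The receiver-side check that the answer above refers to, shown here as an added illustration that is not part of the interview and is not GCA's own DMARC deployment tool: a small Python DMARC evaluator. It looks up the sending domain's policy record, tests whether the SPF or DKIM pass domain aligns with the header From domain, and returns the disposition a receiver would apply. The DNS records for example.com, example.net and example.org are constructed in-memory samples, and the organizational-domain heuristic is a simplification of what real mail receivers do with the Public Suffix List.

```python
"""Toy DMARC evaluator (added illustration, not GCA code).

Given a message's header From domain plus the domains for which SPF and
DKIM passed, apply the receiving side of DMARC: look up the sender
domain's policy record, test identifier alignment, and return the
disposition a receiver would apply. DNS is replaced by an in-memory
table of constructed records so the script runs offline.
"""

# Constructed sample records; none of these are real DNS data.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    # example.org publishes no DMARC record at all.
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; tags are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) only
    needs the same organizational domain. No pass domain means no alignment."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def lookup_policy(header_from, dns):
    """Find the applicable record: exact domain first, then the org domain
    (where the 'sp' subdomain policy wins over 'p' if present).
    Returns (tags, policy), or (None, None) if no record exists."""
    domain = header_from.lower()
    txt = dns.get("_dmarc." + domain)
    if txt is not None:
        tags = parse_dmarc(txt)
        return tags, tags.get("p", "none")
    txt = dns.get("_dmarc." + org_domain(domain))
    if txt is None:
        return None, None
    tags = parse_dmarc(txt)
    return tags, tags.get("sp", tags.get("p", "none"))


def evaluate(header_from, spf_pass_domain=None, dkim_pass_domain=None, dns=SAMPLE_DNS):
    """Return (disposition, reason). spf_pass_domain is the envelope MAIL FROM
    domain if SPF passed; dkim_pass_domain is the d= of a valid DKIM signature."""
    tags, policy = lookup_policy(header_from, dns)
    if tags is None:
        return "deliver", "no DMARC record: a forged From header is accepted"
    spf_ok = aligned(header_from, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(header_from, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver", "DMARC pass"
    if policy == "none":
        return "deliver", "DMARC fail, but p=none only monitors"
    return policy, "DMARC fail, policy applied"


def classify(domain, dns=SAMPLE_DNS):
    """Survey-style bucket for a domain: 'missing', 'monitor' (p=none)
    or 'enforcing' (p=quarantine / p=reject)."""
    tags, policy = lookup_policy(domain, dns)
    if tags is None:
        return "missing"
    return "enforcing" if policy in ("quarantine", "reject") else "monitor"


if __name__ == "__main__":
    for domain in ("example.com", "example.net", "example.org"):
        print(domain, classify(domain), evaluate(domain))
```

Running the script shows the point behind the 7% figure: a domain with no record, or with p=none, still lets a message carrying a forged From header through to the inbox, and only a quarantine or reject policy with a failed alignment check actually stops it. The `classify` function is the kind of test one would run over a list of member domains (with a real DNS lookup in place of `SAMPLE_DNS`) to see which fall into the "properly configured" bucket.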
Interview by Nadine Grevaz, member of the EACT Cybersecurity Working Group. Nadine is working for Bobst as Group Cash Manager.