Tackling cyber risks in treasury

by James Henderson, Director within Barclays Corporate Banking & Member of the European Association of Corporate Treasurers Cyber Security Working Group

 


On January 14, 2019, the Association of Corporate Treasurers (ACT) alongside the European Association of Corporate Treasurers Cyber Security Working Group hosted an event to discuss current trends in the cyber security space and ways of mitigating cyber risks. The event featured a panel session with a line-up of speakers from companies including the City of London Police, Standard Chartered, Global Cyber Alliance, Steelcase and Barclays.  


The source of many headaches 


As companies continue to evolve digitally, they also become increasingly more vulnerable to cybercriminals deploying more sophisticated attack methods. Daniel Piper, Detective Inspector from the Cyber Crime team at the City of London Police, explained that criminals have been exploring potential targets for centuries and now, they can do it from the comfort of their own home. For hackers that are learning new tricks, they can simply use a search engine to improve their knowledge. If that is too hard, then it is possible to find sites online that look as professionally as those of a high street brand, offering to take a website offline, provide fake IDs, offer cloned cards, as well as a raft of other services.

Ludwig Keyser, Director of Joint Operations Centre, explained that the most common attacks seen across the Barclays network are phishing scams, through which cybercriminals send malicious emails to gain access to networks and personal information. Nina Paine, Global Head of Cyber Partnerships & Government Strategy at Standard Chartered, emphasised this fact revealing that 80-90% of cyber attacks still come through victims clicking on a link. 

Personalised attacks


Daniel explained how the rise of digital footprints are also enabling cybercriminals to become smarter with their tactics, with more information available online to use when personalising their malicious attacks. Ludwig elaborated that social media platforms are key target areas as users will often post information relating to the company they work for, their department and potentially even what treasury platform they use, all of which can be used to make mail spam look realistic. 
 
Finding a way in


With many large corporates investing more heavily into their cyber security defences, criminals are now searching for areas of weakness to find the next target.  Digital connectivity between companies means that smaller companies are increasingly targeted as a backdoor to access larger businesses.  Nina Paine recalled that a cyberattack on a major US retailer had originated from the compromise of one of their suppliers, an air-conditioning and refrigeration firm.


Protecting your company


Anne-Catherine Sailley, EMEA Treasurer from Steelcase, emphasised the importance of working together to mitigate cyber risk. Treasurers alongside internal audit, technology and information security need to work together and build a strong control environment. She suggested an audit of the company’s current set-up can help focus attention. Nina explained a common approach was to consider risk based on the level of confidentiality of data, the need for data integrity and the required availability of systems.


Andy Bates, Executive Director for the United Kingdom, Europe, Middle East & Africa at Global Cyber Alliance, felt it was important to keep technology departments focused on the basics. As part of a review of treasurers within Europe, the Global Cyber Alliance found that 88% of companies had not turned on a simple email configuration, called the Domain Message Authentication Reporting and Conformance (DMARC). As such, hackers are able send an email from any of these companies’ email addresses without needing to hack onto the company’s network. Andy also highlighted an example where a hacker was able to instruct a bank to complete a fraudulent payment even after the bank had correctly identified it as fraudulent, because the client had not turned on DMARC.


The panel discussed how companies migrating services onto cloud computing software could gain access to more advanced controls. Ludwig, however, expressed the importance of not relinquishing your own control requirements, citing a number of companies that turned off two factor authentication when they went live with a cloud solution and were subsequently breached.
 
Changing behaviours


Nina revealed that there is a clear correlation between Board commitment to cyber security and leading cyber security practices. This an issue that needs to be filtered down throughout the company, as staff are the front line of defence in reporting malicious emails or potentially identifying the next attack. For example, in the Bank of Bangladesh heist, where cybercriminals attempted to steal $1 billion dollars in total, $20 million was stopped by a bank employee, who identified the cybercriminals’ spelling error on a payment. Nina also suggested that staff could be incentivised through colleague “rewards” to positively encourage continuous awareness. Anne-Catherine highlighted that the focus needed to be broad within the organisation and not just focus on the highest risk roles. 


In addition to procedural training, Dan reflected on the importance of making people aware that their digital footprints might be used against them or their colleagues in the future. The panel also recommended enforcing a healthy scepticism into teams, such that if they receive an odd request, they recheck the instructions. For example, if an employee receives an email with an unusual request, they respond by telephone rather than email. A member of the audience suggested that personal relationships can prove critical to understanding and validating inbound requests.


Help if it goes wrong 


Daniel’s team provides help if you are targeted, and incidents should be reported through Action Fraud. The process is quick and only requires information the user has available. Even if users do not fall victim to a cyber-threat, it is important that they are logged, as friends and colleagues may not be so fortunate. 


Andy explained that corporates should also consider sharing information on threats with other businesses. Nina concurred that many financial institutions take part in this form of industry collaboration and it has helped them prevent credible attacks.


Want more?


If there is a cybersecurity topic that you would like to better understand, please send the query into the EACT Cyber Security Working group so we can investigate it for a future article.


Our email address is: cybersecurity@eact.eu

 

Another Useful Article


Cyber threats are keeping Mark Carney awake at night. But are treasurers worried?

Anne-Catherine's Top Tips

  • Maintain controls across all channels (ERP / TMS / Web banking tools).

  • Implement 4 eyes checks 

  • Activate 2 factor authentication

  • Don’t allow people to share accounts; it makes it harder to monitor behaviour.

  • Only give people enough scope to do their job.

  • Implement detective controls such as reconciliations and account monitoring

For more information see: https://eact.eu/news/108/is-your-company-protected-from-cyber-threats/

 

Resources to help design training


Content from Barclays that could be used for internal training:  https://www.barclayscorporate.com/insight-and-research/fraud-smart-centre.html


A tool that can tell you how long it would take to hack your password: https://howsecureismypassword.net/


A tool to identify if an email was part of a previous major database hack: https://haveibeenpwned.com/

 

Reporting an attack

Use the following link to report an attack:

https://www.actionfraud.police.uk/