Attacks are inevitable, so communication, detection and preparation are critical.
Treasury is where the money is—or where it goes on its way somewhere else—making treasury a prime target for cybercriminals. So it’s no surprise that cyber risks are causing treasurers to lose sleep. To help them rest a bit easier, the global head of cyber intelligence at a major bank and the head of corporate information security at a leading technology company gave members of NeuGroup’s Treasurers’ Group of Mega-Caps (tMega) timely insights about cybersecurity during discussions at their spring meeting.
INSIGHTS FROM THE CYBER TRENCHES
1) Communicate with key players. It’s imperative that treasury teams establish relationships and exchange mobile phone numbers not only with their company’s chief information security officer (CISO) but also with the head of cyber intelligence (if the company has one), who understands, interprets and advises on cyberthreats. One member described an ideal arrangement: the information security team reports to the company’s CFO, which promotes closer coordination with treasury on bank and payment-related risks.
2) Avoid opening the door to criminals. Treasury is an obvious target for phishing scams, which might account for about 80% of all cyberattacks, according to the bank intelligence expert. That’s why smart companies use red teams to try to trick their own employees into clicking on a bogus link, and then focus training on the “victims.” Treasury needs to instill good cyber hygiene habits, including calling back vendors and others whenever bank account numbers or electronic payment instructions change, and making that call to a number already on file rather than one supplied in the request itself. And this word of warning from the CISO who spoke: The CEO will never ask you to wire money while he’s on vacation. Ever. Yes, he said, the security team will help if you fall for this ruse, but, “We will laugh at you.”
3) Preparation, not perfection. One of the cyber experts said that despite all the time and money corporates spend on prevention, the “bad guys will get inside of the company.” That means “it’s not about being perfect, it’s about how fast can you stop them from achieving their objective,” he said. With that in mind, treasurers need to understand their role in a crisis and to conduct tabletop exercises with business units based on various what-if emergency scenarios. You need to develop a plan, map out responses and make sure the head of crisis management calls you when something happens.
4) Detection and response. The CISO underscored the importance of detection and response over prevention. Prevention still matters: it cuts down the noise so that intrusions are easier to detect and respond to. Yet most companies spend most of their security budget on prevention and too little on detection and response.
5) Know your stages. Understanding the stages common to most attacks will strengthen detection and response. Attacks involve these stages:
- Profiling. An attacker profiles the company and its employees, figuring out how to phish them.
- Exploration. Once the attacker has penetrated the company, he moves around in an attempt to find the most valuable data, including passwords. The CISO said the average amount of time the bad guys are inside the company is 240 days. In other words, plenty of time to detect them.
- Execution. Once the attackers have found the thing they want, your defenses are completely ineffective, the CISO said. The criminals “can do it in seconds, at the speed of light,” he said.
6) Scout the opposing players. Here are the so-called bubbles or players in the cyberworld the CISO described:
- Security researchers. They try to find weaknesses in the system, the digital open windows and doors. Some, but not all, of them are nefarious, and most are employed by companies.
- Exploiters. These are the people who explain how to get through the open window and point it out to others; think of them as the bomb assemblers.
- Attackers. These range from groups of individuals or fanboys looking for information on new product releases, to organized criminals who commit fraud built around the company’s own business model, to nation states with effectively unlimited resources that cannot be stopped from getting in.
7) Stop that payment. If, after doing all the above and more, your team authorizes a wire transfer to a cybercriminal, the good news is that your bank can still put a stop to it. The bank’s ability to do so is much greater while the funds are still in accounts at that bank. After that, you’re at the mercy of the bank that received the money. So it’s good to know the best person at the bank to call, and to call them fast. The cyber intelligence expert said that if the two banks have a good relationship, chances are still good that the transaction can be stopped.
8) Be smart. It’s always better to question a payment or funds transfer before the money leaves your building. Don’t be afraid to question something that doesn’t follow the normal process or feels out of place.
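Items 2, 7 and 8 all come down to one control: question a payment before it is released, and make the callback to a number you already trust. The following is an added example, not part of the article or of any NeuGroup member’s system, of how such a pre-release check can be written down as code. The vendor master records, the two payment requests, the keyword list and the definition of the “normal process” (requests arrive through an ERP workflow, not by e-mail) are all constructed assumptions for illustration.

```python
"""Pre-release checks for an outgoing wire.  Constructed example (not from the
article): the vendor master records, payment requests, keyword list and the
'normal process' definition are all assumptions made for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_account: str      # account on file in the vendor master
    callback_phone: str    # number verified at onboarding; never taken from a request


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    beneficiary_account: str
    amount: float
    requester: str
    channel: str                            # assumed normal process: "erp"; anything else is out of process
    memo: str
    phone_in_request: Optional[str] = None  # contact number the request itself supplies
    callback_made_to: Optional[str] = None  # number treasury actually dialled, if a callback was done


# Phrases that recur in payment-fraud lures; an assumed list, extend it from your own incidents.
URGENCY_MARKERS = ("urgent", "confidential", "vacation", "before close", "do not discuss", "ceo")


def review_payment(req: PaymentRequest, master: dict) -> list:
    """Return the reasons to hold the payment; an empty list means no objection."""
    findings = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return ["vendor not in vendor master"]

    if req.beneficiary_account != vendor.bank_account:
        findings.append("beneficiary account differs from vendor master")
        if req.callback_made_to is None:
            findings.append("account change not confirmed by callback")
        elif req.callback_made_to != vendor.callback_phone:
            # Calling the number printed in the request reaches whoever wrote the request.
            findings.append("callback went to a number not on file")

    if req.phone_in_request and req.phone_in_request != vendor.callback_phone:
        findings.append("request supplies a contact number that differs from the one on file")

    if req.channel != "erp":
        findings.append("request arrived via " + req.channel + ", outside the normal workflow")

    memo = req.memo.lower()
    hits = [m for m in URGENCY_MARKERS if m in memo]
    if hits:
        findings.append("pressure language in memo: " + ", ".join(hits))

    return findings


def decide(req: PaymentRequest, master: dict) -> str:
    """HOLD if anything needs a question asked before the money leaves; otherwise RELEASE."""
    return "HOLD" if review_payment(req, master) else "RELEASE"


# Constructed vendor master and two constructed requests (example IBANs, not real accounts).
VENDOR_MASTER = {
    "V-100": VendorRecord("V-100", "DE89370400440532013000", "+49-30-555-0100"),
}

ROUTINE = PaymentRequest("V-100", "DE89370400440532013000", 48_000.0,
                         "ap.clerk", "erp", "Invoice 4471, net 30")

SUSPICIOUS = PaymentRequest("V-100", "GB29NWBK60161331926819", 48_000.0,
                            "ceo.assistant", "email",
                            "URGENT: CEO on vacation, pay to new account before close, confidential",
                            phone_in_request="+44-20-555-0199",
                            callback_made_to="+44-20-555-0199")

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("suspicious", SUSPICIOUS)):
        print(name, decide(req, VENDOR_MASTER))
        for finding in review_payment(req, VENDOR_MASTER):
            print("  -", finding)
```

The suspicious request is held for five separate reasons even though a “callback” was made: the number dialled came from the request, so it confirmed nothing. That is the case the callback habit in item 2 is meant to catch, and the hold buys the time item 7 says is easiest to use while the funds are still at your own bank.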