The Pressing Need for Cyberincident Response Plans

June 11, 2019

Painful lessons teach treasurers in Asia that humans—not technology—pose the greatest risks to data security. 

Relentless cyberattacks and growing awareness of their potentially disastrous consequences have raised the pressure on treasury teams to take more action to mitigate the damage done by phishing scams where bad actors impersonate trusted contacts, by malware used to obtain data and extort ransom, and by other forms of hacking. This awareness means multinationals can no longer avoid the need to adopt cyberincident response plans to deal with the reality that humans within organizations pose significant risks to the security of data and financial assets. 

Those conclusions and other takeaways emerged at a recent meeting of NeuGroup’s Asia Treasury Peer Group in Singapore where members shared some of their hard-learned lessons and an expert from a leading international bank outlined some of the risks and prudent countermeasures. 

Business email compromise (BEC). Members described incidents underscoring the risks posed by employees, suppliers, customers and cloud service providers who fail to recognize emails designed to facilitate a fraudulent payment. Here’s a hypothetical example based on several cases discussed at the meeting: A former employee of a key supplier convinces a member’s shared service center team to update payment account information just before a large delivery. Two days later, the supplier calls looking for the payment. A rapid investigation shows that the money went to the wrong account. The banks involved are contacted immediately. But thanks to ever-faster payment systems, the money has already been transferred to another jurisdiction, one that offers no cross-border judicial assistance. The money is gone and recovery unlikely.

Battling BEC. The expert’s presentation advises mitigating BEC risk by developing a process that can potentially detect the registration of malicious lookalike internet domain names used by cybercriminals. But realize that if a vendor’s email is compromised, fake messages may come from the correct domain. So be wary of any requests made by email and confirm all changes in payment instructions verbally.
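To make the lookalike-domain check described above concrete, here is an added example (not from the bank's presentation or from NeuGroup) that folds visually confusable glyphs and measures edit distance against a constructed trusted supplier domain; the supplier domain, the confusables table and the registration feed are all assumptions for illustration.

```python
import unicodedata
from typing import Iterable

# Glyph pairs attackers swap because they look alike on screen (constructed
# table; extend it for the fonts and scripts your staff actually see).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d", "\u0131": "i", "\u03bf": "o"}

def normalize(domain: str) -> str:
    """Lowercase, Unicode-fold and collapse confusable glyphs so visual twins compare equal."""
    d = unicodedata.normalize("NFKC", domain.strip().lower()).rstrip(".")
    for lookalike, plain in CONFUSABLES.items():
        d = d.replace(lookalike, plain)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance: catches one- or two-character typosquats such as a dropped TLD letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted: Iterable[str], max_distance: int = 2) -> str:
    """'trusted' = exact match, 'lookalike' = visually or textually near a trusted domain, else 'unknown'.
    Tune max_distance down for very short trusted domains to limit false positives."""
    domain = domain.strip().lower().rstrip(".")
    trusted = [t.strip().lower().rstrip(".") for t in trusted]
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t) or levenshtein(norm, normalize(t)) <= max_distance:
            return "lookalike"
    return "unknown"

def classify_sender(address: str, trusted: Iterable[str]) -> str:
    """Apply classify_domain to the domain part of an email address."""
    return classify_domain(address.rsplit("@", 1)[-1], trusted)

def flag_registrations(new_domains: Iterable[str], trusted: Iterable[str]) -> list:
    """Filter a feed of newly registered domains down to the ones that mimic a trusted supplier."""
    return [d for d in new_domains if classify_domain(d, trusted) == "lookalike"]

if __name__ == "__main__":
    TRUSTED = ["acme-supplier.com"]  # constructed supplier domain
    # Constructed feed standing in for a daily list of newly registered domains.
    FEED = ["acrne-supplier.com", "acme-supp1ier.com", "acme-supplier.co", "unrelated-shop.net"]
    print(flag_registrations(FEED, TRUSTED))
    print(classify_sender("ap@acme-supplier.com", TRUSTED))  # exact match: still confirm changes verbally
```

A "trusted" verdict only means the domain is the right one; as the text notes, a compromised vendor mailbox sends from exactly that domain, so a change in payment instructions is confirmed by phone regardless of the verdict.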

The best defense. The expert argued that because people are the weakest point in guarding against cybercriminals, the best defense is to remove people and manual processes and use technology to automate controls and payment systems. While it might seem that hackers stand a better chance of foiling technology-based processes, the expert said robust technology is harder to hack than it is to entrap humans who use manual means to make and receive payments.

The bottom line. Far too many companies have not prepared a risk management plan whose effectiveness is regularly tested. Every organization’s incident response plan should be grounded on these five basic concepts:

  1. Identify. Know who poses risks to security and what methods they use, including phishing and malware.
  2. Protect. Attack your employees to find weak links, get independent assessments, implement controls. 
  3. Detect. You will be attacked; to minimize damage, detection is more important than prevention.
  4. Respond. Engage in scenario planning, conducting tabletop drills to simulate emergencies.
  5. Recover. Learn the best methods to a) reduce the chances of repeated incidents and b) recover assets. 

Critical questions. Treasury teams bolstering their cybersecurity must ask if they have:

  • Prepared a risk management plan based on a realistic scenario?
  • Established with IT and compliance departments effective policies and procedures? 
  • Ensured that policies and procedures remain adequate and cover financial information such as payments instructions?
  • Checked that spam filters are turned on, protection software is active, data backups are fully effective?
  • Verified that the identity of staff with significant delegation of authority is protected?
  • Tested all aspects of their defenses?
