Encrypt Everything All the Time

December 29, 2014

Note to our readers, iTreasurer will publish at reduced pace through the New Year. Happy holidays and all the best in 2015!

Cyber security is critical these days; secure databases and take advantage of bank tools.

Cyber thieves’ recent theft of Sony Pictures’ proprietary information and upcoming releases, like earlier incidents at J.P. Morgan and Target, reiterates the need for companies to encrypt not only data sent to other organizations such as banks but also data resting comfortably in supposedly protected databases.

“The Target data that was captured earlier this year wasn’t encrypted and was accessible to someone outside,” said Jeff Dorio, principal at Treasury Strategies, during an online technology briefing December 11, 2014 titled “Cyber Risks to Treasury.”

Mr. Dorio added, “Even if [Cyber thieves] break through a company’s firewalls, if its data is encrypted while at rest in your systems, it will be of no use to them.”

Also involved in the briefing were Linda Haddad, senior vice president, product management at Bank of America Merrill Lynch, and Bob Stark, vice president of strategy at treasury management system (TMS) provider Kyriba.

Encrypting data in-flight as well as at-rest was one of the panel’s general recommendations to reduce the risk of Cyber attacks. Other measures, Mr. Dorio noted, include controlling who has access to data and permission to initiate data transfers, as well as reviewing physical security controls. He added that developing a Cyber defense plan requires partnering with the company’s IT group as well as internal and external auditors.

“We had a client in the Midwest that was about to start sending out lots of electronic payments, and after an internal audit it discovered its controls weren’t strong enough, and [the client] held off making those electronic payments until they put proper controls in place,” Mr. Dorio said.

Mr. Stark said IT departments generally endorse moving TMS systems and the relevant data to the cloud, because it physically separates the data from the company’s employees, given they’re often the perpetrators of fraud. He reiterated the need to encrypt in-flight and at-rest data, and he said encryption should be applied to sensitive as well as nonsensitive data, since the line distinguishing them can become hazy.

Also critical for securing TMS systems is making sure data centers and pertinent software are certified under the Service Organization Control standard SOC1, although SOC2 certifications may also be appropriate. Both certifications, which are accounting standards that measure a service organization’s control of financial information, have type 1 and type 2 versions, with the latter more appropriate because it measures control over a period of time, usually a year, Mr. Stark said.

“It’s very rare a type 1 report would be accepted by an auditor or folks in treasury, because it just gives a picture of a point in time right now,” Mr. Stark said, adding, “It’s generally better to have a picture over a period of time to be sure all the possible scenarios can be evaluated.”

Mr. Stark also recommended the separation of employees’ duties and other policy-driven protections to restrict access to the infrastructure of data hosts and client data, as well as numerous firewalls to protect data from internal and external threats. He added that it’s wise for a company to hire a third party to try to hack into its systems, pointing to McAfee and Qualys as two of several firms providing that service.

In terms of employees accessing a company’s treasury systems, Mr. Stark said, even a complex password coupled with a user ID is insufficient. Two-factor authentication, in which access requires a second, randomly generated password that is sent to the user typically by email or SMS, provides a base level of additional security. Additional security measures can include restricting by IP address the devices allowed to access the systems and implementing a virtual private network between the treasury-system hosting provider and the company.

Mr. Stark emphasized that companies must make sure the controls they put in place to make payments are standardized across their banks, since “anytime there is an exception it creates an opportunity for Cybercrime.” Not every bank supports digital signatures, but if that’s the case it’s still a good idea for companies to use them for their own internal workflow before instructions are sent to the bank.

Companies using SWIFT to transfer funds should also examine their SWIFT access provider, whether a SWIFT bureau or the messaging service’s Alliance Lite2 product, looking for SWIFT certifications as well as information from third-party audits, Mr. Dorio said. He said companies should be sure bureaus have sufficient technical and operational expertise to handle events such as SWIFT’s yearly system enhancements.

Ms. Haddad emphasized the importance of companies talking to their banks about the tools they provide to bolster transmission and content security. She noted client self-service tools as an area where banks can be most innovative, enabling clients to monitor payment file activity and transmission status, mobile and online payment approvals, and separation of duties and entitlements.

Oftentimes, bank security measures require USB or thumb drives to access their portals.
“I think most corporate treasuries have a bag full of dongles to get into their banks …” Mr. Dorio said.

Upon requests by corporates to resolve this dilemma, SWIFT developed the 3Skey, which consolidates those devices into a single device that can be issued to an individual. Consequently, a specific executive can be entitled to make payments to a bank up to a certain level, while another executive can make payments beyond that level.

“When [an executive signs] it with the 3Skey it’s sealing the entire payment file, and if it’s ever tampered with in transit that seal is broken and the bank will reject it,” Ms. Haddad said.
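The sealing and entitlement workflow described in the last three paragraphs, as an added example in Go (not code from the page, SWIFT or the 3Skey product): a Signer stands in for an executive's credential, the "PAY;beneficiary;cents" file format and its amounts are constructed, and the Limit field is an assumed model of the per-executive payment entitlement. BankAccept returns nil for an untouched file within the limit and an error when the seal is broken or the total exceeds the signer's level.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strconv"
	"strings"
)

// Signer: an executive's key pair plus the payment limit (cents) the bank entitles it to (hypothetical).
type Signer struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	Limit int64
}

func NewSigner(limit int64) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Signer{Pub: pub, priv: priv, Limit: limit}, err
}

// Seal signs the whole file, so changing any byte in transit breaks the seal.
func (s *Signer) Seal(file []byte) []byte { return ed25519.Sign(s.priv, file) }

// TotalCents sums the constructed "PAY;<beneficiary>;<cents>" lines of a file.
func TotalCents(file []byte) (int64, error) {
	var total int64
	for _, line := range strings.Split(strings.TrimSpace(string(file)), "\n") {
		f := strings.Split(line, ";")
		n, err := strconv.ParseInt(f[len(f)-1], 10, 64)
		if len(f) != 3 || f[0] != "PAY" || err != nil || n <= 0 {
			return 0, fmt.Errorf("malformed payment line %q", line)
		}
		total += n
	}
	return total, nil
}

// BankAccept: verify the seal against the registered key, then enforce the signer's entitlement.
func BankAccept(s *Signer, file, seal []byte) error {
	if !ed25519.Verify(s.Pub, file, seal) {
		return fmt.Errorf("seal broken: file rejected")
	}
	total, err := TotalCents(file)
	if err == nil && total > s.Limit {
		err = fmt.Errorf("total %d exceeds signer limit %d", total, s.Limit)
	}
	return err
}
```

The seal is checked before the amounts are parsed, so a tampered file is rejected without the bank acting on any of its contents.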
