Fighting Cybercrime in the UAE: Building a Treasury Game Plan
Published: August 01, 2019
Do you know who to call if your ERP is hacked? How will you make payments if treasury systems are disabled? Is cyber insurance the best form of risk mitigation? These questions and more were answered during a recent roundtable discussion hosted by Abu Dhabi Commercial Bank (ADCB) – which saw corporates, industry experts and ADCB executives share best practices on keeping treasury secure in the digital age.
Isaac Thomas Head of Transaction Banking, ADCB
Cybercrime activity in the UAE is on the rise, with malware and phishing attacks being the most prominent vectors. In fact, the UAE now ranks eighth in the most cyber-attacked countries in the Middle East and Africa region. Electronic fraud cases are also increasing in the UAE, and although the government is imposing heftier fines for cybercrime, the perpetrators remain extremely difficult to track – and can be working from anywhere in the world.
In an increasingly digital world, treasury needs to be on the front foot when it comes to cybersecurity. This is precisely why ADCB hosted roundtables in Abu Dhabi and Dubai on this topic in April 2019, led by Isaac Thomas, Head of Transaction Banking, ADCB and Sherie Morais, Head of Business Development, Transaction Banking, ADCB.
Building on a successful Digital Innovation Debate in 2018, these interactive cybersecurity sessions kicked off with an update on market conditions from Monica Malik, ADCB’s Chief Economist. Then the baton was handed over to Mimecast’s Jeff Ogden, GM Middle East and Hany George, Technical Specialist, to bring the cybersecurity topic to life. Mimecast provides email security and cyber resilience solutions.
“There are an enormous amount of cyber breaches happening around the world on a daily basis,” began Ogden. It is not only the growing number and scale of these attacks that is a concern for treasurers, he explained, it is the fact that cybercriminals are now attacking all sectors – the majority of bad actors are simply looking for organisations that are easy to hack.
“Over the past year, we’ve seen many SMEs coming under attack,” Ogden explained. “But all companies are at risk – and this is now becoming a boardroom issue. The challenge is that boards often do not know how to tackle cybercrime, or they underestimate the seriousness of the situation, so fail to take the appropriate action.”
Top cyber concerns
Understanding the nature of current threats is key to grasping the true risk potential. According to a recent survey carried out by Mimecast, the top threats companies in the UAE are concerned about are: ransomware; supply chain attack; CxO fraud; and phishing.
Sherie Morais Head of Business Development, Transaction Banking, ADCB
“Ransomware is now pervasive in the corporate sector, where cybercriminals can charge higher ransoms,” said Ogden. “The good news is that ransomware is declining globally as organisations are becoming wiser to the attack vector and putting better protection and back-ups in place. Consumers and companies are also learning that paying the ransom doesn’t necessarily guarantee that your data will be unencrypted – or not within a rapid timeframe, at least.” One audience member commented here that best practice advice from cyber insurance firms now suggests that treasurers do not pay ransoms, for the exact reasons stated above.
While ransomware may be declining as an attack vector, supply chain attacks are on the rise. These involve hackers exploiting weak points in the company’s buyer-, supplier- and partner ecosystem in order to compromise the individual or organisation. “Many e-commerce sites have been impacted by this, with British Airways (BA) being a prime example. Browser code inserted into the company’s website led to customer credit card details and personal information being stolen. Over a two-week period, 380,000 of BA’s customers were hit,” Ogden explained.
This makes conducting due diligence on suppliers even more critical. “You have to think about all of the relationships in your supply chain and probe them for weaknesses. Clear expectations must be set in terms of cybersecurity expectations and procedures to follow in the event of a breach,” he advised.
More of a concern than ransomware, according to Mimecast’s survey is so-called CxO attacks. These are impersonation rackets that involve fraudulent communication and can involve any C-suite member, from the CEO and CIO to the CFO. “Eighty-five per cent of organisations we have surveyed in the past year in the UAE have suffered an impersonation attack. And seventy-three per cent of those experienced a direct loss as a result – ranging from data loss to loss of jobs within the organisation,” Ogden warned.
“These attacks are becoming much more sophisticated. It’s no longer a question of spotting fake emails because of spelling mistakes. The hackers are very smart and patient. They will sit inside an organisation for months, gathering information, profiling the executive in question, learning how to impersonate them, reading their emails, looking at their calendar, and waiting for the right moment to strike.”
Treasury under fire
From a treasury perspective, these attacks typically involve receiving an email from the hacker – pretending to be the CFO – requesting an urgent payment to be made. This should always be a red flag for the treasurer, regardless of how authentic the request appears. Gut feel plays a large part in stopping these attacks, as do proper processes for approving payments, especially exceptional transactions.
Jeff Ogden GM Middle East, Mimecast
The largest cyber concern for UAE-based organisations, however, is phishing. Circa 90% of those surveyed by Mimecast have seen a phishing attack and 65% of the hacking groups tracked by Mimecast use spear phishing and phishing as their primary attack vector. Of those successful phishing attacks, 96% of the activity is intelligence gathering – playing a long game to reach the right target within the organisation at the right time and/or harvesting information which can then be sold to competitors, or to other cybercriminals on the darknet – an underground economy.
To demonstrate just how easy it is to snag a target via a phishing attack, Hany George then performed an ethical hack for the audience. He demonstrated how, by “profiling an individual on social media and understanding their likes and habits, it is easy to create a malicious email campaign that will entice them to click and unwittingly install malware. “It could be as simple as sending someone an email that looks as if it is coming from a large e-commerce website advertising a new mobile phone,” he explained.
And using site cloner software available on the darknet, the cybercriminal can build a replica of that e-commerce website which, when the user clicks the link in the e-mail, looks perfectly normal – but is in fact installing malware that gives the cybercriminal control of the user’s device. The clever part is that the user sees nothing suspicious. “The cybercriminal can sit there for as long as they like, watching and waiting for the opportunity that will provide them with the biggest payday,” said George.
Users can play a role in stopping phishing attacks – such as taking the time to check the sender field of an email or hover over a link and check the URL if the email looks suspicious. But often, the emails don’t look suspicious, and email addresses can be cloned. So, the best way to prevent this kind of attack is through a targeted cybersecurity solution. Nevertheless, treasurers can play their part by being vigilant and embracing good cyber hygiene steps, including visiting a website directly, rather than clicking an email link.
Another important step “is to assume you will be hacked sooner or later,” George warned. “You need to work with your IT team, compliance and legal, your banks and vendors to have a plan in place for when the inevitable happens. The recovery time from an attack can be significantly reduced if a robust plan is in place – and it is tested regularly.”
Being a good cyber citizen
Daniel Tromans Director of Treasury, Etihad Aviation Group
Much audience debate followed, with audience members sharing their own experiences around cybersecurity. During the Abu Dhabi roundtable, Daniel Tromans, Director of Treasury, Etihad Aviation Group explained how data security is a key priority for him, and the wider group. “We hold large amounts of sensitive data, including passenger information. We also operate in numerous locations that are hotspots for cyber attacks, so we have to have state-of-the art security,” he noted.
Tromans went on to say that the rapid digital transformation Etihad is undertaking is also raising awareness of cybersecurity across the organisation, including within treasury. “And as treasury departments across the UAE shift towards digital processes, treasurers must take a proactive role in keeping the organisation’s cash and data safe,” he said.
“We’ve taken a number of steps to help ensure treasury plays its part: our treasury management system is hosted on a secure cloud; we use best in class security protocols; and we have policies in place around segregation of duties. These are just a few examples, but they demonstrate how seriously we take our role in protecting the organisation from cyber threats,” Tromans explained.
Meanwhile in Dubai, corporates debated the merits of cyber insurance, with many treasurers yet to be convinced of its value, given the high frequency of get-out clauses. Audience members also discussed the rise of artificial intelligence and robotics, and how this would deepen treasury’s role in cybersecurity – with George warning that robots can potentially be hacked.
Finally, Ogden and George, while highlighting that there is no substitute for good cybersecurity software, shared some best practice tips:
Know your infrastructure.
Work with IT to check that all treasury systems are protected – this should include physical threats, such as malware being introduced via a USB port.
Know your supply chain.
Conduct strict due diligence on all supply chain players – buyers, suppliers, banks and vendors. Data hosting services should come under scrutiny and comply with ISO and SOC standards as a minimum.
Know your team.
Regularly train your treasury team on cyber threats, how to spot them, and how to react to them. Ensure there is a speak-up culture whereby everyone in the team feels empowered to question instructions, even from the C-suite, and to admit when they think they may have clicked on a suspicious link.
Know your plan.
Work with IT and other internal and external partners to build robust cyber resilience, disaster recovery and business continuity plans. Ensure everyone knows what role they play and what the safe communication channels are. Test the plan regularly and keep it updated to reflect new threats and new partners.
Know yourself.
Take responsibility for your own cyber habits and adopt good cyber hygiene – from using strong passwords and changing them regularly, to remaining vigilant at all times. Be a cybersecurity champion within treasury, leading by example.