Is Your Company Protected from Cyber Threats?

Published: September 01, 2018

Is Your Company Protected from Cyber Threats?

Today's treasury infrastructure is changing and, with it, the associated risks of data loss or fraud have multiplied. Within the security community, it is often said that it is not a matter of ‘if’ but ‘when’ you are going to be affected by a security breach. Treasurers need to ensure that controls are in place to protect the corporate assets and, as such, should take a lead role in protecting the company from cyber threats. Securing your company is not a one-time exercise; it is a journey that needs to be reviewed regularly and adapted to new threats. 

You can’t do it alone

It is unlikely that treasurers have the expertise to protect the company on their own. Therefore, it is best to create a cross-business team with technology, information security and internal audit to jointly protect the firm. Working together and utilising collective expertise, the team can audit risky processes, run security penetration tests, and then jointly assess the levels of risk to the organisation before determining an action plan. 

In addition, this is not something that only the leadership team needs to be aware of. To best prepare the organisation, the employees need to be aware of the latest fraud attack vectors and techniques, and receive proper training on how to successfully identify, prevent and respond to attacks. This training must be provided regularly, so as to keep pace with the constant evolution of the cybercrime landscape. It is a good idea to test the effectiveness of the training through internal mock phishing exercises to ensure the employees follow the proper policies and procedures. 

Protecting the treasury infrastructure

There can be numerous entry points into a company’s infrastructure. For some, all it takes is an employee plugging in a USB stick they found on their way to work, or an unintentional click on a website (even legitimate ones) to open the infrastructure up to risk. It’s a good idea to review these potential entry points with your technology team to understand what controls you have in place. The following topics provide a good starting point for these discussions:

    Minimising the risk from external connections 

    You need to protect the information not only whilst it is within your environment but also when it leaves your estate. To do this, the key is to instigate encrypted channels and protocols throughout the information flow. There are a number of weak points to consider:

      When considering regular penetration tests, you should think not only about your treasury infrastructure but also that of supporting systems and your external service providers.

      Manual interactions

      Manual interactions within most systems are inevitable. When they do arise, the key is to ensure there are the appropriate levels of control around them. Utilising features such as user profiles, workflow limits and four-eyes approvals help. However, for controls to be effective, you also need to ensure users have just enough latitude to complete their jobs. When determining where controls are required within the workflow you should think creatively. For example, whilst the payment details obviously require a high degree of control, what about suppliers’ phone details? If someone first modified a supplier’s phone number and then changed the invoice details, would you call a number that you know and trust to check if the supplier’s details are correct?

      Utilising the controls available to you 

      Your banking partners may have a number of controls that can be deployed to further help you. The usefulness will depend on you integrating them. Below are the most common tools:

        Tracking unusual behaviour

        Once you have implemented a tight control framework, you should consider how you monitor the payment flow, privileged user actions and network traffic to identify any unusual behaviour. The first step is to have a centralised role completing the monitoring. In doing so it helps build up expertise, in order to enable more effective vigilance and the creation of more useful controls. Advancements in technology, with respect to machine learning and artificial intelligence, are making this activity less resource-intensive and thereby accessible to more companies. When deployed to monitor network and server logs, you can detect threats before your antivirus is even aware of their existence. Additionally, when deployed to monitor users with privileged access, you can track unusual activity preventing account compromise and insider threats.

        Incident response 

        Speed and precision are required to prevent an incident becoming a disaster. You should make sure the relevant actions are defined for each scenario, from the discovery until conclusion and review, as well as ensuring that everybody involved in each action knows their role within the process (compliance, audit, security, treasury, IT, banks, legal, corporate communications etc.). It is recommended that you regularly test the process to confirm the validity.

        Conclusion

        In some cases, these practices may seem daunting at first to the uninitiated. Nonetheless, with the rising level of threats, it is paramount that attention is given to ensuring the firm’s assets remain protected. A useful starting point would be to create a cross-business working group to consider your firm’s potential vulnerabilities. Once you have a list, you can ensure management are aware and then prioritise the remediating actions.   

        Anne Catherine Sailley

        Manager, Treasury EMEA, Steelcase

        Anne Catherine Sailley started her career with KMPG Audit as an auditor. Then she joined Steelcase, 18 years ago, to create the internal Audit department in EMEA. Following this audit experience she became a member  of the Steelcase finance team responsible for consolidation, control, industrial reporting and analysis. For the last eight  years, she has been working  in the Treasury  department where she currently takes the treasury lead in designing the banking structure to support more centralised payments, to drive the design of ongoing control structure around payment processes and  to implement a treasury management system around the globe.

        James Henderson

        Director, Head of Specialist FX Products, Barclays Corporate Banking 

        James Henderson has spent the last seven years working within Barclays’ Foreign Exchange team, focused on improving the automation and risk mitigation of FX processes. James’s current role is as Director, Head of Specialist FX Products, with responsibility for looking at how technology can be used to help improve the effectiveness of clients’ business processes. As a Fellow of the Association of Corporate Treasurers, James joined the EACT Cyber Security working group in 2017.

        Sign up for free to read the full article

        Article Last Updated: May 03, 2024

        Related Content