This post was originally published on The Global Treasurer.


According to a recent survey of corporate treasurers and finance professionals, the risk of payment fraud and cybersecurity is the most feared operational challenge. What’s more, the survey suggested it is a rapidly growing headache – the number of respondents who identified it as a major threat increased by 14 per cent year-on-year.

Are treasurers right to view cybersecurity as the major risk? Absolutely yes, they are, according to Bart McDonough, CEO of managed IT and cybersecurity specialist Agio, which works closely with financial services organizations – not least because the threat environment is rapidly changing.

“If we go back 15 years, the macro threat and cyber security was very different,” comments McDonough. “We’ve progressed from cyber activism and cyber vandals, because cyber criminals started realizing they could monetize cyber-attacks. They worked out that they can take their activities and really turn them into revenue producing activity. While they still attack health records, for example, the focus moved to how they could get money quickly and easily.

“At the same time, they realized that finance professionals are great targets because they either have direct access to the money, or they’re a conduit for it. That’s why this group of individuals is so targeted. If you combine that threat intelligence with the idea that, if you exclude the top 10 banks, the rest of the financial services industry, from a multi-billion dollar hedge fund all the way up to your larger sell side institutions, sometimes their cyber security departments are either non-existent, or they might have two or three or five people. Everyone wants to talk about Citi or Bank of America, how they’re led by former FBI agents, and they have 1,000-person cyber armies defending them. That’s the rare exception. So, you have this target that is very rich from a financial standpoint, but barely protected from a cyber resource standpoint. That’s why the cyber threat is so real.”

Starting point

Despite this rather concerning summary of the latest threat landscape, McDonough says treasurers needn’t panic.

“I always say that cyber-attacks are like playing the lottery without having to buy a ticket – you would if you could. Attackers just keep on playing. If you start making it harder for them to get a free ticket, they move on. If you can make it hard enough for attackers, they’ll turn their attentions elsewhere. If you can make it just one step harder than the next institution, you’re going to be that much safer. There is a game that is played – you see it on the hacker chat rooms – where once they reach a certain degree of difficulty, they simply move on to their next target. In medieval times, that was about having a higher fence than your neighbor! Incrementally improving your defenses exponentially decreases your risk profile.”

Taking that analogy, what can treasury departments do to increase the height of their proverbial fence?

“One, I think they need to have really rich intelligence in order to understand the threat,” explains McDonough. “They also need end-user training so they understand how threat actors will approach them, whether that’s phishing or whatever. That’s the baseline. If you know you’re walking through a neighborhood where there’s a high history of pickpocketing, you’re going to take defensive actions. If you’re not situationally aware, you’ll leave yourself more open to crime.

“Next, let’s practice good basics. Let’s make sure that there’s multi-factor authentication enabled on all systems. At one point this year, we had dealt with 17 different cyber breaches for an organization. All 17 would have been prevented had the organization enabled multi-factor authentication.

“Then, we need to make sure that systems are patched in a very timely manner. There are all kinds of statistics out there about the number of breaches that occur as a result of poorly patched systems. Just those three things will provide treasury departments with much greater security and will encourage the threat actors to move on.”

People count

Given that much of the above involves people – and security is only as strong as its weakest link, which is usually a person – how does McDonough think organizations can go about instilling a true culture of cybersecurity?