On 14 January 2019, the Association of Corporate Treasurers (ACT) alongside the European Association of Corporate Treasurers Cyber Security Working Group hosted an event at Barclays’ head office to discuss current trends in the cyber security space and ways of mitigating cyber risks. The event featured a panel session with a line-up of speakers from companies including the City of London Police, Standard Chartered, Global Cyber Alliance, Steelcase and Barclays.
The source of many headaches
As companies continue to evolve digitally, they also become increasingly vulnerable to cybercriminals deploying ever more sophisticated attack methods. Daniel Piper, Detective Inspector from the Cyber Crime team at the City of London Police, explained that criminals have been scouting potential targets for centuries and can now do so from the comfort of their own home. Hackers who want to learn new tricks can simply use a search engine to improve their knowledge. If that is too hard, it is possible to find sites online that look as professional as those of a high street brand, offering to take a website offline, provide fake ID or supply cloned cards, as well as a raft of other services.
Ludwig Keyser, Director of the Joint Operations Centre at Barclays, explained that the most common attacks seen across the Barclays network are phishing scams, through which cybercriminals send malicious emails to gain access to networks and personal information. Nina Paine, Global Head of Cyber Partnerships & Government Strategy at Standard Chartered, underlined this point, revealing that 80-90% of cyber attacks still begin with a victim clicking on a link.
Personalised attacks
Daniel explained how the growth of digital footprints is also enabling cybercriminals to become smarter with their tactics, as more information is available online to personalise their malicious attacks. Ludwig elaborated that social media platforms are key targeting areas, as users often post information about the company they work for, their department and potentially even the treasury platform they use, all of which can be used to make spam mail look realistic.
Finding a way in
With many large corporates investing more into their cybersecurity defences, criminals are now searching for areas of weakness to target next. Digital connectivity between companies means that smaller companies are increasingly targeted as a means to access larger businesses. Nina Paine recalled that a cyber attack on a major US retailer had originated from the compromise of one of their suppliers, an air-conditioning and refrigeration firm.
Protecting your company
Anne-Catherine Sailley, EMEA Treasurer at Steelcase, emphasised the importance of working together to mitigate cyber risk. Treasurers, together with internal audit, technology and information security, need to collaborate to build a strong control environment. She suggested that an audit of the company’s current set-up can help focus attention. Nina explained that a common approach is to assess risk in terms of the confidentiality of data, the need for data integrity and the required availability of systems.
Andy Bates, Executive Director for the United Kingdom, Europe, Middle East & Africa at Global Cyber Alliance, felt it was important to keep technology departments focused on the basics. As part of a review of treasurers within Europe, the Global Cyber Alliance found that 88% of companies had not turned on a simple email configuration called Domain-based Message Authentication, Reporting and Conformance (DMARC). As a result, hackers are able to send an email that appears to come from any of these companies’ email addresses without needing to break into the company’s network. Andy also highlighted a case in which a hacker was able to instruct a bank to complete a fraudulent payment, even after the bank had correctly identified it as fraudulent, because the client had not turned on DMARC.
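The DMARC point above is easy to check for your own domains. The following script is an added example, not material from the event or from any of the organisations named: it parses the DMARC TXT record a domain publishes at `_dmarc.<domain>` and grades it as missing, monitor-only (`p=none`), partially applied (`pct` below 100) or enforcing, then reports the share of domains that are not enforcing, which is the statistic the Global Cyber Alliance review quotes. The records below are constructed sample strings so the script runs offline; in practice you would fetch each one with a DNS lookup such as `dig +short TXT _dmarc.example.com`.

```python
"""Grade DMARC records for a set of domains (added example, offline)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample records for illustration; these are not the records of
# any real domain. In practice each value is the TXT record published at
# _dmarc.<domain>, and None means no record was found.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "strict.example": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                       "rua=mailto:dmarc@strict.example"),
}


def parse_dmarc(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC record into tag/value pairs.

    Returns None when there is no record, when it is not a DMARC1 record,
    or when the mandatory p= tag is absent (receivers ignore such records).
    """
    if txt is None:
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(txt: Optional[str]) -> Tuple[str, List[str]]:
    """Return (grade, findings) for one record.

    Grades: "missing", "monitor-only", "partial-<policy>", "enforcing-<policy>".
    """
    tags = parse_dmarc(txt)
    findings: List[str] = []
    if tags is None:
        return "missing", ["no valid DMARC record published"]
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))          # pct defaults to 100
    except ValueError:
        pct = 0
        findings.append("pct is not an integer; treated as 0")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports not collected")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "monitor-only", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
        return f"partial-{policy}", findings
    if sub_policy == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return f"enforcing-{policy}", findings


def share_not_enforcing(records: Dict[str, Optional[str]]) -> float:
    """Fraction of domains whose DMARC policy is not fully enforcing."""
    grades = [assess_dmarc(r)[0] for r in records.values()]
    return sum(not g.startswith("enforcing") for g in grades) / len(grades)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, notes = assess_dmarc(record)
        print(f"{domain:20} {grade:18} {'; '.join(notes)}")
    print(f"not enforcing: {share_not_enforcing(SAMPLE_RECORDS):.0%}")
```

A record graded `monitor-only` is the common trap: the domain "has DMARC" on paper, but receivers still deliver spoofed mail, so it offers none of the protection Andy describes. Moving to `p=quarantine` or `p=reject` with `pct=100` is what actually stops the spoofed message.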
The panel discussed how companies migrating services onto cloud computing software could gain access to more advanced controls. Ludwig, however, expressed the importance of not relinquishing your own control requirements, citing a number of companies that turned off two-factor authentication when they went live with a cloud solution and were subsequently breached.
Anne-Catherine’s top tips
□ Maintain controls across all channels (ERP / TMS / web banking tools).
□ Implement four-eyes checks.
□ Activate two-factor authentication.
□ Don’t allow people to share accounts; it makes it harder to monitor behaviour.
□ Only give people enough scope to do their job.
□ Implement detective controls such as reconciliations and account monitoring.
For more information see: https://eact.eu/news/108/is-your-company-protected-from-cyber-threats/
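Three of the tips above (four-eyes checks, no shared accounts, scope limited to the job) are preventive controls, and the last one is a detective control. The following is an added example, not code from the event or from Steelcase, showing how a payment-release step in a treasury system can enforce all four at once: the initiator can never approve their own payment, the same user cannot approve twice, an approver may only release amounts within their own limit, and every decision (including the blocked ones) lands in an audit log that a reconciliation or monitoring job can review. The users, limits and amounts are constructed sample values; `approvers_required` is a hypothetical parameter that lets the same check run as six-eyes.

```python
"""Four-eyes payment release with per-user scope and an audit trail (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class ControlViolation(Exception):
    """Raised when an approval would breach a preventive control."""


@dataclass
class Payment:
    ref: str
    amount: int                       # minor units (e.g. pence); constructed values
    initiator: str                    # user who keyed the payment
    approvals: Set[str] = field(default_factory=set)
    released: bool = False


class PaymentReleaseControl:
    """Releases a payment only after `approvers_required` distinct approvers,
    none of whom is the initiator, each acting within their own limit."""

    def __init__(self, approval_limits: Dict[str, int], approvers_required: int = 1):
        self.limits = approval_limits          # user -> maximum amount they may approve
        self.required = approvers_required     # 1 = four eyes, 2 = six eyes
        self.audit_log: List[str] = []         # detective control: every decision recorded

    def approve(self, payment: Payment, approver: str) -> bool:
        if payment.released:
            raise ControlViolation(f"{payment.ref}: already released")
        if approver == payment.initiator:
            raise ControlViolation(f"{payment.ref}: {approver} cannot approve a payment they initiated")
        if approver in payment.approvals:
            raise ControlViolation(f"{payment.ref}: {approver} has already approved")
        limit = self.limits.get(approver)
        if limit is None:
            raise ControlViolation(f"{payment.ref}: {approver} has no approval scope")
        if payment.amount > limit:
            raise ControlViolation(f"{payment.ref}: amount {payment.amount} exceeds {approver}'s limit {limit}")
        payment.approvals.add(approver)
        self.audit_log.append(f"{payment.ref} approved by {approver}")
        if len(payment.approvals) >= self.required:
            payment.released = True
            self.audit_log.append(f"{payment.ref} released")
        return payment.released


def try_release(control: PaymentReleaseControl, payment: Payment, approver: str) -> Tuple[bool, str]:
    """Attempt an approval; blocked attempts are logged instead of raised so the
    audit trail shows who tried to bypass the control, not just who succeeded."""
    try:
        return control.approve(payment, approver), "ok"
    except ControlViolation as exc:
        control.audit_log.append(f"BLOCKED: {exc}")
        return False, str(exc)


if __name__ == "__main__":
    ctrl = PaymentReleaseControl({"bob": 1_000_000, "carol": 50_000})
    pay = Payment("PAY-001", amount=250_000, initiator="alice")
    for user in ("alice", "carol", "bob", "bob"):
        print(user, try_release(ctrl, pay, user))
    print("\n".join(ctrl.audit_log))
```

The point of logging the blocked attempts is that a user repeatedly trying to self-approve, or approving above their limit, is exactly the behaviour account monitoring should surface; a control that silently refuses tells you nothing afterwards.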
Changing behaviours
Nina revealed that there is a clear correlation between Board commitment to cybersecurity and leading cybersecurity practices. This is an issue that needs to be filtered down throughout the company, as staff are the front line of defence in reporting malicious emails or potentially identifying the next attack. For example, in the Bank of Bangladesh heist, where cybercriminals attempted to steal $1 billion in total, $20 million was stopped by a bank employee who spotted the cybercriminals’ spelling error on a payment. Nina also suggested that staff could be incentivised through colleague “rewards” to encourage continuous awareness. Anne-Catherine highlighted that the focus needed to be broad across the organisation and not limited to the highest-risk roles.
In addition to procedural training, Dan reflected on the importance of making people aware of how their digital footprints might be used against them or their colleagues in the future. The panel also recommended instilling a healthy scepticism in your team, so that if they receive an odd request they recheck the instructions. For example, if an employee receives an email with an unusual request, they should confirm it by telephone rather than by replying to the email. A member of the audience suggested that personal relationships are key when understanding and validating inbound requests.
Resources to help design training
Content from Barclays that could be used for internal training: https://www.barclayscorporate.com/insight-and-research/fraud-smart-centre.html
A tool that estimates how long it would take to crack your password:
https://howsecureismypassword.net/
A tool to identify if an email was part of a previous major database hack:
Help if it goes wrong
Daniel’s team is there to help if you are targeted. Incidents should be reported through Action Fraud. The process is quick to complete and only requires information the user already has. Even if users do not fall victim to a cyber threat, it is important that the attempt is logged, as friends and colleagues may not be so fortunate.
Andy explained that corporates should also consider sharing information on threats with other businesses. Nina concurred that many financial institutions take part in this form of industry collaboration and it has helped them prevent credible attacks.
Reporting an attack
Use the following link to report an attack:
https://www.actionfraud.police.uk/
Author: James Henderson, Director within Barclays Corporate Banking & member of the European Association of Corporate Treasurers Cyber Security Working Group