As 2017 drew to a close, former White House cybercrime adviser Dr Eric Cole warned FOX Business that we’ve “only seen the beginning” of cyber fraud.
As such, it is vital for corporate treasurers to be hyper-aware of the cyberthreats that are facing their profession – and the duties they must fulfil to maintain scrupulous levels of cybersecurity.
In that spirit, we have asked two experts to highlight a range of cybersecurity pain points that treasurers must cover off in 2018.
Our speakers are Jonathan Williams, principal consultant at fraud prevention specialists Mk2 Consulting, and Ferguson Group Services assistant group treasurer Royston Da Costa. Here are their thoughts…
JW Counterparty due diligence is a crucial area for cybercrime prevention, and there are several initiatives related to this. One strong example is the UK’s cross-industry Payment Strategy Forum. Its recent Blueprint for New Payments and accompanying Financial Crime, Security and Data Solutions are full of excellent advice on KYC data-sharing procedures and a host of other, relevant matters. You can find those materials here.
RDaC Put together a formal treasury policy. This should define in writing how you conduct your counterparty exposure management, who you deal with and what terms you have with them. We look at our counterparties’ credit ratings and CDS spreads – indeed, all of our banks and counterparties must be highly visible. We have credit limits in place to put ceilings on transaction values, and we use an encrypted online platform for transfers. Every year, we’re obliged to ensure that the third-party technology providers we use for such activities are up to date, in terms of their externally audited IT security certifications.
JW Social engineering (SE) is one of the two main methods that enable individuals to access systems they shouldn’t. The other – hacking – often relies upon data obtained through SE. That makes SE the primary threat to guard against. Typically, it relies upon establishing trust between people where none should exist.
In some cases, the criminal pretends, in writing, to be a representative of a regulatory or law-enforcement body, in order to persuade someone to do something they shouldn’t. Many of these approaches result in what the industry now calls ‘authorised push payments’: the business ends up making a payment, properly authorised by the right people, to a fraudster or account in a money-mule network.
For many years, invoice fraud has attempted to redirect payments for valid invoices into criminals’ accounts. This has developed into so-called CEO fraud, whereby a junior member of staff receives an email purportedly from their superior, requesting an urgent payment to a particular account – often for a large sum, and to an overseas recipient. Their willingness to help is abused, and even Facebook and Google were embroiled in a $100m email scam. To counter this, firms must learn to distrust such instructions until they can be verified.
RDaC When CEO frauds were first covered in the media, the cases were horribly unfortunate. Victims had not been naive – they had only been trusting. However, with further cases coming to light, firms have become more aware. It remains the case that you can’t do anything about a fraudulent email coming through your firewall. But what you can do something about is how you deal with it. Ensure that no member of staff feels pressured to carry out financial instructions at the behest of a single, senior figure. Instead, put in place a set procedure that has to be followed for each instruction of that nature, overseen by at least two independent members of staff.
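The two controls described above – a counterparty policy with transaction ceilings, and a release procedure that needs two independent people – can be enforced in software rather than left to whoever happens to be under pressure. The following is an added example written for this page, not code from either speaker or their firms: the counterparty register, the limits, the staff names and the sample instruction are all constructed, and the rule that an emailed instruction must be confirmed by a callback to a number already on file is an assumption about how such a policy would be written.

```python
"""Four-eyes release of a payment instruction against a counterparty policy.

Added example for illustration only. Counterparties, limits, staff names and
the sample instruction are constructed, not taken from any real register.
"""
from dataclasses import dataclass, field

# Constructed register: only beneficiaries that have been through due diligence,
# each with the transaction ceiling the treasury policy sets for it.
APPROVED_COUNTERPARTIES = {
    "GB29NWBK60161331926819": {"name": "Acme Supplies Ltd", "limit": 250_000},
    "DE89370400440532013000": {"name": "Beispiel GmbH", "limit": 100_000},
}


@dataclass
class Instruction:
    requester: str                    # staff member who keyed the instruction
    beneficiary_iban: str
    amount: float
    channel: str                      # "email", "portal", ...
    callback_verified: bool = False   # beneficiary confirmed on a number already on file (assumed policy rule)
    approvals: list = field(default_factory=list)


def approve(instr, approver):
    """Record an approval. The requester cannot approve their own instruction,
    and the same person cannot count twice, so two approvals really are two people."""
    if approver == instr.requester:
        raise ValueError("requester may not approve their own instruction")
    if approver in instr.approvals:
        raise ValueError(f"{approver} has already approved this instruction")
    instr.approvals.append(approver)


def release_checks(instr, required_approvals=2):
    """Return the reasons the instruction must NOT be released (empty list = release allowed)."""
    problems = []
    cp = APPROVED_COUNTERPARTIES.get(instr.beneficiary_iban)
    if cp is None:
        problems.append("beneficiary not in approved counterparty register")
    elif instr.amount > cp["limit"]:
        problems.append(f"amount exceeds counterparty limit of {cp['limit']}")
    if instr.channel == "email" and not instr.callback_verified:
        problems.append("emailed instruction not verified out of band")
    if len(instr.approvals) < required_approvals:
        problems.append(f"only {len(instr.approvals)} of {required_approvals} independent approvals")
    return problems


def can_release(instr):
    return not release_checks(instr)


if __name__ == "__main__":
    # Constructed "urgent request from the CEO" arriving by email to a new account.
    urgent = Instruction("junior.clerk", "XX00UNKNOWN", 180_000, "email")
    print(release_checks(urgent))        # three blocking reasons
    approve(urgent, "treasury.manager")
    print(release_checks(urgent))        # still blocked: unknown beneficiary, no callback, one approver
```

Note that the instruction is never released merely because its approvals count reaches two; the beneficiary must also be on the register, within its ceiling, and, if it came in by email, confirmed out of band. That ordering is what stops a convincing email from short-circuiting the rest of the policy.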
JW It is no longer just passwords that are used to secure systems. In fact, as a result of the General Data Protection Act, many services that handle personal data require two-factor authentication to log in, including either biometric details or security tokens.
Firms that still rely upon only usernames and passwords should certainly ensure they have strong levels of password security. However, long-standing advice to change passwords on a monthly basis is no longer valid. In the US, the National Institute of Standards and Technology strongly recommends not enforcing frequent password changes, as they can increase the support load on stretched IT security resources.
RDaC Best-practice information I have suggests that a password’s strength is not guaranteed by its complexity – as in how it combines uppercase, lowercase, numerals and special characters. The deciding factor is length. A strong password should be as many as 30 characters, the longer the better, and contain a reasonable amount of variation.
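To make the length-versus-complexity point concrete, the following is an added example written for this page, not code from either speaker. It estimates password strength as the usual upper bound of length multiplied by the bits per character of the alphabet the password actually draws on, and applies a length-first policy with no rotation rule. The thresholds (16 characters, 80 bits) and the sample passwords are assumptions chosen for illustration.

```python
"""Length-first password policy check, added example (not from the article).

Strength is estimated as len(pw) * log2(alphabet size), where the alphabet is
inferred from the character classes present. This is an upper bound for a
random password; it still shows why a long passphrase beats a short "complex" one.
"""
import math
import string

# (characters in the class, size the class adds to the alphabet)
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),   # 32 printable symbols
]


def alphabet_size(pw):
    """Sum the sizes of the classes that the password actually uses.
    Characters outside all classes (e.g. a space) add nothing to the estimate."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in pw))


def entropy_bits(pw):
    n = alphabet_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_policy(pw, min_length=16, min_bits=80, min_distinct=4):
    """Return the reasons the password fails (empty list = accepted).
    Length is decisive; character-class mixing is not demanded, only some variation."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if entropy_bits(pw) < min_bits:
        problems.append(f"estimated strength below {min_bits} bits")
    if len(set(pw)) < min_distinct:
        problems.append("too little variation (repeated characters)")
    return problems


if __name__ == "__main__":
    # Constructed samples: a classic "complex" 9-character password and a 30-character passphrase.
    for pw in ("P@ssw0rd!", "correcthorsebatterystaplefence"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, problems={check_policy(pw)}")
```

The 9-character password uses all four classes, so it scores the full 94-character alphabet, yet it still comes in under 60 bits; the lowercase-only 30-character passphrase is well over 140. Adding a second word or a digit to the passphrase raises the estimate far more than adding another symbol to the short one.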
JW The second Payment Services Directive (PSD2) requires users to observe the strong customer authentication protocol – not just when making a payment and logging into an account online, but for engaging in a remote action that carries a risk of payment fraud or other misuses.
That protocol will cover many corporate-to-bank transactions, especially those relating to mandate changes. To support knowledge-based authentication, such as passwords or shared-secret information, this authentication method will ring in new technologies, such as biometric devices and security tokens. Each bank will implement different technologies – one may use voice authentication, for example, while another may prefer fingerprint or iris scanners.
For treasurers, this will mean providing personal data – particularly biometric data – to the corporate’s banks: a process with which they may or may not be entirely comfortable, as it’s easier to reissue a security token than a face or voice. Finding out which technologies your bank proposes to use to secure your corporate accounts is vital.
RDaC Without question, if your staff are going to get clear insights into the mentality of cybercriminals so they can better understand how they operate, then training is key. This can take many forms – of course, there is a wealth of resources online. But for a deeper introduction to the ways of fraudsters, I would recommend using your banks.
Most of our banks offer us cybercrime webinars and other updates, and many of the institutions you work with would be delighted to send their cybersecurity experts over to you, or accept visits from your finance teams, to provide their wisdom in person. This work can be supported by simulation exercises, whereby you ask an external provider to send, for example, a dummy bogus email to your staff, and then you review in an open and transparent way how they reacted to it.
Don’t be afraid to seek advice directly from the law-enforcement community, either. Representatives of the Met’s Operation FALCON unit would be happy to meet your key people to discuss the latest threats. And never underestimate how breaking taboos can facilitate learning. The more firms speak out about their problems with cybercrime, the quicker we will extinguish the shame associated with being caught up in it. Fraudsters rely upon taboos for cover. But if we share our experiences and learn from each other, they will dissipate.
JW Under the EU’s General Data Protection Regulation (GDPR), any individual is free to make requests about the personal data you hold on them. That data could be as simple as an email address or a photograph – as long as it’s possible to identify the individual. Data subjects have a range of rights, including to access their personal data, and to transfer it to a third party. This whole area is fraught with potential problems, as a deceptive criminal could potentially gain access to an innocent subject’s details.
It is therefore vital for businesses to implement processes and procedures for capturing such requests and validating them – including the subject’s identity – before executing the request within the GDPR’s time limit. It’s easy to forget that this applies to business contacts as well as customers, prospects and staff. Ensuring that your employees are looking for potential problems now around how you handle personal data will enable them to act as ‘canaries in the coalmine’, capable of flagging up issues before they arise.