What Treasurers Need to Know about Cyber Security

Download a print-friendly version of this article.

With greater connectivity comes greater potential for cyber risk

Managing cyber risk is not a new priority for treasury, but it’s one that demands constant dialogue and attention. While there’s been great strides made in developing advanced protection tools for our systems, online banking remains an appealing target for cyber criminals and attacks are on the rise.

Two thirds of companies surveyed experienced some kind of cyber incident in 2019, according to McAfee’s The Hidden Costs of Cybercrime report. Without even taking fraud into account, the average cost of downtime for a department is about $590,000. Globally, the monetary loss from cybercrime was estimated at approximately $945 billion in 2020.

In treasury management, it seems that as businesses achieve greater digitization and connectivity, in areas like payables and receivables for example, security measures improve but there are also more points of access for cyber criminals to exploit. The COVID-19 crisis was a powerful lesson for many companies in understanding how resilient their systems are, but also how vulnerable they are when faced with securing the future of work and a remote fleet of devices. And as we’ve learned, security breaches, most often come down to the habits of the individual remote worker.

Familiar strategies, rapidly evolving tactics

The threats we see having the most impact on businesses today are phishing campaigns, malware and business email compromise (BEC) attacks. These are people-based maneuvers that have been causing damage for years in various forms. Malicious actors are drawn to them because the basic strategy of playing on an unsuspecting victim’s gullibility and unpreparedness works.

Phishing was once primarily a phone-based fraud scam. It relies on social engineering and impersonation to extract sensitive information from victims, usually login credentials and personal identities. Today it is largely carried out by email and victims are most often lured to counterfeit websites where they are tricked into surrendering their credentials. Untrained and unprepared for the persuasive tactics, remote workers have been a prime target during the pandemic. The number of phishing attacks doubled in 2020, according to the Anti-Phishing Working Group.

Malware, or malicious software, is right up there in terms of impact and prevalence. It’s considerably harder to pull off compared to phishing, but it is much more effective and dangerous. The basis of a malware attack is a virus or piece of software that is been planted on a victim’s computer. Once installed, cybercriminals can steal data or take over online banking sessions. There are lots of variations, including ransomware and spyware, and the frequency and sophistication of malware attacks are intensifying.

The other cyber hot spot we are paying close attention to, especially as it affects the financial sector, is BEC. A specialized form of phishing, it has become very common as more companies are moving to remote and virtual transactions. BEC relies on impersonating or stealing the identity of a company employee, usually a senior executive, and tricking victims into exposing valuable information or transferring funds outside the company. Wire transfers and international payments are widely targeted and the volume of attacks is increasing.

New technologies present new opportunities for cyberattacks

The big cyber risk areas right now — phishing, malware and BEC — are rooted in tried and tested social engineering techniques. The speed and sophistication of these attacks, however, are accelerating. And as we look toward the future, the first steps in successful mitigation is going to be understanding how these threats are occurring and the role of technology in fool proofing our systems.

Many companies will focus on new comprehensive tools that improve their systems and operations and have new layers of security built in. Digital payments networks, for example, are greatly enhancing many aspects of payables and they’re laden with sophisticated protection measures to mitigate cyber-attacks. There will be a lot of opportunity along these lines for businesses to leverage end-to-end solutions that will help them secure their assets and avoid the responsibility and liability associated with cyber risk.

Looking in the opposite direction, the same technologies that have helped businesses move toward digitization and greater connectivity have also created new vulnerabilities. Technologies, such as application programming interfaces (APIs), have made it possible to connect financial services and data in new ways and achieve faster more accurate transactions. But at the same time, there are more openings for criminals to infiltrate and compromise a network.

Similarly, cloud-based email services and applications have revolutionized how many companies do email and created new flexibility and efficiencies. However, these services are showing to be popular targets for BEC scammers who are deploying advanced phishing techniques to exploit service features in order to compromise accounts.

Mobile and personal devices, such as smartphones or tablets, haven’t received a lot of attention due to their limited use in commercial banking but this will be an important area to monitor going forward.

Alongside supersized bandwidth, the arrival of fifth generation (5G) of wireless technology will introduce a very wide and complicated area of cyber risk to manage. Malware and network manipulation are two of the primary threats highlighted by the FBI.

Businesses must embrace a range of approaches and technologies to protect themselves from cyber risk

The drive to successfully clamp down on cybercrime while supporting business strategy and organizational growth will be equal parts awareness and education.

Companies have been investing heavily in cybersecurity and the tools needed for the job are largely available in many of the online banking, accounting and enterprise resource planning (ERP) systems widely used today. That said, awareness in this space overall will be critical and businesses must be prepared to embrace new technologies and approaches as needed.

In many threat scenarios, the actual integrity of the online banking or security system is usually not compromised, but rather a user has inadvertently become a victim of a social-engineering scam. In this regard, education is of the utmost importance and any worthwhile cybersecurity strategy needs to ensure that cybersecurity is a top-of-mind priority for everyone across the organization.

Matt Richardson has over 20 years of treasury management experience in sales, product and business administration roles. Currently the head of Product Solutions for Treasury Solutions at Citizens Bank, he leads a team that is driving innovation in the treasury management product suite across customer experience and payments.

Matt holds a B.A. in Economics from the University of Massachusetts and has completed professional training including the RBS/Harvard Business School Senior Manager Program and the Advanced Leadership Development Program through Babson Executive Education.

Download a print-friendly version of this article.