Partners in Cybercrime Fighting
Many corporate treasuries are taking steps to fortify their cybercrime defenses, yet third parties and front-line employees continue to pose risks.
Cyberattacks are estimated to be draining more than US$400 billion a year from the global economy, and that figure is predicted to rise to US$2.1 trillion by 2019. The Bangladesh Bank heist of 2016, which saw US$81 million taken from the central bank’s account, stands as a telling example of the damage that can be wrought.
Corporate treasury teams are at significant risk of succumbing to a similarly disastrous incident. Access to large sums of money and a wealth of sensitive client data have placed the function at the top of many cybercriminals’ hit lists. Businesses are certainly not ignorant of this threat, nor have they stood idly by. Most treasuries have taken measures to address their technological vulnerabilities, many investing in solutions such as two-factor authentication and penetration testing.
Still, all signs suggest that more needs to be done. The Economist Intelligence Unit’s recent study “Third-Party Risks: The Cyber Dimension,” sponsored by Deutsche Bank, highlights third parties as a chink in the armor of many a treasury department. Oversight of internal employees is another ongoing concern. These two factors go some way toward explaining how cybercriminals have been succeeding in siphoning so much money from international businesses.
Secure Partners Are Essential
The case for shoring up third-party weaknesses is clear. Every large company relies on external suppliers, and while these partnerships are essential, the corporate must take steps to ensure that its supply chain doesn’t represent a weak spot cybercriminals can exploit. This is an area in which global businesses have much work to do.
As part of its report, the Economist Intelligence Unit (EIU) surveyed more than 300 corporate treasury executives on their existing cybersecurity defense mechanisms. This research indicates that 19 percent of companies do not check whether their suppliers use the same methods for identity authentication as they do. They have not, for example, asked whether suppliers have secure email systems to protect confidential information, or whether they offer the ability to check the IP addresses of log-ins to match them with preassigned, or “white-listed,” addresses.
While 92 percent of corporates in the EIU survey vet their own internal systems with penetration testing—a specific cybersecurity technique in which experts are hired to attack systems to reveal weakness—the survey also reveals that only 33 percent of corporates apply penetration testing to their external agencies, and only 38 percent require it of their partners.
There is also room for neglect farther down the supply chain: Fourteen percent of surveyed treasurers demand that their suppliers meet specific requirements for information security but do not require those suppliers’ subcontractors to conform to the same policies and procedures.
These gaps leave the door open for what is known as business email compromise or impostor fraud (sometimes loosely called a “man in the middle” attack, although no network interception need be involved), in which attackers manipulate payment instructions, either by posing as a supplier and sending fraudulent invoices or by altering the payment instructions on legitimate invoices in order to redirect funds to an account they control.
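The two signatures of such an attack, an invoice that arrives from a domain that merely resembles the supplier’s and a beneficiary account that differs from the one on record, can both be checked mechanically before a payment is released. The following is an added example, not code from the report or from any treasury system it describes; the vendor master file, the vendor IDs and the invoices are constructed sample data, and the IBANs are published test values rather than real accounts.

```python
"""Screen an incoming invoice against the vendor master file for the
signs of business email compromise: a sender domain that only resembles
the supplier's, or a beneficiary account that differs from the record."""
from dataclasses import dataclass

# Vendor master data as the treasury holds it (constructed sample; the
# IBANs are well-known test values, not real accounts).
VENDOR_MASTER = {
    "V1001": {"domain": "acme-components.com", "account": "GB29NWBK60161331926819"},
    "V1002": {"domain": "globex-logistics.de", "account": "DE89370400440532013000"},
}


@dataclass
class Invoice:
    vendor_id: str
    sender: str    # From: address of the email that carried the invoice
    account: str   # beneficiary account printed on the invoice


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_invoice(inv: Invoice, master=VENDOR_MASTER) -> list:
    """Return the list of finding codes; an empty list means nothing unusual."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return ["unknown_vendor"]
    findings = []
    sender_domain = inv.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        # One or two edits away from the real domain (acme-c0mponents.com,
        # acme-components.co) is the classic impostor pattern.
        if _edit_distance(sender_domain, vendor["domain"]) <= 2:
            findings.append("lookalike_sender_domain")
        else:
            findings.append("unrecognised_sender_domain")
    if inv.account.replace(" ", "").upper() != vendor["account"]:
        # Fires even when the mail really came from the supplier's domain:
        # a compromised supplier mailbox sends genuine-looking mail with new details.
        findings.append("beneficiary_account_changed")
    return findings


def release_decision(inv: Invoice) -> str:
    """Never update bank details from the invoice itself: hold the payment
    until the supplier confirms on a phone number already on file."""
    return "hold_for_callback" if screen_invoice(inv) else "release"


if __name__ == "__main__":
    suspicious = Invoice("V1001", "ap@acme-c0mponents.com", "GB33BUKB20201555555555")
    print(screen_invoice(suspicious), release_decision(suspicious))
```

The important design choice is that a changed account is flagged independently of the sender domain: the most damaging variant of this fraud is mail sent from a supplier’s genuinely compromised mailbox, which no domain check will catch. Neither finding blocks the payment outright; it holds the payment until a caller reaches the supplier on contact details that were already on file, not on the ones printed on the suspect invoice.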
Avoiding such incidents is a matter of working with supply chain partners to jointly tighten security protocols. Basic steps include ensuring that third parties use a secure email system to protect confidential communications and that they require two-factor authentication (or equivalent) so that employees of the supplier are verified to be who they say they are. In addition, companies should check whether their suppliers track the IP addresses of those entering their treasury management or email systems. Are they able to match the IP addresses of those logging in against a set of white-listed addresses? Can they block access to anyone who is not specifically white-listed? Finally, companies need to check that their third parties are trained to look for unusual patterns of behavior in customer accounts.
Where partners do not comply with these requirements—and refuse to upgrade their security accordingly—treasurers must begin to look elsewhere for support.
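The white-listing question above is easier to answer if one has seen what the control actually does. The following is an added example, not code from the report or from any product it describes: a deny-by-default source-address check applied to treasury login events. The network ranges and the login records are constructed (the addresses come from the documentation prefixes reserved for examples), and the event format is assumed. A practical caveat belongs alongside it: the source address must be the one the system itself observes on the connection, or one supplied by a proxy the system trusts; a client-supplied header is not evidence of anything.

```python
"""Deny-by-default IP allowlisting for a treasury or email login, run
over a batch of login events."""
import ipaddress

# Networks from which the supplier's staff are permitted to log in
# (constructed; these are documentation ranges, not real offices).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",     # supplier head office
    "198.51.100.17/32",   # supplier's VPN egress address
    "2001:db8:4f::/48",   # IPv6 range of the same office
)]


def is_allowlisted(addr: str, networks=ALLOWED_NETWORKS) -> bool:
    """True only if the address parses and falls inside an allowed network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False          # unparsable source: deny, never guess
    return any(ip in net for net in networks)


# Constructed login events: (timestamp, user, observed source, credential check).
LOGIN_EVENTS = [
    ("2017-03-01T08:02:11Z", "j.smith", "203.0.113.45", "ok"),
    ("2017-03-01T08:05:40Z", "j.smith", "203.0.113.45", "ok"),
    ("2017-03-01T22:17:03Z", "j.smith", "192.0.2.77", "ok"),        # right password, wrong network
    ("2017-03-01T22:18:10Z", "a.kumar", "2001:db8:4f:1::9", "ok"),
    ("2017-03-02T03:44:51Z", "m.lee", "not-an-ip", "ok"),           # garbage in the source field
    ("2017-03-02T09:00:02Z", "m.lee", "198.51.100.17", "bad_password"),
]


def evaluate_logins(events, networks=ALLOWED_NETWORKS):
    """Split events into (allowed, denied); a valid password alone never
    grants access, and every denial carries its reason for the audit log."""
    allowed, denied = [], []
    for ts, user, src, cred in events:
        if cred != "ok":
            denied.append((ts, user, src, "bad_credentials"))
        elif not is_allowlisted(src, networks):
            denied.append((ts, user, src, "source_not_allowlisted"))
        else:
            allowed.append((ts, user, src))
    return allowed, denied


if __name__ == "__main__":
    ok, refused = evaluate_logins(LOGIN_EVENTS)
    for entry in refused:
        print("DENY", *entry)
    print(f"{len(ok)} allowed, {len(refused)} denied")
```

The third event is the one this control exists for: the credentials are correct, which is exactly what a phished password looks like, and the login is refused anyway because it arrives from outside the agreed ranges. A supplier that can answer “yes” to the white-listing questions above is running something equivalent in front of its treasury and email systems.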
To Err Is Human
Internal employees are often overlooked as a source of vulnerability within corporate treasuries. Cybercriminals frequently look to gain entry by hijacking an employee’s insider status. This strategy can yield quick and easy results if employees of the target company are not adequately trained to identify the signs of an attack. Fraudulent emails now populate the inboxes of almost everyone with an email account, while sophisticated phone scams are on the rise.
In the treasury space, a common scam is the fake-CFO scam. Attackers will attempt to impersonate a senior member of staff via email or phone, requesting financial information from a junior employee. They may, for example, ask for a transaction to be initiated or for goods to be diverted in what appears to be a legitimate request.
In each of these scenarios, scammers may take advantage of time differences involved in cross-border trade to improve the likelihood of success for their con. For instance, if they contact a European business group in the middle of its day and demand that funds be transferred before close of business in Asia, the targeted employee may panic, thinking he or she has to act immediately.
Training is crucial to ensure employees are able to identify and deal with threats quickly and safely. A well-trained employee, for example, is well placed to spot a fraudster posing as a supplier in order to alter payment details or pilfer sensitive data. Effective training can also help employees recognize emails carrying ransomware, which, if opened, may encrypt critical data and threaten to leave it permanently unrecoverable unless the company pays a ransom by a set deadline.
Even if a treasury organization can train employees to keep external threats at bay, management must still be mindful of threats born from within the organization. There is a growing awareness of the risk of “malicious insiders”—employees looking to gain access to company funds and data for their own personal gain. Given that these individuals often already have the permission required to take action, they represent a particularly potent threat.
How can the treasury team tackle this threat from within? Employees need to be alert to suspicious behavior among their colleagues. They also need to be aware of which types of behavior should raise red flags—for example, downloading large volumes of data to external drives, accessing sensitive information that bears no direct relevance to the individual’s normal job duties, and emailing confidential data to a personal account. Requests for clearance or higher-level access without adequate explanation, or behavior that demonstrates sudden affluence without obvious cause, should also raise alarm bells among fellow employees.
One individual red flag is not necessarily a clear demonstration of harm, but when managers or employees note these types of activities, they should have a means for setting in motion a process of review and clarification.
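The red flags listed above are, for the most part, visible in ordinary activity logs, and the “one flag is not proof, several warrant review” rule can be applied by a script rather than relying on colleagues to notice. The following is an added example, not code from the report or from any monitoring product: it parses a small constructed activity log, applies three of the rules named above (bulk copies to removable media, access to data outside the employee’s role, and confidential material sent to a personal mailbox), and grades each user. The log format, the role-to-data mapping, the size threshold and the list of personal mail domains are all assumptions a real deployment would replace with its own.

```python
"""Triage an activity log for the insider red flags named above and
grade each user: one flag for review, two or more for escalation."""
import re
from collections import defaultdict

PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
REMOVABLE_MEDIA_LIMIT_MB = 500
# Which data sets each role legitimately handles (constructed).
ROLE_DATA = {
    "treasury_analyst": {"cash_positions", "bank_statements"},
    "accounts_payable": {"vendor_master", "invoices"},
}

# Constructed sample log; one event per line, key=value fields after the event name.
SAMPLE_LOG = """\
2017-03-06T09:12:04Z user=j.smith role=treasury_analyst event=data_access dataset=cash_positions
2017-03-06T09:40:51Z user=j.smith role=treasury_analyst event=file_copy dest=removable size_mb=12
2017-03-06T11:03:22Z user=p.novak role=accounts_payable event=data_access dataset=cash_positions
2017-03-06T18:55:09Z user=p.novak role=accounts_payable event=file_copy dest=removable size_mb=2300
2017-03-06T19:01:47Z user=p.novak role=accounts_payable event=email_sent to=p.novak88@gmail.com label=confidential
2017-03-07T08:15:30Z user=a.kumar role=treasury_analyst event=email_sent to=audit@example-auditors.com label=confidential
2017-03-07T08:20:00Z user=a.kumar role=treasury_analyst event=file_copy dest=removable size_mb=900
"""

LOG_LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) event=(?P<event>\S+)(?P<rest>.*)")


def parse(line: str):
    """Return the event as a dict, or None for a line that is not an event."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.update(dict(re.findall(r"(\w+)=(\S+)", ev.pop("rest"))))
    return ev


def flags_for(ev: dict) -> list:
    """Apply the individual red-flag rules to one event."""
    flags = []
    if ev["event"] == "file_copy" and ev.get("dest") == "removable":
        if int(ev.get("size_mb", 0)) > REMOVABLE_MEDIA_LIMIT_MB:
            flags.append("bulk_copy_to_removable_media")
    if ev["event"] == "data_access":
        if ev.get("dataset") not in ROLE_DATA.get(ev["role"], set()):
            flags.append("access_outside_role")
    if ev["event"] == "email_sent" and ev.get("label") == "confidential":
        domain = ev.get("to", "").rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL_DOMAINS:
            flags.append("confidential_to_personal_mailbox")
    return flags


def triage(lines) -> dict:
    """Collect distinct flags per user; a single flag starts a review, two or
    more distinct flags escalate. Users with no flags are not reported."""
    per_user = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is not None:
            per_user[ev["user"]].update(flags_for(ev))
    return {user: ("escalate" if len(flags) >= 2 else "review")
            for user, flags in per_user.items() if flags}


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {verdict}")
```

In the sample, j.smith’s small copy to a USB stick within his own role raises nothing, a.kumar’s 900 MB copy is a single flag and goes to review, and p.novak, who reads treasury data outside her role, copies gigabytes to removable media and then mails confidential material to a webmail account, is escalated. Grading on distinct flags rather than raw counts is deliberate: ten large copies by one user are one pattern, not ten.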
Cybersecurity Lessons for Banking Relationships
The recurring lesson of cybercrime stories in the press these days is this: Make sure every link in the transaction chain is fully secure. Corporate treasury groups should be in constant dialogue not only with their third parties and employees, but also with their banks, the partners that represent the final barrier in the way of the cybercriminal.
Many banks today are making cybersecurity a top priority. For example, to tackle phishing and to protect information exchanges from disclosure to and manipulation by third parties, some banks use an encrypted email solution based on digital certificates and public/private key pairs (S/MIME is the common standard for this). Such a system lets the bank establish a channel with clients in which messages are both encrypted and signed, so that a client can confirm an instruction really came from the bank.
Banks should also be providing employees with cybersecurity and cyberfraud training. Some financial institutions offer regular (and regularly updated) training in the art of identifying irregularities in both client transactions and colleagues’ behavior. They might also provide frequent updates on new security threats and best practices, and require employees to pass online training courses related to security topics. Another measure banks can initiate to reduce cyber risks is offering their employees a 24×7 cybersecurity hotline to ensure swift action is taken in response to potential threats.
Of course, these are just a few examples of measures that a bank can take. Companies need to start assessing their prospective banking partners on their ability to protect the confidentiality, integrity, and availability of customer and bank details. They need to start asking their banks security-related questions, such as:
- What are your security policies?
- What controls do you have in place to tackle threats?
- Do you hold third-party IT vendors to the same standards?
- Are your employees aware of potential threats, and do they receive rigorous training?
Armed with this information, a corporate treasurer is far better placed to judge whether banking partners represent a weak link in the chain. As the cybersecurity landscape continues to evolve, banks must now be experts not only in financial services, but also in fighting cybercrime.