One of the most exposed areas in a company is the treasury department due to the type of information it holds.
New applications in the digital world such as robotics, cloud computing, smart contracts and blockchain are gaining ground in the business ecosystem. The type of information the financial department manages makes it one of the most important areas in the company. For this reason, it is necessary to invest in protective measures.
Generally, a cyberattack is carried out by distributing malicious programs to steal personal or company information for financial gain. According to the survey “Confronting the Threat of Cybersecurity” by HSBC, 8 out of 10 treasurers declare that the financial department is one of the most exposed areas in the company.
With digital transformation, treasury functions have evolved in recent years. Fraud prevention has become a corporate responsibility. It is no longer just about financial management: treasury should also apply mechanisms to identify anomalies and reduce the risk of attack.
Siva Ram, Business Security and Fraud, Global Payments Solutions Director of HSBC, shares his experience in applying better practices in cybersecurity and fraud prevention to perform controls over financial processes. One way to implement preventive measures is to train personnel in the protection of the business assets. Siva Ram explains that employees should be able to detect “unusual” activity. He adds that the majority of non-authorized attacks are carried out through e-mail fraud and identity theft, which is why it is important to train everybody.
This training should not be a single effort. The expert indicates that a versatile training program should be designed and updated regularly in order to accommodate different types of users. He also affirms that the possibility of internal fraud should be considered. “This is essential to prevent people from becoming involuntary cyberattack objectives and to be able to test our controls on a regular basis.”
Regina Ochev, Prologis Associate Treasurer, adds in the HSBC report that one way to maintain internal security is through user identification and passwords. “This way we implement system access controls to guarantee registration and integration of multiple banking systems to be able to identify unusual activity,” she says.
The recommendation is to create a constant culture in which every employee understands his or her role in the protection of the organization against cyberattacks. Siva Ram indicates that, in order to minimize internal or external risk of fraud, all internal and banking systems can be integrated to identify non-authorized payments in a simpler and faster way. Nevertheless, he adds that even when processes are more efficient, controls are tighter and employees are more capable, any company can still become a victim.
Consequently, it is essential to guarantee a fast and proper response to real or suspected attacks. “In case of a suspected or real cyberattack, acting with speed is essential. Therefore, all personnel involved in transactions or in contact with financial information must be able to recognize these events and know how to answer. Attack simulations, not just in regional or central treasury centers, but in other parts of the company where financial or cash activities are performed can be a very valuable way to overcome user reluctance to act, practice response or identify areas for further exploration or resolution.”
Every organization should be prepared to manage the impact of an event in a fast and correct manner. Siva Ram highlights some of the questions to be addressed in the event of an attack:
- “In a case of ransomware, in which circumstances would hackers be paid off? How much does it cost? When? How? For example, the usual payment channels could not be used; for this reason, are you prepared to use cryptocurrency?
- “In case of a data breach, do you know where to locate the data? How would you restore services in case of a cyberattack?
- “A serious attack could require completely new hardware or software in case it's compromised: are you ready for such a situation?”
Peter Atuma from Equinix suggests that the IT department work closely with the commercial functions, such as the treasury, to create a coherent cybersecurity approach and work collectively as good corporate citizens.