Actions for next week: Cybersecurity - How to protect yourself from The Human Factor
by Dan Blumen, Founding Partner, Treasury Alliance Group
Technology has made lives easier, safer and more fun for the law-abiding mass of humanity. Sadly, it has done the same, although to a lesser extent, for the law-breaking few. In the area of cybersecurity there are clear cases of negligence in protecting systems (see Equifax and the Bangladesh Central Bank), but many other successful attacks use only modestly sophisticated hacking tools combined with social engineering to achieve their malevolent aims. The good news is that establishing the first line of defense against cyber criminals does not require treasuries to spend large sums on systems and consultants to protect their operations; they can do it themselves.
Scenarios
Here are some scenarios:
- The phone rings and an authoritative voice purporting to be from corporate security asks about the wire you just sent to Smith & Co. You respond that no wires were sent to Smith & Co., that this is handled by an individual you name, whose last wire was to Jones plc. This is called pretexting: pretending to be someone you’re not in order to gather some of the information the malefactors will need to hack one of your systems. Note that even a "no" answer leaked a colleague's name, his role and a counterparty.
- You’re in the middle of a busy day and you get an email requesting that you verify a bit of data to continue using an application. The email looks good and you’re busy, so you click on the link and provide the validation requested. This is called phishing and, like its homophone, fishing, it’s a numbers game. In a company of 100,000 employees it only takes a few to provide the needed information. When a phone system is used instead of email, it’s known as vishing.
- Spear phishing is similar to regular phishing except that the emails are highly targeted, perhaps using information picked up in an earlier phishing attack: for example, an email apparently from the CEO asking you to make an urgent wire payment.
- Another common tactic is to leave a CD with a provocative label, such as “bonus planning”, in a spot where it is easily found. This is going out of fashion, as is the CD, so a nice-looking USB drive might be left in its place. Run the CD or connect the USB drive and there is now malware on a computer. Unsurprisingly, this is called baiting.
- Or a contractor borrows your ID badge to go to another area of the building to pick up some items from a vending machine, and now has unescorted access to that area.
The list goes on, aided by information picked up from LinkedIn, Facebook and other social media applications. Social engineering relies on the fact that most of the time bad things do not happen, and that people are so busy they will not suspect one or two unexpected interactions in a hectic day of being criminal.
Policy AND procedures
Back to treasury and some simple steps to make sure yours is not victimized. It really comes down to policy and procedure, two things loathed by those with much to do and little time in which to do it.
- Policy - Every treasury needs a complete set of policies covering all areas of treasury operations. The policies need to be clearly written, spelling out what is and is not permitted, and people need to be held accountable for their actions, as the prospect of a truncated career will do much to ensure compliance.
- Procedure - The policies need to be backed by procedures: what to do in a variety of scenarios. These provide clear direction to staff, along with organizational cover for doing the right thing, such as not being intimidated by an email from a senior executive and instead verifying an unusual payment request through a known, independent channel.
Cybersecurity is a complex topic involving the entire organization and making use of sophisticated tools to protect against bad actors. The message here is that the best walls in the world will not help you if an unwitting individual leaves the gate unlocked.