Cybersecurity: When speed is everything
For many of us, it feels like the world runs at the speed of light. Today, businesses that want to stay relevant have to think fast to survive and thrive. Consumers and business clients alike expect instant gratification.
That’s why real-time payments with instant settlements that enable businesses and consumers to send and receive payments instantly — directly from their accounts at financial institutions — have become a preferred option for many.
But this culture of speed can come with unintended consequences. In a digital world with fraudsters becoming more agile, financial executives have to be proactive. Who knows what moves hackers will make next? Even the best-designed cybersecurity policy is no silver bullet for total protection of corporate data.
Top causes for cyber breaches
Anyone within a company or organization can become a target of fraud. Unfortunately, some companies have discovered the hard way that if the right security policies aren’t in place, employees can inadvertently give the game away.
To keep company data and resources secure, staff training is critical. According to Verizon’s 2016 Data Breach Investigation Report, it is feasible to successfully pull data within minutes of a breach. So when it comes to data fraud, time is of the essence. Interestingly, PwC’s The Global State of Information Security Survey 2017 finds that of the 15% of respondents who reported that there had been a serious breach in their company, 1 in 3 didn’t know for how long the company had been breached and 24% thought the breach had lasted only a day.
The survey reported that the top causes of cyber breach were:
- Human error
- Lack of staff awareness of security risks
- Failure to follow a defined process
- External attacks specifically targeting a company
It seems people were the weakest link. Case in point: The most frequent breach vectors were social engineering or phishing (55%), followed by malware (49%) and human error (45%).
Social engineering fraud: an example
Social engineering fraud has severe consequences and requires pragmatic protection. A leading agro-industrial group became a victim of such a scam, resulting in a fraudulent payment to a foreign bank account. The fraud was discovered during a forensic analysis of electronic data from computers and smartphones, together with employee interviews.
The incident started with a fake email providing context and instructions on how to deal with an ongoing confidential transaction, supposedly from a senior manager. Email correspondence continued and involved a payment up to the maximum allowed amount to a foreign bank account. This was supported by incoming and outgoing telephone calls with a bogus attorney who was supposedly involved with the transaction. The lawyer emphasized the urgency and secrecy of the transaction, using flattery, threats and appeals to higher authority.
This use of electronic and real-person manipulation is a growing threat. While technology facilitates speedy transfers, the targets of the fraudsters’ attacks are employees. After a breach, some companies may want to believe that it’s another party’s responsibility to verify transactions. However, I believe the best protection is employee engagement and a strong culture of openness, validation and support, educating employees about the potential dangers. After the social engineering fraud incident, the agro-industrial group changed its internal culture and updated agreements with its financial partner.
For more information about cybersecurity trends and case studies, check out the second edition of Journeys to Treasury. From BNP Paribas, PwC and SAP, Journeys to Treasury identifies the most pressing topics for corporate treasurers today: data analytics, compliance and regulation, and cybersecurity.