Treasuries leave “doors open” to fraud without supplier checks
A lack of checks on the identity authentication methods used by third parties and suppliers is leaving corporate treasuries with “open doors” to cyber fraud, a new study warns.
Having the authority to move large amounts of money fast, corporate treasuries are increasingly a top target for cyber criminals. Yet, serious gaps remain in their cybersecurity strategies, highlights a new report by the Economist Intelligence Unit and Deutsche Bank.
“Sophisticated cyber criminals often use social engineering and inside information to execute high-value thefts via corporate treasuries,” says Michael Spiegel, head of cash management at Deutsche Bank. “Our research has identified serious gaps in corporate defence, including vulnerabilities hidden with third parties and their subcontractors. This gives cyber criminals the opportunity to steal data.”
The report points out that because an increasing number of treasuries have outsourced their back office and payment factory processes to shared services, treasury departments are particularly vulnerable. According to the research, one in five companies does not check whether suppliers use the same methods for identity authentication as they do, does not co-ordinate regulatory and compliance rules, and does not ensure that the information security requirements which apply to third parties are extended to their subcontractors.
While most companies in the survey performed internal penetration testing (92%), one-third (33%) did not conduct external testing, and only 38% required all third parties and suppliers to perform penetration testing.
Internal penetration testing simulates an attacker who already has the equivalent of internal access, to find out how far they could get and whether they could carry out unauthorised data disclosure or misuse. External penetration testing mimics an attacker on the internet exploiting weaknesses in the network security, to determine what information is exposed to the outside world.
“This leaves an open door for fraud,” says Spiegel.
Sectors with the lowest rate of authentication testing are manufacturing (43%), agriculture and agribusiness (38%), energy and natural resources (32%), construction and real estate (31%) and professional services (25%).
“Cyber criminals target corporate treasury for a simple reason: it’s where the money is,” says the report, titled Third party risks; the cyber dimension. “Hacking treasury is one of only a few ways to steal very large amounts of money very quickly. And unlike data theft or even ransomware, which can cause damage and cost over time, treasury hacks can cause immediate, significant and usually irreversible financial loss.”
Hackers are also aware that many companies still do not take cybersecurity seriously. While most experts agree that it’s impossible to fully protect yourself from an attack, companies could be doing a lot more.
“No matter what you do, you can never protect yourself 100%, that’s simply not possible – everybody gets penetrated every now and then,” Lars Jensen, CEO of maritime industry cybersecurity firm CyberKeel, told GTR in a recent interview.
According to experts, contingency planning and incident response platforms (IRP) are among the most effective ways to become more cyber-resilient. Last year, however, a survey by IBM and Ponemon of 2,400 security and IT professionals found that 75% did not have a formal cybersecurity incident response plan across their organisation, and 66% were not confident in their organisation’s ability to recover from an attack.
The simplest scams are, according to the study, invoicing frauds. Once systems have been hacked to discover who makes payments and how, fraudsters can easily send false invoices from made-up suppliers to the right person in accounts payable and then pressure them into paying.
Another popular method is known as man-in-the-middle (MIM, more commonly written MITM) attacks. Here attackers intercept communication between buyers and suppliers and then send their own versions of invoices or payment instructions, with their own bank details substituted. The buyers think they are sending their payment to the supplier, but they are really sending it to the hacker.
In June 2015 Europol announced it had dismantled a group of cyber criminals active in Italy, Spain, Poland, the UK, Belgium and Georgia, who used MIM fraud to steal €6mn within a very short time.
The most sophisticated hacks involve attackers breaking into corporate email and other systems to build up a detailed picture of staff and company operations. This information is then used to create email sequences that include confidential company information and appear to come from senior management, typically containing an urgent request to transfer money.
These attacks, known as business email compromise (BEC) scams or CEO fraud, differ from spam-based malware attacks, which generally carry ransomware. They use social engineering and inside information gathered through reconnaissance to target specific individuals with customised, believable emails. BEC fraud has claimed a number of high-profile victims. In August last year, leading wire and cable manufacturer Leoni announced a loss amounting to around €40mn owing to a case of BEC fraud.
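The two patterns above, a redirected invoice carrying substituted bank details and a BEC email impersonating an executive, share the same weak point: accounts payable acts on what the email says rather than on what has been verified out of band. The following screening logic is an added example (it is not code from the GTR article, the EIU/Deutsche Bank report or any vendor) showing the checks a treasury could run before a payment instruction reaches a human. Everything in it is constructed for illustration: the buyer's domain `example-corp.com`, the executive list, the supplier master record for `acme-cables.com`, the three sample messages and the risk weights are assumptions, and the "hold for callback" verdict assumes the company has a process of confirming changed bank details by phone with a known contact.

```python
"""Screen an inbound payment instruction for invoice-redirection and BEC signs.

Added example. The domains, supplier record, executives, messages and
weights below are constructed; replace them with ERP master data in practice.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example-corp.com"          # constructed: the buyer's own domain
EXECUTIVES = {"jane doe"}                # constructed: display names worth spoofing
# Constructed supplier master data: domain -> IBAN verified out of band.
SUPPLIER_MASTER = {"acme-cables.com": "DE89370400440532013000"}

# Characters fraudsters swap for visually similar ones in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|today|confidential|asap)\b", re.I)


def levenshtein(a, b):
    """Edit distance; a small value between two domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain):
    """Fold common homoglyph tricks so acme-cab1es.com compares equal to acme-cables.com."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    trusted = set(SUPPLIER_MASTER) | {OWN_DOMAIN}
    if domain in trusted:
        return None
    for t in trusted:
        if normalise_domain(domain) == normalise_domain(t) or levenshtein(domain, t) <= 2:
            return t
    return None


def screen(raw_message):
    """Return (verdict, findings) for one RFC 822 message held as a string."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []  # (weight, description)

    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append((3, f"lookalike domain {sender_domain} imitates {imitated}"))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append((2, f"Reply-To {reply_to} routes replies away from the sender domain"))

    if display.lower() in EXECUTIVES and sender_domain != OWN_DOMAIN:
        findings.append((3, f"display name '{display}' impersonates an executive from outside {OWN_DOMAIN}"))

    # Compare any IBAN in the body with the one on file for the supplier the
    # sender claims (or pretends) to be; a mismatch is the redirection pattern.
    expected_iban = SUPPLIER_MASTER.get(imitated or sender_domain)
    for iban in IBAN_RE.findall(body):
        if expected_iban and iban != expected_iban:
            findings.append((3, f"IBAN {iban} differs from the verified IBAN on file"))

    if URGENCY_RE.search(body):
        findings.append((1, "urgency or secrecy language"))

    score = sum(w for w, _ in findings)
    verdict = "HOLD_FOR_CALLBACK" if score >= 3 else "REVIEW" if score else "PASS"
    return verdict, [text for _, text in findings]


# Constructed sample messages: a genuine invoice, a redirected one, a CEO-fraud email.
LEGIT = """From: Accounts <billing@acme-cables.com>
To: ap@example-corp.com
Subject: Invoice 4471

Please find attached invoice 4471. Payment to IBAN DE89370400440532013000 as usual.
"""
REDIRECT = """From: Accounts <billing@acme-cab1es.com>
Reply-To: billing@acme-cab1es.com
To: ap@example-corp.com
Subject: Invoice 4471 - updated bank details

Our bank account has changed. Pay invoice 4471 to IBAN GB29NWBK60161331926819 immediately.
"""
CEO = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <janedoe.ceo@webmail-example.net>
To: treasury@example-corp.com
Subject: Transfer

I need you to wire EUR 250,000 today for an acquisition. Keep this confidential.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("redirect", REDIRECT), ("ceo", CEO)):
        print(name, *screen(raw))
```

The verdict is deliberately coarse: a single strong signal (a lookalike domain, a changed IBAN, an executive name arriving from an outside domain) is enough to hold the payment until someone calls the supplier or the executive on a number already on file, because the email itself can never confirm its own authenticity.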
Call for common platform and terminology
In a bid to establish deeper understanding and better cyber defence in the financial sector, Swift has recently published several research papers and called for common terminology to be established so that institutions can communicate about threats more effectively.
In one of these papers, Sharing Insider Threat Indicators: Examining the Potential Use of SWIFT’s Messaging Platform to Combat Cyber Fraud, the organisation discusses using its own platform to communicate cyber fraud threat information.
“As cyber threats become increasingly prevalent within the financial services industry, firms are having to step up their cyber defences,” says Peter Ware, director of the SWIFT Institute. “It is only by collaborating as an industry that we will be in a stronger position to mitigate these threats. It is our hope to eventually build on this published research to more effectively recognise forces at play, to establish a common language, and to build tools that will identify patterns of behaviour.”