Cyber security: Best practices for treasury and finance departments
Cyber threats affect so many areas of both personal and professional life that it can be difficult to stay prepared. Here are 12 specific ways to improve your treasury's cybersecurity.
1. Don’t be complacent. As a treasury professional, finance employee or CFO, you are an attractive target to hackers. Everyone is a potential victim of cybercrime so be aware, take the risk seriously and stay on top of the latest trends both globally and locally. Work with your internal cybersecurity experts and ensure cybercrime is part of your department’s risk policy.
2. Plan for the worst. It has been widely stated by security experts that there are two types of companies today: those who have been hacked, and those who will be again. Ensure you have a plan in place if your systems are breached: Do you have a backup of data? Do you have a recovery procedure at department or group level? Do you know who to contact if you notice a breach or suspicious activity?
3. Notify your customers. If your customer data has been compromised, do you have a procedure in place to inform them straight away? It currently takes a company an average of 40 days to notice that attackers have infiltrated their networks – make sure your time is shorter and your customers don’t also pay the price!
4. Update your treasury and IT systems. Older IT systems can be weaker and more vulnerable to a cyber-attack. Audit your treasury systems so you are confident you are using the latest and most secure software and have installed any critical updates.
5. Become best friends with your IT/cyber security team. These people can ensure that you are compliant with internal processes and procedures and can help you explore specific ways to make your finance and treasury processes more secure. As cyber threats are continuously changing, a strong line of communication between your key internal stakeholders and your team is vital.
6. Secure your treasury processes. Do you have secure authorisation processes for accounts and payments in place, such as two-step approval and verification for large transactions? These should be visible internally, documented and implemented fully. Make sure your treasury team is aware of and compliant with all procedures and processes.
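As an added illustration of the two-step approval described in point 6 (example code written for this article, not a real treasury system), the following check releases a payment only when policy is met. The threshold, the approver list and the user names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Policy values constructed for the example, not taken from any real treasury.
LARGE_PAYMENT_THRESHOLD = 10_000.00
AUTHORISED_APPROVERS = {"alice.cfo", "bob.treasurer", "carol.controller"}


@dataclass
class PaymentRequest:
    requester: str            # who keyed the payment in
    amount: float
    beneficiary_iban: str
    approvals: List[str] = field(default_factory=list)  # users who approved


def release_decision(req: PaymentRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). A payment is released only if:
    - the requester has not approved their own payment,
    - every approver is on the authorised list,
    - payments at or above the threshold carry two approvals
      from two different people (duplicate approvals do not count)."""
    approvers = set(req.approvals)   # set() collapses the same person twice
    if req.requester in approvers:
        return False, "requester cannot approve own payment"
    if not approvers <= AUTHORISED_APPROVERS:
        return False, "approver not on authorised list"
    required = 2 if req.amount >= LARGE_PAYMENT_THRESHOLD else 1
    if len(approvers) < required:
        return False, f"needs {required} distinct approval(s), has {len(approvers)}"
    return True, "released"
```

The same structure works for other verification rules (for example a second approval when the beneficiary is new) by adding conditions before the final return.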
7. Visibility into cash flows and liquidity. Not only is gaining and maintaining an overview of your liquidity and cash flows one of the core roles of the treasury, it can also help you recognise suspicious activity on your accounts and detect a security breach early. So be vigilant and monitor your accounts, credit reports and payment flows.
8. Phishing – don’t bite, don’t get bitten. Phishing is an attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by posing as a trustworthy entity in an electronic communication. Spear-phishing is a related kind of attack directed at specific individuals or companies. It is important to be alert to increasingly sophisticated phishing attempts, which can seemingly originate from colleagues or trusted websites. An example could be an email apparently coming from your CFO’s email account asking you to conduct an urgent transfer – but, in fact, it is an email cleverly disguised by a hacker to look like it came from the CFO. Always validate requests through a separate channel (for instance, with a phone call to a known number) and double-check email addresses, URLs and other credentials.
9. Set strong P4Ss_w0rD5. Do not go the easy route and use common words, names and birthdays. Instead, use a mix of letters, numerals and symbols and make it long! Never share your password, reuse it across multiple sites, or write it down on a Post-it inside your laptop. It is good practice to change your password periodically. And, no, password1234 does not cut it! For best results, use an automatic password generator.
10. Look out for dodgy links and suspicious attachments. If you receive an attachment or link via email, text message or any online messenger, look before you click and ask yourself: Do I know the sender? Does the link look legitimate? Am I being asked to needlessly submit personal or company details in return for access? Also beware of links that take you to a fake website that looks exactly like a website you are familiar with – check the URL and do not submit sensitive information such as passwords or account numbers if you are unsure.
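The checks recommended in points 8 and 10 (is the sender really who the display name says, does the link really go where it appears to) can be automated for a mail filter or a quick self-check. This is an added example written for this article, not the original page's or any vendor's code; the trusted domain and the look-alike substitution table are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for the example: the domains this treasury genuinely uses.
TRUSTED_DOMAINS = {"example-treasury.com"}

def canonical(domain: str) -> str:
    """Fold common look-alike substitutions (examp1e, exarnple) onto the real
    spelling; a simplification, not a full homograph check."""
    d = domain.lower().rstrip(".")
    for fake, real in (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")):
        d = d.replace(fake, real)
    return d

def is_trusted(host: str) -> bool:
    """Exact match or a genuine subdomain of a trusted domain."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def host_flags(host: str) -> list:
    """Indicators that a host name is impersonating a trusted domain."""
    host = host.lower()
    if is_trusted(host):
        return []
    flags = []
    if canonical(host) in {canonical(t) for t in TRUSTED_DOMAINS}:
        flags.append("look-alike of trusted domain")
    if any(host.startswith(t + ".") for t in TRUSTED_DOMAINS):
        flags.append("trusted domain used as prefix of another domain")
    return flags

def sender_flags(from_header: str) -> list:
    """Judge the real address behind From:, and flag a display name that
    name-drops a trusted domain the address does not belong to."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = host_flags(domain)
    if not is_trusted(domain) and any(t in name.lower() for t in TRUSTED_DOMAINS):
        flags.append("display name claims trusted domain")
    return flags

def link_flags(url: str) -> list:
    """Check scheme, the userinfo trick (trusted name before '@', real host
    after it) and the host itself."""
    p = urlparse(url)
    flags = host_flags(p.hostname or "")
    if p.scheme != "https":
        flags.append("not https")
    if p.username is not None:
        flags.append("text before '@' is not the real host")
    return flags
```

A non-empty result is a reason to pause and verify by phone, not proof of fraud; an empty result is not proof of safety either, since a compromised genuine mailbox passes every check here.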
11. Sharing is not caring (about security)! Your personal information can be mined both on- and offline, making you vulnerable to identity theft and putting your network at risk. Limit the personal data you expose on social media channels and always be cautious when surrendering information through phone calls or emails – do you really know that this person is who they say they are? If in doubt, perform a background check by calling the company they claim to be from or ask questions until you are satisfied. Finally, make sure websites are secure by looking for “HTTPS” at the beginning of the URL, for example, when conducting online purchases.
12. Plug and pay … the price. Be aware that inserting USB keys that have been used on other devices can pose a significant risk. Connecting USB keys, external hard drives and even smartphones to your work computer can result in the transfer of malware or viruses to your network.