Cybercrime is a multi-billion-dollar industry, and it’s on the rise. According to a recent survey, the last two years have seen a clear increase in the number of Norwegian businesses exposed to phishing, malware, distributed denial of service (DDoS) and hacking attacks. In 2017, one in five Swedes was exposed to some form of cybercrime.
Criminals are searching for gaps in your defences 24/7, and they’re usually after money. That poses a real danger to treasuries and finance departments across the Nordics. Fortunately, there are practical steps you can take right now to bolster your defences. We spoke to leading cybersecurity experts for their top recommendations.
1. Know your value chain
Understanding your value chain is the first step towards risk reduction. Begin by identifying and prioritising all of the assets your treasury needs to protect. This is likely to involve discussions with your bank and any third-party providers you work with on a regular basis. Consider what the damage of a potential attack would be.
This should inform a conversation with your IT department, enabling them to develop a risk mitigation strategy that gives you protection where you need it most. You can work together to address the most urgent vulnerabilities, with the goal of progressively becoming more secure. The dialogue between your departments should be ongoing and include employees at all levels.
Know your value chain and the assets you need to protect. That’s an absolutely crucial first step for all companies. You need to know what’s at stake.
2. Educate your employees
Since 2016, phishing and social engineering attacks have risen more than any other threat. These attacks work through manipulation and deception of human targets, so educated employees are one of your best defences. Make sure everyone knows how to spot the signs of a suspicious email, phone call or SMS. Even if it looks official, they should question any request that seems out of the ordinary, for example, for a sudden payment or to change an account number on an invoice.
Security training should be an ongoing commitment. Consider holding regular seminars and hands-on training workshops, then offer e-learning modules as a supplement or refresher. Cybersecurity training should be done for all new employees, and department-wide training should be held every three months at a minimum.
The threat landscape is constantly changing, so you also need to stay abreast of new developments. It’s a good idea to subscribe to the latest whitepapers and reports and share them with your team. If you haven’t already, read the Norwegian Computer and Data Breach Survey 2018.
Securing technology is often the ‘easy part’ —it’s the human factor that’s hard to control. People tend to be your weakest link, and criminals know that.
3. Follow the “four eyes” principle
Payments are an obvious target for criminals. They might hack into your system and change an account number on an invoice. Or they might email an employee impersonating someone in authority, like the CFO, and instruct them to change a suppliers’ account number in your system.
This means you need to be hyper-vigilant about all payment processes. The experts we spoke to recommend following the “four eyes” principle: always have at least two people check any payment. This should be done carefully and consistently—don’t speed through the process just because it’s routine. Make sure employees know exactly what they’re looking for and what’s at stake.
It doesn’t matter how big the lock on your door is if you’re giving the key to everyone.
4. Don’t just rely on employees
You should have clear policies for employees to follow, particularly if an incident happens. Make sure they know who to send flagged emails or suspected malware to for investigation. But don’t just leave security entirely up to your employees’ discretion. Your finance department should also have robust cybersecurity policies and routines in place. This can help you eliminate some of the most glaring vulnerabilities.
Some of the basics are: restricting the use of USB sticks, blocking access to dangerous websites, using and updating firewalls, restricting employees’ use of insecure or public Wi-Fi, using random password generators and enforcing two-factor authentication for all accounts. There should also be a clear reporting procedure for when work devices are lost or stolen. Most of these precautions are common knowledge, but it’s surprising how many companies fail to enforce rules or follow procedures consistently.
I’ve worked in cybersecurity for over 20 years, and I’ve seen the threat landscape become much more sophisticated. We’ve seen the rise of DDoS attacks—initially it was just a few hobbyists building botnets, but it’s evolved into huge attacks and lots of critical damage. Email is also becoming a very dangerous medium.
5. Enhance your cashflow visibility
Monitoring your cashflow and liquidity is one of your core roles—but improving this visibility can also help your security. Moving towards a “single pane of glass” view makes it easier to recognise suspicious activity and detect breaches early.
Nordea is developing a Treasury dashboard which will soon offer a real-time, aggregated view of all your accounts. Artificial intelligence (AI) driven analytics and machine learning technology can also help to detect patterns that are out of the ordinary.
Don’t look at security as a business expense. Try to see it as an investment.
6. Avoid naming and shaming
Who’s fault is it if a social engineering attack succeeds? It’s tempting to blame the person who clicked on a malicious link, fell for an imposter’s phone call or transferred money to a fake account. But blaming or reprimanding employees doesn’t undo the damage. More importantly, you risk scaring employees out of reporting future incidents.
Ultimately, the responsibility for security lies with your company. Employees should be educated about the risks and know how to spot signs of suspicious behaviour. Take every incident as an opportunity to learn from their mistakes and strengthen your defences.
Cybercrime isn’t that different from traditional crime—they’ve just swapped crowbars for computers. If your employee was mugged in the street, you wouldn’t blame them. So why punish an employee who falls for phishing?
7. Work with your bank
When an attack happens, the worst thing you can do is stay silent. At Nordea, we have dedicated fraud handling teams, and we know that dealing with security incidents can be a sensitive matter. We’ve seen it all—from love-based phishing scams, where victims are deceived through online dating, to business phishing and CEO fraud. While different, these attacks often lead to similar feelings of shame and embarrassment.
But the sooner you alert us to incidents, the sooner we can work with you to reduce or mitigate the damage. And by sharing our stories and lessons learned, we can progress towards a safer digital world.