As companies – alongside customers and governments – do more business online than ever before, they not only enjoy the benefits of the digital world, but they also are exposed to its threats. Aside from high-profile breaches covered in the media – from Targets to Sony – organisations are actually under constant attack. As an example, FireEye´s threat map demonstrates how thousands of attacks are happening in real time.
But how can a company protect its data both within the its network and in the cloud, against dynamic malware, targeted spear phishing emails, elaborate web attacks and other sophisticated, ever-changing tactics? Here are five actions organisations can take to improve data security and prevent fraud:
Define a security management program
Put together security objectives, policies and procedures in a program. Use for example ISO 27001/2 as a framework. Assign clear responsibilities to manage security risks based on the program.
As new threats are being discovered every day, work with industry experts to stay current on security issues and maintain the highest level of protection. Also, use third-party audits, such as SSAE16 SOC2, to get independent feedback on the thoroughness and effectiveness of your program.
Mitigate human error
Companies tend to focus on external intruders, but security threats and fraudulent activity often come from within an organisation. Internal resources accidentally create security issues or even worse intentionally perform malicious acts. Therefore, make sure all staff is well trained and up to date on the latest security policies. Additionally, take actions to protect your data from unintended behavior and to identify internal threats immediately.
Use current technology and work with partners
Legacy technology is rarely able to support current industry standards for security. As corporations start to realise that they either don’t have the talent, capacity, or money to guarantee the required security standards of their installed software applications, they look into outsourcing their IT increasingly to the cloud and only service core systems like the ERP system(s) in-house.
By outsourcing applications to vendors that are expert in hosting the software, they not only get a higher level of service defined in a Service Level Agreements (SLA), but they also benefit from the vendor’s economies of scale in areas like security protection. If they are part of a community of clients on a multi-tenant software-as-a-service platform, they will share services and costs. These savings can also be quantified as part of their return on investment.
Centralise access and control through authentication
Authentication is a key component to security and fraud protection. Many companies struggle with a disparate system landscape created through mergers and acquisitions, global operations or a weak IT policy. Using industry standard authentication technologies such as Security Assertion Markup Language (SAML), companies can centralise system access and authority for their global staff, using a common identity provider.
Today, dual factor authentication has also become the industry standard, especially with systems that can be used to manage financial transactions and payments such as temporary transaction authorisation numbers.
Balance security budgets and levels
Although security levels can never be too high, it is easy to spend time and money on preventing cyberattacks without adding much extra value. Make sure investments are providing measurable mitigation on real and present cyber dangers. Keep on top of industry trends and mitigate risks before they become an issue for the company and its customers.
Commonly, data protection is an IT task. However, CFOs and treasurers are very sensitive when it comes to cyberattacks and fraud, given the sensitivities around financial data and the damage that may derive from payments going to the wrong accounts or money disappearing from corporate bank accounts. In addition to participating in their company´s security management programs, here are three things finance professionals should think about:
Make cash visible
Knowing the balances and movements for each corporate account is the logical first step to avoiding fraud. Fast-growing corporations often struggle with cash visibility. This starts with not having an overview of all accounts across the company’s different banks. Under this condition, it often takes days to put together the cash position. Without a clear picture of a company's financials, cyberattacks can go on undetected.
Control payment workflow
The payment system is of particular interest to cyber criminals as it contains a lot of sensitive data, including information on clients, suppliers and employees, but it is also the place for illegal money transfers. Finance professionals should implement strict authorisation and approval workflows to assure secure payments. Defining signatories per account and different levels for payment approval workflows through a 4-eye-pricipal or 6-eye-principal are established best practices.
Use current treasury technology
Today, finance departments are often responsible for selecting and implementing new treasury technology themselves. Considering cyber threat, fraud and human error, finance professionals should make sure they have current technology in place that helps them to collaborate with global subsidiaries to make global cash visible and to control transaction workflows.
As many treasury software providers are moving to the cloud, finance departments are able to outsource their technology to experts providing high service and high security levels. At the same time, they get specialist capabilities that help them to make cash flows and workflows transparent and secure.
Security is all about identifying risks and mitigating them on an ongoing basis. Therefore, it is critical that corporations take a structured and consistent approach to managing cyber threats globally, both within treasury and across the IT organisation.
By Phil Pettinato, Chief Technology Officer at Reval and bobsguide Contributing Editor