Treasurers walk a fine line as they try to reduce the risk of cybercrime by taking humans—often the last line of defense—out of vulnerable processes like payments.
Mitigating cyberfraud in the treasury and payments area (including AP) is tricky when it comes to people risk.
- On the one hand, people are the weakest link because they can be convinced by cyberfraudsters deploying social engineering to violate procedure to send out payments they shouldn’t. Or, being human and fallible, they click on a link that they should not or enter a real password into a phony site.
Get people out of the process. Human fallibility prompts cybersecurity experts, like one from JP Morgan at our Asia Treasury Peer Group Meeting in Singapore last April, to recommend straight-through, or machine automated, processing of payments. Machines can be programmed to stick with protocols and even evaluate the authenticity of change requests.
Keep people involved in oversight. On the other hand, there are plenty of anecdotes where human beings have proven to be the last line of defense. People who show good judgment or sense something is amiss can be the difference between a cyberevent succeeding and being stopped.
This tension was a focal point of a session on cyberfraud led by Societe Generale at our recent Global Cash and Banking Group meeting. The bank cited the need both for artificial intelligence and machine verification of IBAN numbers and for robust callback procedures (just make sure there is a secondary verification that the person on the phone is who he or she claims to be, even if the voice sounds like them).
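Machine verification of an IBAN, as the bank describes it, is the kind of check a payment system can apply before a human ever sees a bank-detail change request. The script below is an added example written for this article, not code from Societe Generale or from any vendor named here: it validates the IBAN check digits (the ISO 7064 mod-97 rule) and a country-length table, then screens a requested bank-detail change against the record on file and returns findings that route the request to the callback procedure. The country-length table is a small constructed subset of the published registry, and the IBAN values used are the well-known public sample IBANs, not real accounts.

```python
import re

# Constructed subset of the IBAN registry: expected total length per country code.
# A production system would load the full registry published by SWIFT.
IBAN_LENGTHS = {"DE": 22, "FR": 27, "GB": 22, "NL": 18, "ES": 24, "IT": 27, "BE": 16}


def normalize_iban(raw: str) -> str:
    """Strip whitespace and upper-case, so 'de89 3704 ...' and 'DE893704...' compare equal."""
    return re.sub(r"\s+", "", raw).upper()


def iban_is_valid(raw: str) -> bool:
    """Structural check plus ISO 7064 mod-97-10 check digits.

    The check catches typos, single-digit tampering and most transpositions;
    it does NOT prove the account belongs to the vendor. That is what the
    callback is for.
    """
    iban = normalize_iban(raw)
    # Two-letter country, two check digits, then 1-30 alphanumerics.
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}", iban):
        return False
    expected_len = IBAN_LENGTHS.get(iban[:2])
    if expected_len is not None and len(iban) != expected_len:
        return False
    # Move the first four characters to the end, map letters A..Z -> 10..35,
    # and the resulting integer must leave remainder 1 when divided by 97.
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def screen_bank_change(iban_on_file: str, requested_iban: str) -> list:
    """Return findings an analyst should act on before a vendor bank change is applied.

    Hypothetical helper for this example: the finding names are assumptions,
    not identifiers from any treasury product.
    """
    findings = []
    old = normalize_iban(iban_on_file)
    new = normalize_iban(requested_iban)
    if not iban_is_valid(new):
        findings.append("INVALID_IBAN")
    if old == new:
        # Nothing changed: a request to "update" to the same account is itself
        # worth a look, but it needs no callback.
        findings.append("NO_CHANGE")
        return findings
    if old[:2] != new[:2]:
        # Payment country changing is a classic indicator of a redirected payment.
        findings.append("COUNTRY_CHANGED")
    # Every real change goes to the callback procedure against a number already
    # on file, never one supplied in the change request itself.
    findings.append("CALLBACK_REQUIRED")
    return findings


if __name__ == "__main__":
    # Public sample IBANs, not real accounts.
    print(iban_is_valid("GB82 WEST 1234 5698 7654 32"))
    print(screen_bank_change("DE89 3704 0044 0532 0130 00", "GB82 WEST 1234 5698 7654 32"))
```

The important design point is the last comment in `screen_bank_change`: a checksum that passes only says the number is well formed, so the machine step filters out garbage and flags risk indicators, while the decision to pay still rests on a callback to a phone number the company already holds.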
- “It’s important to have a balance,” one member said. She cited internal red team exercises where the team’s efforts to hack into treasury systems are often recognized by the treasury team after noticing that something does not look right. “People are part of the defense.”
If people are to be part of a balanced approach to cyber risk, then they have to remain educated and aware of what to look for. This is one reason treasurers updating their cybersecurity practices at our Treasurers’ Group of Mega-Caps meeting recently cited increasing the frequency of meetings with information security heads to at least quarterly.
- “The types of attacks and various vulnerabilities change so fast now that we need to keep up,” one treasurer noted.
People pleasers beware. Customer-service (aka business-support) oriented roles, and individuals with a service mindset generally, are often the ones targeted.
Remote country staffers. Another area of vulnerability is people with access to payment systems at the periphery, such as joint ventures or minor affiliates in remote countries far from headquarters.
- So don’t ignore these cohorts when balancing cybersecurity systems and people training.