The AFP's annual Corporate Treasurer's Council Forum was held in Chicago last week and titled "Treasury in the Information Age." CTC members include senior financial professionals from around the world and representing a diverse slice of the global economy. Aneesh Chopra, the U.S.'s first CTO and now co-founder of Hunch Analytics, gave the keynote and launched the day's schedule of roundtables and talks. Cybersecurity and risk mitigation are top concerns for corporate leadership, and treasury departments are playing a key role in setting strategy and managing ongoing cybersecurity-related functions across the enterprise. We attended and participated in this year's Forum to see what we could learn about the current environment, best practices, and strategies for the challenges ahead.

[Image] Corporate treasury departments are playing a key role in setting cyber security strategy and in ongoing risk management and mitigation functions across the enterprise.


Thursday morning was kicked off early by CTC's executive director, Craig Martin, and with his first comment, "How many of you are thinking about your cyber risk this morning?", I knew I had come to the right place. It soon became clear that professionals in corporate treasury departments around the world are addressing cyber security and geopolitical risk with equal measures of intensity and urgency. Corporate executives face daily the potential for financial loss, brand damage, and risk to their professional reputations as attacks become more sophisticated and engineered for maximum effectiveness at some of the most vulnerable points in the organization. Martin's comments specifically regarding phishing emails remind us that cyber security is no longer just about technology and that the IT department alone cannot mount an effective defense against the risks of today's hostile online environment.


Martin then passed the podium to Ahold's Group Treasurer, Andy Nash. Nash commented on the challenge of fully leveraging technology for productivity while controlling the corresponding risk in the process. Highlighting the week's latest headline breach as an example, Nash pointed to the IRS's well-intentioned "opening up" (online tax returns and record retrievals) giving way to the theft of personal information for over 100,000 individuals from the agency's website. Besides being the perfect segue for introducing the keynote speaker, Aneesh Chopra, and his presentation "Opening Up While Locking Down; Maximizing the Value of Your Data," the example was ideal because of the multi-faceted implications of this breach and their relevance to the concerns and issues we were to discuss over the course of the day.


Punctuating the theme, The Washington Post covered the theft at the IRS the next day with "How the Breach of IRS Tax Returns is Part of a Much Bigger Problem Facing Taxpayers." We think the Post got it right, except that, consistent with our operating experience at Total Digital Security and our takeaways from the roundtable later in the day, the "bigger problem" applies well beyond tax returns and the identity theft and financial fraud taxpayers now face as a result of the IRS breach. It was these problems, which apply broadly and deeply across the enterprise, that we would find common to the discussions and concerns at the roundtable we were soon to host.


[Image] Aneesh Chopra, presenting "Opening Up While Locking Down; Maximizing the Value of Your Data."


Aneesh Chopra was the country's first CTO and wrote “Innovative State: How New Technologies Can Transform Government”. He had found success at the state level tapping the internet for ideas, innovation, and advanced levels of productivity using proven private-sector methods, and he brought that thinking to Washington with the support of the Obama administration in 2009. The contrast, from a quality and productivity standpoint, between crowd-sourcing, force multipliers, cloud-hosted information, and new, innovative thinking on one side and the traditional approaches of big government on the other is beyond striking. At one extreme are the glacial pace and nosebleed-high costs of traditional governmental process; at the other are multiple examples of history's greatest personal fortunes being made over staggeringly short periods of time. So extreme is the contrast that the notion of an "open" government, for the sake of unleashing some of these resources, has full bipartisan support, says Chopra.

With "opening up," of course, come increased challenges to remain "locked down," that is, in control of your data and protected from cyber threats. Chopra used examples across the private and public sectors to make his points and stressed the challenges within our legal framework, the options we have for risk mitigation, including industry internet channels within the public internet, and what individuals and organizations can do today to increase the security and reliability of their networks.


The Forum's agenda included a variety of topics pertinent to the gathering, but for the purposes of this report we will focus on the cyber security elements of the subject matter. We were asked to host a roundtable discussion Thursday morning, "Cybersecurity, How to Reduce Your Risk," which I had the pleasure of leading along with Laura Harkins, a treasury professional from the corporate sector. Our 75 minutes were spent with a large group of individuals from industries including publishing, agriculture, airlines, hedge funds, private equity and financial services, and biopharma, among many others. It was a dynamic conversation with lots of engagement and real-world experience that, even given the diverse audience, seemed to resonate with a common tone across the group. After our introduction to the group, we launched in by framing the session with the following points:

  1. We understood that the audience had heard presentations from the FBI and other national security agencies, as well as from their respective corporate IT departments. We knew that, as participants in the roundtable, they understood the risks, the stakes, and the extent of their responsibility, and we hoped to add context and perspective that would lend long-term effectiveness to their thinking about the matter.
  2. We had no silver bullets and would not be recommending specific solutions or technology; risk elimination isn't possible, but increased mitigation is.
  3. For context and perspective:
    • The smartphone began the internet's democratization of cyber risk by driving information and value out to the ever-expanding perimeter. By average estimates, device count is doubling every year, and the devices are increasingly connected, smart, and "aware." As a result, cyber attacks have shifted from being server-centric and "vertical" to being device- and individual-centric, or "horizontal," sometimes aimed in volume at many targets simultaneously.
    • Moore's Law is driving change, and after a half-century of compounding, the exponential effect is really kicking in.
    • The delta, or chasm, between hyper-changing technology and the ability of its users (us, as biological beings) to manage the change is going parabolic.
    • Sophisticated, global criminal syndicates have figured this out and are redirecting resources to cyber crime for its unlimited upside, measured downside, the ease and safety of perpetrating the crime, and the anonymous, portable, and liquid reward (digital currency) it pays.

With these points in mind, we were going to discuss cyber security in this roundtable not so much in terms of the technology, but in terms of a social science. The technology will take care of itself, riding the same cost/performance curve the hackers do. It's true that, technologically, cyber warfare has always been asymmetrical, with the advantage to the bad guys, especially at the battlefield's perimeters. But for most multinational companies, the IT department is on it, and new regulations coupled with heightened consumer awareness are driving investment capital toward innovation in the space.


With the tone set and an engaged group on point, the conversation opened and many individuals from disparate industrial and geographical viewpoints joined in. Clearly the group knew firsthand of the threats at the perimeter, where people and technology meet, and how the human element was fast becoming the predominant challenge at hand. They had faced phishing emails, financial fraud, and product and IP theft, with losses ranging from staggering amounts to small sums of money. In some cases, small amounts of funds and product are regularly drained, akin to shrinkage in a traditional environment.


There were examples of socially engineered email attacks that showed tremendous preparation, research, detail, and patience. The emails have successfully led to fraudulent wires of large sums of money, perfectly timed and executed to leave no chance of recovering the funds. Product has been delivered or diverted fraudulently, and employees inside the organization remain a culprit in information and IP theft.

The implications of the IRS attack, as reported in the Washington Post and referred to earlier here, apply across the board: the hackers are sophisticated and motivated by profit, personal information is collected and curated over time for multiple future uses, some attacks are orchestrated by multiple parties that are in on the scam, and the problems are escalating at a fever pitch.

Additional takeaways from the roundtable discussion include:

  1. Broad, firm-wide training is essential for a higher level of awareness and readiness, along with function-specific training depending on the employee's responsibilities.
  2. Cultural change and leadership support from the top down are required.
  3. The IT department cannot solve or sufficiently mitigate the problem by itself and requires partnership across the organization.
  4. The treasury department is especially well placed to partner with the organization's broader risk-control functions.

For us, it became evident that corporate treasury is playing an increasingly important role in setting cyber security strategy and in the ongoing risk management and mitigation functions across the enterprise. The treasurer's office knows where the corporate assets are, who is around them, and how the assets are accessed and managed. It is at these key junctures within an organization that cyber criminals, hackers, and malicious employees will apply sophisticated measures: information theft, financial fraud, and socially engineered phishing attacks.

Treasury professionals are trained risk managers, and they are fully prepared to play their part in the fight against cyber crime. While we were mostly there to facilitate the discussion, we left the group with some thoughts of our own:

  • Watch the peripheral environments and be concerned with remote locations, mobile users, and the supply chain as weak points in the system.
  • Think about people and how they intersect at the perimeter, and look to add additional security measures at that juncture.
  • Quality training is essential and needs to go beyond the enterprise- and IT-centric view. Address the issues from the individual's standpoint, empowering them beyond the workplace. This approach will enhance effectiveness, buy-in, and long-term retention.
  • Follow innovation in the cyber security space that is user-friendly by being software defined and requiring minimal behavioral adjustments. SECaaS (Security as a Service) will increasingly provide effective measures for the individual and their connection to perimeter environments.
  • Have a plan, especially for roles and responsibilities in the process of reporting an attack or breach.


For more on protecting your organization, people, and assets from the escalating risks and consequences of cyber crime, please contact Total Digital Security at 1-877-643-6391, or contact me directly at brad@totaldigitalsecurity.com
