So-called Big Game Hunting (BGH) puts large corporations at risk of losing huge sums. Treasuries must learn how to protect themselves.
Paul Gillen, Chief Information Security Officer, Barclays Europe and Helen Kelly, Head of Europe, Barclays Corporate Banking take a closer look at what 32%1 of treasurers have identified as their top regulatory concern over the year ahead.
1TMI and Barclays European Corporate Treasury Survey 2021^ (PDF†).
Ransomware
With almost 1,400 recorded incidents1 in the first 7 months of 2021 and Big Game Hunting (BGH) on the rise, such attacks are a serious threat to corporations. BGH involves the use of “ransomware tactics, techniques and procedures (TTPs) to extort large sums by holding systems and/or data hostage,” explains Paul Gillen.
Companies that can least afford downtime or have high-value intellectual property (IP) are prime targets and criminals will “hunt them down over weeks and months,” Gillen warns. In Q4 of 2020, the average downtime due to a ransomware attack was 21 days^ and the mean global cost of remediating an incident rose to $1.5m this year, up from $761,106 in 2020^.
Phishing
Fraudsters pose as legitimate sources and send emails that aim to trick people into divulging sensitive information or transferring money. Typically, there’s a link to a fake site.
Alternatively, emails may contain an attachment or link which, when opened or clicked, allow criminals to access your system.
1Cyber Defence Alliance, Ransomware-as-a-Service Alerts, 1 January 2021-31 July 2021.
Equip your team for the fight against cybercrime
Create a programme of ongoing education and training
to ensure the treasury team understand how cybercrime works and what they can and should do to protect themselves and the business.
Keep on top of evolving threats
and communicate that throughout the business. Barclays offers regular webinars that can help as part of an awareness programme.
Make sure your processes are robust,
that any necessary changes are noted, and that the team is informed of new requirements, for example, multi-factor authentication. Also look to automate treasury processes where possible.
Build a culture of openness
where people aren’t afraid to speak up (and there are mechanisms to enable that) and where cybersecurity is seen as a collective responsibility.
Regularly update anti-virus software
and install any patches immediately when notified.
Make it clear what steps a treasury team member should take
if they feel that they may have fallen victim to a cyber-attack. This can facilitate a faster response and potentially reduce exposure.
Mobilising human resources is essential in the fight against cybercrime.
Covid-19
“In early 2020, we saw organisations having to shift to entirely different ways of working, almost overnight,” Helen Kelly recalls. The rapid pivot in operating environments laid bare technological vulnerabilities in organisations around the world. Even when remote-working software and protocols were in place, cybercriminals continued leveraging Covid-19 as a theme for phishing emails. With employers and employees in a state of turmoil “logical thinking around cybercrime was put to one side and people clicked links that they wouldn’t have under normal circumstances,” Kelly believes.
Initial access brokers (IABs)
These groups sell access to victim organisations as a service, often collaborating with criminals who focus on malware development and execution. Paul Gillen adds that “many of the major IABs started off as developers of banking trojans, gradually adding network intrusion capabilities. They’ve been used during recent major cyber intrusion operations, and in some cases initial access may have been bought or sold by nation-state adversaries.”
“The ransomware business model is evolving to focus on supply chain compromises and aggressive extortion tactics. Recent demands have been as high as $70m and gangs are carrying out around 35 attacks every week^,” Gillen continues.
Ransomware-as-a-service (RaaS) and Distributed denial-of-service (DDoS)
RaaS is a growing area of cybercrime, whereby criminals pay other gangs for the services they need to perform a ransomware attack. DDoS is used against online services to force higher-value ransom payments.
A successful ransomware attack on a business’ payment system could, according to Gillen, result in it facing “regulatory action due to compromised personally identifiable information [PII], loss of monetary assets and loss of service. In turn, this could lead to reputational damage and loss of customer trust.”
Payment of ransoms is something treasurers must be extremely vigilant about. “Some corporates have paid them in order to bring services back online more rapidly, but we do not endorse the payment of money to criminal gangs,” Gillen firmly states. Not only does it encourage cybercriminals, “some ransomware operators are internationally sanctioned. Therefore, payments to such groups may cause an organisation to face regulatory or even legal action,” he adds.
While ransomware is rightly front and centre of any discussion about cybercrime, the aforementioned banking trojans continue to evolve and carry out “sophisticated network intrusion, which can be devastating for corporations,” Gillen warns. He adds that the attacks can be silent, “without a ransom and with no red flags, such as the theft of IP.”
CEO/CFO fraud, also known as business email compromise (BEC), has been a threat for years, but Covid-19 disruption has provided those who deploy it with new opportunities. Helen Kelly observes that, “BEC has found holes in some corporates’ armour in recent months.” The social engineering that informs a BEC attack is also becoming more sophisticated. “Senior company executives are at risk – arguably more than ever – with cybercriminals using online collection through social media and social engineering campaigns,” she adds.
Invoice fraud also remains rife, with cybercriminals sending fake invoices or looking to change the bank details of an existing supplier to divert money. “Unexpected changes in personnel, bank account details or telephone numbers are red flags to watch for here,” advises Kelly.
"People are one of the best defences against cybercrime,” says Kelly. Gillen agrees, adding “Cybersecurity is a team sport. It’s not about looking at one function over another but examining how they work together and how threats might target the organisation through different pathways. A joined-up approach to cybersecurity is essential – and this extends beyond the four walls of the organisation to trusted business partners.”
In addition to collaborating with trusted partners, Barclays deploys the latest technology behind the scenes to analyse customer behaviour and ensure it truly is the client that we’re interacting with. Any anomalies that are detected are flagged up to the client to ensure that a fraud is not occurring.
We place significant emphasis on education and training, often working with organisations to help identify weaknesses in their cybersecurity protocols and bringing employees up to speed on threats to look out for. “I would encourage treasury leaders to hold regular sessions with their teams around the threat landscape,” advises Gillen. “Team members, no matter how junior, need to feel able to question instructions – even if they purport to be from the CFO or CEO. Reducing a sense of urgency should also be permitted where necessary. It is far better to stop and question payment instructions, and potentially send a payment late, than to send a fraudulent payment on time.”
“Although it isn’t the cutting edge of cybersecurity, it is vital to pay attention to strong authentication, patching, monitoring, and risk oversight. Treasury will be easier to defend if everyone takes care of the fundamentals,” he notes.
Kelly adds that automating processes to “reduce manual touch points decreases the number of opportunities for cybercriminals and fraudsters. Robotic process automation [RPA] can be applied to low-value, repeatable processes and then artificial intelligence [AI] can be layered on top to deliver more intelligent insights, in a safer environment.”
One of the biggest pitfalls to avoid when it comes to cybercrime is thinking that ‘it won’t happen to us’. Gillen and Kelly conclude with the following thoughts:
Cybercrime is extremely real. Businesses often make the mistake of thinking they have nothing of interest to cybercriminals. They could not be more wrong.
Chief Information Security Officer, Barclays Europe
Treasurers must take the lead and ensure their team is always ready to deal with the evolving threat landscape. Cybersecurity is no longer an add-on to the treasury role; it is the backbone for best practice.
Head of Europe, Barclays Corporate Banking
Content taken from article originally written^ by Eleanor Hill and published by Treasury Management International.
Read related Insights
Across Europe, we provide corporate banking services supported by deep local market knowledge.
Your hub for international corporate insights. The latest on international trade, global corporate treasury, FinTech and other topical content.
Real Time Payments are fast becoming essential in a B2B environment, so how can treasurers take advantage of the latest innovations?
With ESG becoming a board-level priority, how can treasury teams proactively support the wider organisation’s ESG goals?