There are many best cybersecurity practices that treasury executives can follow within treasury.
One easy step treasurers can take is to set up a dedicated computer on which treasury initiates all fund transfers, a computer that can’t be used for email or surfing the Web, said Craig Jeffery, managing director at Atlanta-based consultancy Strategic Treasurer.
Treasury staffers should also practice “desktop hygiene,” he said, which includes not keeping account information on employees’ physical computers and making sure PCs and laptops have antivirus software and are regularly scanned and checked.
Laptops and other mobile devices should have encryption that would protect any corporate data in the event that the devices were stolen, Jeffery said. And users of laptops should protect against an unauthorized person using a flash drive to download data from the laptop.
Jeffery also cited the advantages of automated reconciliation. “If you have it automated, every day files are being compared,” he said. If there’s been some type of scam or cybertheft, “you will find the problem much more rapidly, and when you find it much more rapidly, you have the ability to contact the banks, and you may be able to get it frozen wherever it is and explain and get your money back.”
Jerald Seti, vice president of product management at Openlink, pointed to several best practices corporate treasuries should follow, beginning with being aware of the security aspects of the software treasury uses.
Treasuries should be sure to use permissioning, rather than giving employees permission to do everything on a given software system. “They need to go through, role by role, and make sure permissions are granted or taken away at a very granular level,” Seti said.
Treasuries should also be sure to employ dual authorization. “They want to be sure they implement four eyes or more,” said Seti, pictured at left. “Before a deal moves into the middle office or when a payment is keyed into the system, you probably want to have someone else just validate, review it, verify that the third party is legitimate, the bank accounts listed are legitimate.”
If payments are large, treasuries might have to have more people vet them, Seti said. “All that can be routed using workflows given the type of payment, the currency, and the magnitude of the payment.”
He also noted the “general housekeeping” that’s involved in software systems. “With most systems, you can designate, where am I putting my log files, where will my reports reside,” Seti said. “You want to be smart about where those artifacts reside. Are they in an environment that’s permissioned?”
Companies may not realize that producing a SWIFT message, for example, will result in a log entry or a backup that’s stored elsewhere on the system, he said. While the users may have forgotten about those records, hackers snooping around in the system could find them and access them if they’re not permissioned properly.
Jeffery, at right, said he sees shortfalls in treasuries’ bank account management.
“Do you have a complete inventory of all your accounts, all your signers, and all the security you have? That’s one that’s usually woefully inadequate for most organizations,” he said, adding that each bank account represents not only a cost, but also an exposure.
Companies should also have an inventory of all the payment files throughout the organization that includes where the files originated, whether they’re encrypted, and how they are transmitted to a bank or network, he said.
David Watson, global head of digital cash products at Deutsche Bank, also emphasized the importance of treasuries’ using two-factor authentication.
“If you’re not using two-factor authentication, get using it. The weakest link is people,” he said. “Any controls you can apply to the manual aspect of what you do, apply two-factor authentication. And remove as many manual steps as you can.”
Treasurers can also work to ensure that penetration testing is being done, both at their own companies and with their business partners, Watson said.