
Time for CFOs to get serious about cybercrime prevention

Payment risks and email scams are too complex to pass off to an insurance provider. They call for C-level involvement in making sure the entire trading partner network is secure.

Some CFOs and corporate treasury managers lack a sense of urgency about the need for cybercrime prevention and about the financial hits that could come from cybercrime attacks. Scanning conference rosters, I see an emphasis on cyberinsurance, which ostensibly transfers the risk of loss to someone else, all for the price of a policy. But an effective cybercrime prevention strategy requires much more than that. It requires CFOs to be proactive about making their networks secure.

The FBI certainly wants individuals and corporations to know that cybercriminals are becoming more sophisticated in their efforts to target victims. For example, a big worry for businesses this year involves tax return fraud and senior executive impersonation -- sometimes called business email compromise (BEC) scams. The tricksters typically get into a corporate network, impersonate a senior executive, such as the CEO or CFO, and then send a note to the keeper of employee W-2 forms. The villains ask for copies of those forms, which are full of personal financial and tax data. The next step is to file fraudulent tax returns that produce tax refunds, which the IRS then delivers electronically to the criminals' own bank accounts.

According to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, an earlier, related stunt "involves a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds." The FBI's 2015 annual crime report explained that some senior executives said "they had been contacted by subjects posing as lawyers or law firms instructing them to make secret or time-sensitive wire transfers."

The number of incidents of both types of BEC scams has been soaring, with some individual losses in the millions.

Ernie Humphrey, CEO and founder of 360 Thought Leadership Consulting, believes corporate treasury leaders are quite concerned today with BEC scams, and some, rightly so, are investing in training every employee involved in creating payments and approving them.

Payment risk should be a major focus of cybercrime prevention

There's more going on than executive email compromises. A well-known cybercrime involved Target Corp. in December 2013. The breach of Target's systems affected up to 110 million customers who shopped with credit cards. The compromised customer information included names, phone numbers, email and mailing addresses. In March 2015, Target reached a class-action settlement with affected consumers for $10 million plus class-action attorney fees. In May 2016, Target settled with affected banks and credit unions for $39 million plus attorney fees.

The Target case started with a heating, ventilation and air conditioning vendor that was compromised and had access to the corporate network, which wasn't properly segmented from the point-of-sale system. Experts have since pointed out that it's not enough to lock down a single company's network. As part of its cybercrime prevention strategy, a large, complex business should be able to certify as safe any part of the supply chain that accesses its network or with whom it does important transactions.

Consider just one scenario that is in the realm of cybercrime probability. What if criminals hack into your network and make a beeline for your accounts payable (AP) systems and files, which are often clogged with data entered manually? Benchmarking data from my former employer, American Productivity & Quality Center (APQC), reveals that, at the median, 58% of invoices are still manually keyed into financial systems by AP clerks. This means the typical large business (with over $1 billion in annual revenues) has an army of AP clerks doing manual data entry. And that data, which contains all manner of financial information about vendors and how their invoices get paid, is surely not certifiably safe at some businesses.

How big is such a risk? Has the probability of it happening even been quantified? I'm not sure. It's not the type of question CFOs are glad to discuss.

Humphrey is optimistic about changes on the horizon, but he has an added concern. "On the one hand, I do believe that CFOs are paying more attention to cybersecurity threats as they transition more to electronic and mobile payments," he said. "On the other, treasury leaders need to be very cautious and not become too comfortable with payment risk exposures as they rely more heavily on automation and third-party providers. More systems can mean new -- and, in some cases, increased -- exposures without the proper controls in place. Liability needs to be expressly addressed in agreements with third-party vendors."

The role of network resilience in cybercrime prevention

APQC recently spoke with Ray Rothrock, chairman and CEO of RedSeal, which makes a cybersecurity analytics platform. Rothrock is passionate about the concept of network resilience and how to measure it.

"A lot of security products deal with specific elements of the network, such as the firewall or the host," he said. "But I believe what you need is an overview of the entire network and a judgment about how resilient your entire network is, not just the parts. You need the diagnostics, intelligence and the capability to use that model to play war games with it, to conduct penetration testing against the entire network and to optimize existing cyberinvestments." RedSeal says it offers operating managers a way to measure the risk of systems compromise, including those that may lurk in a supply chain.

What is resilience? According to Rothrock, it's the capability to withstand and continue operating through a threat or actual incident. Unfortunately, he said, "networks aren't built with resilience in mind at all. There is very little resilience in a modern digital network. In your typical large corporate network are hundreds, thousands or hundreds of thousands of different devices from more than 100 vendors. They all do a specific function. They all have a configuration piece of software in them, and they interoperate." Rothrock said his software reads the configuration files and builds a software model that allows users to see the risks of changes in the network.

CFOs need to think carefully about gaining this sort of capability to monitor network risk, speak with the CIO to get his or her perspective, and investigate the options. That is how to ensure that investments in cybercrime prevention are made wisely.
