Cyber security is the focus of many business payments discussions these days, and rightfully so. Business email compromise (BEC) alone rose 2,370% in identified exposed losses between January 2015 and December 2016 – and those numbers are expected to get higher still. As organizations bear the daily burden of protecting their payments, one question looms large: what can be done? Strategic Treasurer’s Craig Jeffery asked that and more when he spoke with security and business payments experts from Bottomline Technologies, a leader in business payment automation technology for more than 30 years. In this “Fintech HotSeat” interview from the 2016 AFP conference, Craig spoke with Dave Allen, Bottomline’s VP of Cyber Fraud and Risk Management, as well as David Levine, Director of Financial Messaging N.A. Here is an excerpt from their conversation. You can see the full interview on YouTube.
Craig Jeffery: Fraud is often thought of as an external threat. According to our research, however, current and former employees are identified in a significant number of fraud instances. Given that, what is Treasury’s role in security? It’s a function that’s historically thought of as raising funds, but there’s an asset protection element there as well. What are your thoughts on that?
David Levine: When most people think about security, they tend to think of the Chief Information Security Officer (CISO) or the Chief Security Officer (CSO). That’s fine, but it shouldn’t be overlooked that Treasury is responsible for the financial health of an organization. Therefore, that role has to be involved in understanding fraud risks and how to mitigate them. Take, for example, the fact that more than half of all business payments in the U.S. are still made by check. That’s a huge source of fraud threat that has to be addressed. For the rest of organizations using payment automation, their threat is different, but no less pervasive and dangerous. Time is of the essence in those cases. Once a fraudulent wire payment is made, it’s too late. To stop fraud threats before they happen, Treasury has to understand the behavioral patterns of the organization in order to spot the red flags that are indicative of potential fraud. The buck stops with them.
Dave Allen: There are many very public instances of fraud that highlight how ineffective traditional security and fraud protection methods generally are. I’m thinking of one specific example where fraudsters were casing the systems of a major retailer for six months before they actually took action. They weren’t modifying data, they were just canvassing the environment looking for the right vulnerabilities to attack. Traditional security tools would not have picked up that activity. It’s a frightening reality, but fraudsters can live inside the application environment undetected for an indefinite amount of time. Protecting against these kinds of threats requires a proactive monitoring tool that can analyze behavior by individual user or by groups of users to determine what typical behavior is, making it easier to identify and isolate criminal activity before it happens. That’s the next step organizations need to take to achieve true security.
Craig Jeffery: So the key is to watch for anomalous behavior that’s usually a precursor to fraudulent activity, whether internally or externally?
Dave Allen: Exactly. Now keep in mind, it isn’t enough to just be able to identify the activity. You also need to be able to take preventative action. Whether it’s through an alert or, ideally, the ability to actually block the activity before fraud takes place.
Craig Jeffery: So this is like the anti-virus of behavior?
David Levine: That’s actually a great analogy, because if you look at what’s happening with the uptick in sophistication of these fraud attempts, most existing security solutions are like antibiotics that are no longer effective because the bacterium has mutated into a different form. That’s exactly what we’re seeing here, where as the sophistication levels rise, organizations are faced with a constant battle trying to keep up. Unfortunately, fraud protection isn’t something you can just do once and be done with it.
Craig Jeffery: So all of this being said, let’s talk about the scope of the Treasury Security Framework. Every organization has distinct areas that need to be covered in terms of security, everything from 3rd party elements such as banks and Treasury providers to the inside of the organization which involves all employee actions to the perimeter and everything else in between. That’s a lot of ground to cover. What should organizations focus on in terms of priority?
Dave Allen: When we talk to treasury and security teams, we’ve noticed that there’s a lot of emphasis placed on perimeter security and preventing perimeter breaches executed by external parties. While that aspect of security absolutely has to be shored up, it shouldn’t be the sole focus. At least 1/3 of fraudulent activity that takes place involves someone on the inside that had access to privileged information. That doesn’t mean the insider was acting maliciously of course. It could be a simple matter of their credentials being compromised through malware or something. But the overall point is that if all you’re paying attention to is breaches from the outside, then you’re missing a significant number of threats happening right within your own walls.
David Levine: Something else organizations need to remember is the security of the partners they do business with. Whether it’s a network communication solution such as SWIFT, the bank, etc., there’s connectivity there and each of those connections represents a potential risk that has to be controlled. That’s why it’s so important to implement behavior analytics technology that helps you understand what your employees – or “apparent” employees – are doing. It’s the most reliable way to detect the anomalous behavior that’s indicative of fraud. Simple things like why someone is looking at accounts in the European division when their job is in the U.S. or why are they looking at employee records of people who don’t report to them, etc. Those are all telltale signs of potentially serious issues and things that perimeter security could never detect or prevent.
Craig Jeffery: So what are the main takeaways people need to consider regarding risk management in their organization?
David Levine: The biggest piece of advice I’d offer is that organizations need to remember that security is not something that’s ever complete. There’s always going to be another attack. Another variation. A smarter virus. You have to recognize the ongoing threats and stop them across the entire infrastructure, making connections when you can between seemingly disparate occurrences, so that you can understand that they add up to a problem.
Craig Jeffery: Excellent points. Thank you both for taking the time to speak with me today. Given the increase in the frequency and severity of the security threats that are out there, this really is about increasing your defensive posture and remembering that true security is the ongoing process of staying ahead.