A Treasurer’s Guide to Fraud Prevention
When it comes to cyber security respectively the manifold threats against it, there’s no ceasefire ahead in the ongoing battle between attackers and defenders. For the time being, we shall remain subjected to a never-ending grind driven by new technologies on both sides. The many types of cyber-attacks seem to multiply faster than the heads of the legendary dragon, who grows seven new ones every time one gets chopped off. Phishing, vishing, spoofing, malware, ransomware, different types of fraudulent invoice scams, reputation attacks — the various ramifications of cyber-crime are as hard to keep track of as the incessant reports of high profile cases: the $81 million Bangladesh bank cyber heist, where criminals hacked the SWIFT network, the phishing scheme that conned Google and Facebook out of $100 million, last year’s WannaCry ransomware attack or hardware vulnerabilities like Meltdown and Spectre — and these prominent examples merely present the tip of a mighty sinister iceberg.
Triple treasury threat: system, process and people vulnerability
As treasury is one of the most sensitive functions within a corporate, it is especially vulnerable to different types of cyber-attacks. These correspond with various system, process and personnel weaknesses. On the system side, low access barriers and poor technical defenses pose an unnecessary risk. Processes are compromised by insufficient signature rights, weak control mechanisms, deficient SOD, decentralization and an overall lack of transparency. And, of course, there’s the old adage of the open door that might tempt a saint: people are a risk factor. And even though employees’ genuine fraud-intention is far less common than a lack of knowledge and training in security matters, the damaging results are the same.
The potential pitfalls in the realm of system, process and user security call for an overarching technology to warrant the best possible protection for your business. Let’s have a close look at the Treasury Management System side first, using Coupa Treasury as an example, because the way a TMS is set up ultimately governs processes and shapes user behavior. How do we ensure your system is resilient against various types of attacks?
TMS security: how a sterling system setup engenders proper processes
For starters, there’s the overall operating principle of the application, which provides automation as well as transparency. The former ensures that critical information like market data, account statements or deals transcripts can’t be individually manipulated. The latter makes all relevant data available to authorized users, world-wide and in real time. Because only the visibility of company-wide cash flows enables group treasury to detect irregularities and identify weaknesses across the organization.
A system-immanent key concept promoting visibility is the principle of dual approval, governing the processes related to it: if, for example, a new user is to be added, a single administrator’s consent will not suffice. Usually a head of treasury and an administrator from the company’s IT must both approve the user add for it to become effective. The same rules apply for the overall signature concept, when it comes to releasing payments: the system enforces a sophisticated, finely ramified process with multiple access levels by limiting user’s signature rights to certain accounts or payment limits, thus generating additional dual approval chains down the line. Corresponding to that, advanced rights and roles concepts are in place, which furnish each user only with the clearance and the authority necessary to accomplish specific tasks at a specific group company. Rigorous access controls like SSO coupled with IP restrictions further curtail user access by limiting individual log-in to select work stations and by only admitting subsidiaries within a certain range to those areas of the application pertaining to their assigned responsibilities. These measures are further enhanced by two-factor authentication with Treasury Connect or a token to log on to the application respectively to release a payment.
This multi-layered security approach pervades every aspect of the system, thereby enforcing safe processes that minimize the potential for abuse or errors by its users.
The clear segregation of duties is key on every level. Take, for example, the processing of a payment, which requires an independent action from two separate departments: accounting has to upload the payment file for treasury to release it.
This same principle that governs the processes within your organization applies to the way we operate as system providers: Our product managers are tasked with designing your system while our consultants implement it, our support team deploys it and our cloud service department operates it in coordination with your in-house IT. This makes for a resilient systemscape sustaining the entire process chain from user authentication and the application’s logical access security to the impenetrability of our servers and the data center’s physical security.
Server security & the power of three all over: technology, procedures, training
Thus, the same three-pronged approach of advanced technology, sophisticated policies & procedures and thorough user training that shapes the application’s design and implementation also governs the security of our server network. On the technology side, the combination of a network and a web application firewall restricts network traffic to legitimate sources and activities. Via reverse proxy and gateway antivirus all traffic is analyzed to detect potential intrusion attempts and keep harmful activity at bay. In the unlikely event of a primary device’s failure, secondary network devices, servers and datacenters replicating in real-time maintain the application’s availability. Disaster recovery via backups and snapshots allows administrators to restore the system from potential data corruption by backtracking to a point prior to its occurrence, ensuring data integrity.
This advanced technology setup is fortified by equally sophisticated information security policies. Externally, via legal requirements to comply with safety measures that safeguard the system and by government regulations like the GDPR. Internal considerations, like organizational requirements determined by your company’s management further govern your TMS’ processual integrity.
These policies are driven by our risk assessment protocol of interlocking procedures to guarantee paramount data security. Periodically, we identify the total inventory of assets — servers, workstations and data centers as well as information assets like customer data. Based on this, we assess the vulnerability for threats by gauging their likelihood and their potential impact. By identifying the controls in place, we determine the resilience of our security technology: is the firewall set up properly? Who has access to it and who’s in control of that access? To be prepared at all times for a worst-case scenario, we follow a four-pronged treatment strategy based on tried and trusted best practice standards: We accept a risk, if it’s low enough to be tolerated temporarily. Alternatively, we avoid it by removing a risk-bearing but non-critical part of the system. A third option is to transfer it – to an insurance company, for example, covering unforeseeable events – like a data center getting destroyed by a natural disaster like a flood or an earthquake. Option four – to mitigate an attack – we choose when the likelihood of an impending attack demands active measures, e.g. utilizing antivirus software, to reduce or neutralize its impact.
These security tools in the areas of technology and procedures are, of course, never complete without proper training of the people in charge of them. Hence, we provide effective training by custom-tailoring it for the respective recipients: What kind of knowledge, from a security aspect, do various employees in different roles need? An office administrator certainly requires different training than a Coupa Treasury user. Which goes to show, that cyber security — as well as cyber fraud — in the end is a people business. Despite the seeming supremacy of technology on both sides, it’s people who precipitate the damage and people who prevent it. And there’s the people at Coupa, whose business it is to empower the latter to beat the former. Now and in the future.
Want to learn more about our powerful treasury solutions? Time to discover Coupa Treasury.
