President Obama gave treasury and financial professionals some assistance in their fight against cyberattacks Wednesday when he signed an executive order establishing the first sanctions program to impose penalties on individuals and organizations outside the U.S. involved in cyberattacks and commercial espionage online.
The executive order labels malicious cyber activities as a “national emergency” and gives the Secretary of the Treasury the authority to impose sanctions on anyone overseas who engages in such activities and freeze their financial assets. The Administration said it is only targeting actors whose malicious activities could pose a significant threat to the national security, foreign policy, economic health, or financial stability of the U.S. Specifically, these activities include:
- Damaging or significantly compromising critical infrastructure
- Significantly disrupting the availability of a computer or network of computers
- Misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain
- Knowingly receiving or using trade secrets that were stolen through hacking
- Attempting, assisting, or providing material support for any of these actions.
The President wrote that the increasing prevalence and severity of illicit cyber activities originating abroad “constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
The recent CTC Guide on Cybersecurity, supported by Marsh & McLennan Companies, named cyberespionage as the most serious of the four major external threats today’s businesses are facing. The guide listed the dangers of a government or business obtaining access to a company’s intellectual property (IP), which could include core production information, such as formulae and production methods. “The loss of control of this data may allow another company to produce the same items more cheaply, threatening the long-term future of the target,” the guide explains. “Third parties may also want access to negotiating positions and tender documents when bidding for contracts.”
But while these sanctions appear to be a step in the right direction, they are not a substitute for investing in good cybersecurity protections at your organization. Special Agent Jason Truppi, FBI Cyber Division, who spoke with AFP for its upcoming Payments Security Guide, has a message for any treasury or finance professional who believes that their company’s system is completely secure: “What is made by man, can and always will be breached by man.”
Treasurers have to accept that their organizations will be exposed to cyberattacks, many of them minor. But if they can eliminate the majority of the noise, they’ll be able to see the biggest threats that are out there and identify those that have advanced knowledge of how to get the most data out of their system. To do that, Truppi explained, a best practice is to bring in industry experts who see these types of attacks on a daily basis.
Truppi also recommends a pair of documents that can help corporate treasurers shore up their systems:
- The Framework for Improving Critical Infrastructure Cybersecurity: The National Institute of Standards and Technology (NIST)’s outline for reducing cyberrisks to critical infrastructure.
- Defensive Best Practices for Destructive Malware: The National Security Agency (NSA)’s guidance on detecting and preventing malware intrusions.
Download the CTC Guide, Cybersecurity: Setting a Cyberrisk Management Strategy, here. Also, be on the lookout for the AFP Payments Security Guide, Payback: Securing Your Payment Channels, available for download next week.