[Ed. Note: This story has been updated.]
COPENHAGEN, Denmark -- With the rise of business email compromise (BEC) scams, treasurers know that they have to be more suspicious than ever when they receive a request for information or a payment from a questionable source.
But what if the request comes from a legitimate source?
Treasurers should be wary of those too, said Richard Turner, president EMEA for security firm FireEye, following his session on cyberthreats at the EuroFinance International Cash & Treasury Management conference.
In an exclusive interview, Turner told AFP that criminals are becoming so crafty in their social engineering techniques that some fraud rings are actually hiring legitimate organizations to call or email companies to inquire about information. Therefore, financial professionals need to be careful about giving information out—to anyone.
“Everyone needs to adopt a state of continuous vigilance,” Turner said. “It’s pretty easy for someone who has really got the ambition to compromise the organization that you work for and steal money from you. It’s relatively easy to get information and paint a detailed picture of who you are, where you work, and what your interests are.”
Financial professionals need to have protocols in place to make sure the requests they receive are legitimate and, if they don’t, then it’s up to the staff members themselves, Turner explained. “If I don’t have a process to really validate that it really is a CEO asking me to make a transfer—then you have to get people to be inquisitive,” he said. “People fall for quite simple attacks. They’re launched by sophisticated organizations, but often the attack itself is pretty straightforward.”
For example, an employee in human resources might receive an email that appears to be from a prospective employee. The email has a CV attached to it. “You’re probably going to open it,” Turner said. “And why not? You’re in the HR department; someone sends a CV, you’re going to open it. So you’ve got to make people think, ‘Who is this person? Is this coming from a place I recognize?’ And they need to be skeptical if that’s not the case.”
Turner noted that even poorly written emails that are obviously fraudulent get responses. “There’s a lack of savvy of victims,” he said. “Individuals need to take more of a proactive role in security. It’s not all about technology. So be vigilant and if you don’t know it to be true, be suspicious of it. Because if you’re an enterprise and you get breached, you’re a victim but you also can be held responsible.”
Turner added that many organizations spend too much time dealing with “noise level” security issues at the firewall that have nothing to do with the one deliberate, targeted attack that could bring the whole company to its knees. Noise-level attacks include small-scale malware infections, traditional viruses and the like. Intrusion prevention systems (IPS) and intrusion detection systems (IDS) catch these attacks, he said, but miss the ones that actually matter. “There’s an awful lot of security technology that just creates alerts,” he said. “Intrusion prevention and intrusion detection in particular have a habit of generating a lot of alerts. Most people looking at those alerts get more alerts than they can deal with.”
Companies like Sony and Target are prime examples of major corporations that spent huge amounts on cybersecurity but missed the individualized attacks that actually mattered. “And again, that stuff isn’t just technology; it’s the ability to respond,” Turner said. “A successful security strategy is one that allows you to return to normal, productive business operations as quickly as possible with the minimum business impact. That is the objective. It’s not about how to stop getting viruses, because that won’t work.”
Lastly, Turner advised treasury and finance professionals to avoid looking at security as part of compliance. “So most organizations try and get to that compliance level with the minimum amount of cost and effort involved,” he said. “The reality is that there is no standard model for security for every business. It’s got to be risk-based, proportionate and relevant to the organization in question.”

Check back here, or on Twitter, Facebook or LinkedIn, for more updates from EuroFinance.