AFP’s Payments Security Guide, underwritten by MUFG Union Bank, features key suggestions from the FBI Cyber Division on how treasury and finance professionals can shore up payments security.
Apply multifactor authentication
With cybercrime on the rise, multifactor authentication is a must. A determined criminal can often find a way around a second factor (a phished or intercepted one-time code, for example), but each additional, independent factor raises the cost of an attack, and authentication with three or more factors is considerably harder to defeat.
“If you’re using two-factor authentication and you have a person who’s willing to go above and beyond that, they’re going to go after your authentication methods,” said Jason Truppi. “It’s a constant battle that you’re just going to have to deal with. So you have to think about those things. Now people are using three-factor authentication.”
Truppi noted that there are some very strong screen-based authentication methods that companies would be wise to employ. Typically, an attacker's initial foothold on a compromised machine is a command shell rather than an interactive desktop session; they cannot see what is drawn on the screen until they have escalated privileges and dug in further. A challenge that can only be answered by looking at the screen therefore locks out that class of intruder. “So one of the things they’re doing for remote users is presenting almost like a CAPTCHA, but it’s specific to a corporate desktop,” he said. “It might show you a grid and ask you which two parts of the grid are colored in. And so that means you have to actually be sitting at the keyboard. You have to have some sort of physical token, along with a username and password. That’s going to eliminate the majority of the hackers trying to connect remotely.”
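To make the screen-based challenge concrete, here is an added example of the server side of such a check. It is not code from the guide or from any vendor; the grid size, the number of shaded cells, the one-minute time limit and the in-memory store are assumptions of the example. The grid is rendered into the interactive desktop session, the shaded cells are kept only on the server, and a challenge is bound to one session, expires, and is consumed on the first attempt whether right or wrong, so an intruder holding only a remote shell can neither see the grid nor guess the answer by retrying.

```python
import hmac
import secrets
import time

# Added example, not code from the guide or from any vendor: a server-side
# "which cells are shaded?" challenge of the kind described above.
# Grid size, number of shaded cells and the time limit are assumptions.

GRID_SIZE = 4       # assumed: 4x4 grid, rows A-D, columns 1-4
SHADED_CELLS = 2    # assumed: two cells shaded per challenge
TTL_SECONDS = 60    # assumed: the answer must arrive within a minute


def _label(row, col):
    """Cell label such as 'B3' (row letter, column number)."""
    return f"{chr(ord('A') + row)}{col + 1}"


def render_grid(shaded):
    """Text rendering shown on the user's screen; '#' marks a shaded cell."""
    header = "    " + " ".join(str(c + 1) for c in range(GRID_SIZE))
    rows = [header]
    for r in range(GRID_SIZE):
        cells = " ".join("#" if _label(r, c) in shaded else "." for c in range(GRID_SIZE))
        rows.append(f"{chr(ord('A') + r)}   {cells}")
    return "\n".join(rows)


def issue_challenge(store, session_id, now=None):
    """Create a one-time challenge bound to session_id.

    Returns (challenge_id, rendered_grid). The shaded cells are kept only in
    `store`, a dict standing in for server-side session state.
    """
    now = time.time() if now is None else now
    shaded = set()
    while len(shaded) < SHADED_CELLS:
        shaded.add(_label(secrets.randbelow(GRID_SIZE), secrets.randbelow(GRID_SIZE)))
    challenge_id = secrets.token_urlsafe(16)
    store[challenge_id] = {
        "session": session_id,
        "cells": frozenset(shaded),
        "expires": now + TTL_SECONDS,
    }
    return challenge_id, render_grid(shaded)


def _canonical(labels):
    """Order-independent, fixed-form encoding so the comparison is constant time."""
    return ",".join(sorted(label.strip().upper() for label in labels)).encode()


def verify_answer(store, session_id, challenge_id, answer, now=None):
    """True only if the challenge is live, bound to this session, and the answer
    names exactly the shaded cells. The challenge is consumed on the first
    attempt, right or wrong, so it cannot be brute-forced by retrying."""
    now = time.time() if now is None else now
    challenge = store.pop(challenge_id, None)   # single use: gone after one try
    if challenge is None:
        return False
    if challenge["session"] != session_id or now > challenge["expires"]:
        return False
    answer = list(answer)
    if len(answer) != SHADED_CELLS:
        return False
    return hmac.compare_digest(_canonical(answer), _canonical(challenge["cells"]))
```

In a deployment this check would sit alongside, not instead of, the password and the physical token the quote mentions: the grid only proves that someone is looking at the desktop, and the other factors establish who.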
The difficulty in implementing these types of strong multifactor authentication tools is the cost. One might assume that large multinational corporations would be the ones to invest in this kind of protection, but when you consider that they may have to secure 300,000-plus machines, you can understand why many conclude it is not viable at that scale. Instead, it’s typically mid-sized companies that adopt these methods, Truppi said.
Carefully vet anyone who accesses your network
The Target breach should serve as a cautionary tale for companies that are considering allowing a third party to gain access to their network. Target was breached after it gave a third-party HVAC provider access to its network; that provider’s own security was weak, and the attackers got in using the provider’s credentials.
“The bad guys are going to go after the weakest link and try to use him to get inside,” said Special Agent Clyde Ellis.
Tom Hunt, CTP, AFP’s director of treasury services and a former treasurer for a major manufacturing conglomerate, said that what really struck him about the Target story was how similar the scenario was to the way his former company operated. “Anyone using a vendor/bank payment portal might be subject to similar data access if the portals are part of their broader networks and aren’t segmented accordingly,” he said.
In addition to making sure your vendors’ security controls are up to snuff, it’s also important to look into the vendors themselves. Sarah Schaus, assistant vice president and assistant treasurer for Allianz Life Insurance Company of North America and a member of AFP’s Treasury Advisory Group, said that her team put a system in place that carefully screens its vendors to make sure they’re legitimate. “We search the IRS database to ensure that the TIN number matches what’s on the W-9,” she said. “We use Google to find their address and make sure they’re a legitimate business. We also use two people to set up a new vendor.”
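The vendor screening steps quoted above can also be enforced in software rather than left to procedure. The following is an added example, not Allianz’s or AFP’s code: a small maker-checker vendor master in which one person creates a payee and a different person must approve it, the name/TIN pair is checked against an external lookup at approval time, and payment runs can refuse any vendor that has not passed both steps. The lookup is modelled as a caller-supplied function standing in for the IRS TIN Matching service; its behaviour, the vendor identifiers and the user names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example, not Allianz's or AFP's code: two-person vendor setup plus a
# name/TIN check, enforced in code. The TIN lookup is a caller-supplied
# function standing in for the IRS TIN Matching service (an assumption).


def normalize_tin(tin: str) -> str:
    """Reduce a W-9 TIN (EIN '12-3456789' or SSN '123-45-6789') to nine digits."""
    digits = re.sub(r"\D", "", tin)
    if len(digits) != 9:
        raise ValueError(f"TIN must have nine digits, got {tin!r}")
    return digits


@dataclass
class Vendor:
    name: str
    tin: str                  # normalized nine-digit TIN taken from the W-9
    created_by: str
    approved_by: Optional[str] = None
    status: str = "pending"   # pending -> approved | rejected


class VendorRegistry:
    """Maker-checker vendor master: create() by one user, approve() by another."""

    def __init__(self, tin_matches: Callable[[str, str], bool]):
        # (legal name, nine-digit TIN) -> bool; stands in for IRS TIN Matching
        self._tin_matches = tin_matches
        self.vendors: Dict[str, Vendor] = {}

    def create(self, vendor_id: str, name: str, tin_on_w9: str, user: str) -> Vendor:
        """First person enters the vendor exactly as it appears on the W-9."""
        if vendor_id in self.vendors:
            raise ValueError(f"vendor {vendor_id} already exists")
        vendor = Vendor(name=name, tin=normalize_tin(tin_on_w9), created_by=user)
        self.vendors[vendor_id] = vendor
        return vendor

    def approve(self, vendor_id: str, user: str) -> bool:
        """Second-person approval. Returns True on approval, False on rejection."""
        vendor = self.vendors[vendor_id]
        if vendor.status != "pending":
            raise ValueError(f"vendor {vendor_id} is already {vendor.status}")
        if user == vendor.created_by:
            # The whole point of the control: the creator cannot self-approve.
            raise PermissionError("approver must differ from the user who created the vendor")
        if not self._tin_matches(vendor.name, vendor.tin):
            vendor.status = "rejected"   # name and TIN do not agree with the IRS record
            return False
        vendor.status, vendor.approved_by = "approved", user
        return True

    def payable(self, vendor_id: str) -> bool:
        """Payment runs consult this before releasing funds to a vendor."""
        vendor = self.vendors.get(vendor_id)
        return vendor is not None and vendor.status == "approved"
```

The address check described in the quote is a judgement call rather than a lookup, so it is left to the approver; the registry only makes sure that a second, distinct person has to make that call before any payment can go out.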
Beyond vendor relationships, there are also implications here for mergers and acquisitions. Truppi explained that a lot of big banks put themselves at risk through rapid acquisitions. “They’re acquiring companies and their board just says, ‘Get them in the corporate LAN. Get them sucked in. We don’t care what their security looks like; we need to get them online into our corporate network.’ And that’s a serious, serious problem,” he said.
Given the long, often arduous process of acquiring or merging with a new company, there is absolutely no excuse for not doing your due diligence and carefully vetting the new company’s security practices. “They should at least match whatever you have in place,” said Truppi. “As long as your security requirements are good, of course. I mean, you could be the bad one, right?”
Download Payback: Securing Your Payment Channels, underwritten by MUFG Union Bank, N.A., here.