Treasury and finance departments are all too familiar with cyberattacks that strike their organization’s website or steal data. But a new kind of cyberattack on its way is even more disturbing, warns one expert.
Integrity attacks are cybercrimes where the hacker actually manipulates the organization’s data. That’s what happened in the 2012 cyberattack against Saudi Aramco, the world’s top oil producer that supplies more than 10 percent of global oil demand. This attack resulted in the Saudi Arabian oil and gas giant being forced to throw away 30,000 computers and coming close to taking its oil rigs offline.
The attack on Saudi Aramco “essentially wiped out all of the data infrastructure at the world’s largest company,” said Alec Ross, author and senior advisor for innovation to Hillary Clinton, speaking at the recent EuroFinance International Cash & Treasury Management Conference.
“For the treasury function, what is scariest is the changing nature of cyberattacks,” said Ross, who expects treasury and finance departments will experience integrity attacks within two to three years.
What treasurers can do
Ross advises treasury departments to take action now to prepare themselves for integrity attacks. Some steps to take:
- Get some cyberexpertise on the board. Every board of directors at every company should have at least one individual who really understands cybersecurity.
- Invest in cyberinsurance. Although it may be expensive, it is important for companies to purchase cyberinsurance to mitigate financial losses that come from integrity threats.
- Use offline backups. Most data backups at Fortune 500 companies go to the same internet-based systems that would be the source of the original attack. Thus, the backups can also be attacked. Ross recommends that treasurers speak with their chief innovation officers and chief technology officers and make sure the company has invested in offline backups.
- Understand your own cybersecurity. Quite simply, just as treasurers need adequate financial skills to perform their job functions, they need to be knowledgeable about cybersecurity.
“In the same way in which everybody needs to be able to read a balance sheet, I think everybody who wants to continue to ascend in their career needs to understand the very basics of cybersecurity,” Ross said. “If you run the treasury inside your company, you cannot just say that ‘the CIO or the CTO is in charge of my data integrity, my system’s integrity and my trading system’s integrity.’ You need to spend time with that CIO, CTO or outside consultants and become sufficiently conversant in it, so that if there is a problem, you can actually add value.”