With a threefold increase in the number of corporates who had been hit by a ransomware attack in the last year compared to a year prior, corporate treasurers have been forced to swallow the large, uncomfortable pill of the threat of cyberattacks and fraud on their organizations in a short amount of time.
But Strategic Treasurer, which highlighted that statistic in its latest Treasury Fraud & Controls survey report sponsored by Bottomline Technologies, found an impressively high level of optimism among corporate treasurers with regard to their outlook on cybersecurity – perhaps too high, said Craig Jeffery, founder and managing partner at Strategic Treasurer.
"Even though people feel better, I don't think we should be as optimistic with the progress that we made," he told PYMNTS in a recent interview. "There is a lot more to be done."
In a survey of treasurers, cash management professionals, CFOs and other professionals in the treasury department, researchers found that nearly two-thirds of respondents (61 percent) feel they are in a better position this year to combat fraud within their organizations compared to last year. While most agreed that the threat of fraud has increased, Strategic Treasurer found that treasurers and their teams are increasing investment in cybersecurity and anti-fraud measures, including security controls, cyber fraud insurance, transaction controls and cybersecurity technologies.
Jeffery said he is "pretty happy" with the finding that treasurers are investing in security, and that many will continue to do so in the coming two to three years, particularly as they implement new systems and tools, like faster payments, that demand a more sophisticated approach to security.
Despite the progress, he noted that corporate treasury departments may not be nearly as prepared or safeguarded as they think. That's because fraudsters and cybercriminals are often steps ahead of their targets in terms of technology and strategy.
"The number of fraud attempts is massive," said Jeffery. "It's really high, and increasing, because it's so automated. Criminals continue to escalate their attacks, and the defense has grown, but you have to more than match what criminals are doing to gain back control."
Treasury professionals surveyed by Strategic Treasurer aren't strangers to these threats, it seems. According to the report, 29 percent that have experienced a system-level wire fraud attack have suffered a loss as a result. Nearly a fifth that experienced check fraud suffered a loss, and one-third of firms that were targeted by fraud said it came from a completely unknown source.
And yet, these professionals are widely confident in their cyber-defenses.
According to Jeffery, rising automation of cybercrime means businesses are often outpaced by criminals. Fraudsters can automate the process by which they infiltrate email accounts and learn to speak like a CEO or CFO to initiate a fraudulent wire transfer, a scam known as the business email compromise (BEC). They can scan dozens of files per second if they gain access to corporate systems, deploy Ransomware-as-a-Service tools and target multiple treasury and accounts payable departments at once.
"Criminals get a lot of feelers out there, a lot of fishing poles," said Jeffery.
He pointed to the report's finding that, just before the high-profile WannaCry ransomware attack occurred in 2017, only about 8 percent of businesses said they had experienced a ransomware attempt. Today, that figure is nearly 25 percent.
"That's a pretty rapid rise," said Jeffery. "That doesn't happen organically – it happens through automation."
Businesses may also be struggling to focus on the right threats when it comes to security. Jeffery noted that he's not as concerned about the business email compromise today as he is about other crimes like account takeovers, as success rates rise for these criminal activities. More than a fifth of companies said they cannot detect ACH or wire fraud before it leaves their companies. More commonly, these fraudulent transactions are only caught the day they post to the company's bank account (the same goes for check fraud, the report found).
Don't Leave It up to the Bank
One report finding that Jeffrey said stood out for him was the disparity between security strategies at corporates and at their financial service providers.
"What surprises me is how much more work needs to be done by corporations versus the banks," he said. "Banks are where the money sits, so they're more prepared. They have specific accountability for tracking and monitoring types of fraud. We expect that. But we also expect corporations to mirror that."
Three-quarters of banks say they have developed a "formal treasury fraud control framework," the report found, compared to just 29 percent of corporates. Instead, more than a third of corporate treasurers said their fraud and controls frameworks are more informal.
The particular area of security training and testing demonstrates this disparity, he added, noting that banks are more likely than corporates to have both formal systems testing and personnel training in place. Yet, as Strategic Treasurer warned in its report, much of the $120 million levied in fines last year by the Office of Foreign Assets Control were issued against companies, not banks.
"Training for attacks is not necessarily as comprehensive [as banks]," said Jeffery. "Some see it from more of an IT view, not necessarily a treasury or payables view. That's a massive gap that needs to be closed."
While corporate treasurers are optimistic today, Jeffery warned that these professionals may want to step back and reassess how positive they feel about their defenses.
"People aren't necessarily doing anomaly detection to determine if someone has accessed 50 records a minute," he said. "I'll be optimistic when I see more companies systematically monitoring things to detect anomalous activity earlier. If you reconcile your accounts every day, if you have standards in place, if people are systematically looking for things and their mindset is more prepared, we will be in a better place."