As an IT guy, I am always worried about security. Recently I have seen an increase in cyber attacks against companies. In Finland, a private psychotherapy center has been hit by a ransomware attack, and in Germany, a software company has experienced a similar kind of attack. This made me think of taking the topic of security up in this blog post. I think we can agree that a companies cash is pretty high on the list of things that need to be protected from outside intrusion.
Ransomware attacks in short work in such a way that a criminal gains access to an organization's data and removes their access. Then blackmails the organization to pay for the data to get it back. Often there is also a threat of publishing information online.
A 360-degree view on information security
It's 2020, or even almost 2021 and one would think that security is baked into all decisions we are making. One would think data protection and security measures are baked into our identity as digital people, especially in a year where we are working remotely more than ever.
But is it though? The breaches show that security is too often seen as something to kind of 'wing it'. And there is an eternal question whether the best way to a secure IT environment is to educate the employees to make the right decisions or to put measures into place. I personally believe that security and combatting fraud is a combination of people, processes and tools. Security literacy is a skill everyone should have and constantly develop and companies can further support this by making use of tools such as multi-factor authentication to mitigate risks and implementing processes to keep their corporate environments safe.
I think security deserves a 360 degrees view in an organization that is implemented throughout their solution landscape.
Login & User access control
This is a simple thing organization can implement either with Single-Sign-On and/or multi-factor authentication. Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user logins. A user is only granted access after successfully passing all authentication phases. The different factors are based on different things as opposed to a simple password which bears some vulnerability. The first authentication phase is based on knowledge. A person needs to know their user name and password and this can also be initiated through single-sign-on with corporate credentials for a further security increase. The second authentication phase is based on possession. A person must possess and have access to a mobile phone to for example receive a code per text message or a phone call to double authenticate the log-in.
In practice, this means, even if a user name and password get compromised, cybercriminals will still not be able to log in to the account protected with multi-factor authentication. And neither does a stolen mobile phone as both phases are required for a successful login.
One of the potential downsides to multi-factor authentication is that it adds one extra step in the process. And I can admit myself, every time I am going through the process of logging into our internal tools, I am sometimes a bit impatient while waiting for the text message. But it's a small trade-off for security. Especially since single-sign-on also adds convenience.
Single sign-on means that people can log into systems with their corporate credentials and just speed up the process on that end. It's fast and adds an additional security layer which is extremely powerful if paired with MFA.
This is a crucial part in terms of security. I believe that monolithic enterprise platforms are dead and best-of-breed solutions that are highly integrated are the future. This best-of-breed approach however also ads emphasis on the need to ensure the integrations are safe. Which data is traveling via which channels from where to where? How is the data in transit being secured from theft and man-in-the-middle attacks?
The first step is to map out all needed integrations and systems and create a use case scenario and based on this define the needed setup. For instance, in the context of cash management, you might for instance end up protecting payment information with higher security standards than a simple accounts payable extract that is used to cash forecasting only. The key is to have a company-wide and regularly maintained risk analysis process that recognizes risky areas, measures the levels of set controls (preferably audited by external experts), and constantly comes up with better and better controls.
User access control
Understanding and carefully designing which user has access to which data and processes is not bullying your employees but is a crucial step in setting processes in place that further support security. In our case, our customers need to answer questions such as: which user can approve payments, who can add a new account number to the system, who can manipulate user rights, who can make a manual payment, or who can view balance information from banks and the likes.
I would like to encourage our customers to have a look at this free-of-charge access control matrix. It is a great tool to view and audit what is considered good practice in payment approval by many corporates. You can use the matrix as a guide to implementing similar processes in your organization.
Infrastructure and Platforms
Making sure that you run your IT infrastructure and solutions on secure platforms is a crucial control point. One would think that in this day and age that shouldn't be a question anymore, yet I would recommend checking this anyway. How is the user access to databases and servers or other backend artifacts controlled? Are your administrators using multi-factor authentication? Have you segregated the so-called privileged access and user accounts? Do you keep a list of such accounts? Do you collect logs from your systems and store them securely?
Many industry standards come in handy here. For us, relevant standards are for instance ISO 27001 and ISAE 3402 auditing framework. In our domain particularly relevant is SWIFT Customer Security Program (CSP) which is a security framework developed and derived for the financial industry from such international standards as NIST and PCI DSS. All these standards should not be considered just as acronyms but a toolbox that can help you to build a company culture that takes security seriously in every step and by every employee in every role.
Security comes from within
These are some of the steps and measures that organizations can take. But while this is coming from me, an IT guy, I will almost go so far ahead and echo the statement from my colleague, Jukka Estola, that really, no software can save you. Above are the steps that each organization can take to ensure that their setup is secure. Let's face it, there is no such thing as absolute security. But by establishing a strong security culture in your organization I believe you can make it really hard for criminals to gain access to our systems.
If you want to reach have an assessment of your security measures in terms of people, processes, and tools for your cash management, please get in touch with us and we will assess your setup and provide you options on how you can further tighten your security. Cash is king, but hopefully a well-protected king.