| 13-10-2021 | treasuryXL | Nomentia |
One would think data protection and security measures are baked into our identity as digital people, especially in a year where we are working remote more than ever. But is it though? The breaches show that security is too often seen as something to kind of ‘wing it’. And there is an eternal question whether the best way to a secure IT environment is to educate the employees to make the right decisions or to put measures into place.
We personally believe that security and combatting Fraud is a combination of people, processes, and tools. Security literacy is a skill everyone should have and constantly develop, and companies can further support this by making use of tools such as multi-factor authentication to mitigate risks and implementing processes to keep their corporate environments safe. We think security deserves a 360 degrees view in an organization that is implemented throughout their solution landscape.
Login & User access control
This is a simple thing organisations can implement either with Single-Sign-On and/or multi-factor authentication. Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user logins. A user is only granted access after successfully passing all authentication phases. The different factors are based off of different things as opposed to a simple password which bears some vulnerability. The first authentication phase is based on knowledge. A person needs to know their username and password, and this can also be initiated through single sign on with corporate credentials for a further security increase. The second authentication phase is based on possession. A person must possess and have access to a mobile phone to for example receive a code per text message or a phone call to double authenticate the log-in.
In practice this means, even if a username and password get compromised, cyber criminals will still not be able to login to the account protected with multi-factor authentication. And neither does a stolen mobile phone as both phases are required for a successful login.
One of the potential downsides to multi-factor authentication is that it adds one extra step in the process. And I can admit myself, every time I am going through the process of logging into our internal tools, we are sometimes a bit impatient while waiting for the text message. But it’s a small trade-off for security. Especially since single-sign on also adds convenience.
Single sign on means that people can log into systems with their corporate credentials and just speed up the process on that end. It’s fast and adds an additional security layer which is extremely powerful if paired with MFA.
This is a crucial part in terms of security. We believe that monolithic enterprise platforms are dead and best-of-breed solutions that are highly integrated are the future. This best-of breed approach however also ads emphasis on the need to ensure the integrations are safe. Which data is travelling via which channels from where to where? How is the data in transit being secured from theft and man-in-the-middle attacks?
The first step is to map out all needed integrations and systems and create a use case scenario and based on this define the needed setup. For instance, in the context of cash management you might for instance end up protecting payment information with a higher security standards than a simple accounts payable extract that is used to cash forecasting only. The key is to have a companywide and regularly maintained risk analysis process that recognizes risky areas, measures the levels of set controls (preferably audited by external experts) and constantly comes up with better and better controls.
User access control
Understanding and carefully designing which user has access to which data and processes is not bullying your employees but is a crucial step in setting processes in place that further support security. In our case, our customers need to answer questions such as: which user can approve payments, who can add a new account number to the system, who can manipulate user rights, who can make a manual payment, or who can view balance information from banks and the likes.
Infrastructure and Platforms
Making sure that you run your IT infrastructure and solutions on secure platforms is a crucial control point. One would think that in this day and age that shouldn’t be a question anymore, yet we would recommend checking this anyway. How is the user access to databases and servers or other backend artifacts controlled? Are your administrators using multi-factor authentication? Have you segregated the so-called privileged access and user accounts? Do you keep a list of such accounts? Do you collect logs from your systems and store them securely?
Many industry standards come handy here. For us relevant standards are for instance ISO 27001 and ISAE 3402 auditing framework. In our domain particularly relevant is SWIFT Customer Security Program (CSP) which is a security framework developed and derived for financial industry from such international standards such as NIST and PCI DSS. All these standards should not be considered just as acronyms but a toolbox that can help you to build a company culture that takes security seriously in every step and by every employee in every role.
Security comes from within
Above are the steps that each organization can take to ensure that their set-up is secure. Let’s face it, there is no such thing as absolute security. But by establishing a strong security culture in your organization we believe you can make it really hard for criminals to gain access to our systems.
If you want to reach have an assessment of your security measures in terms of people, processes and tools for your cash management, please get in touch with us and we will assess your set-up and provide you options how you can further tighten your security. Cash is king, but hopefully a well-protected king.