The recent global ransomware attack made headlines, particularly in the UK, because it attacked the country’s National Health Service, potentially putting lives at risk. But the real takeaway for commercial organisations is simple: Take cyber-security seriously, at all levels. And treasury is a key target.
The attack was hardly a surprise. Ransomware has been the cyber-attack of choice for at least a year now, as sophisticated malware producers focus on creating ever more profitable business models. In the case of ransomware, what are effectively cyber-criminal corporations (complete with R&D budgets and customer helpdesks) create the underlying malware and then sell on or franchise out those kits, to as many people as possible via the Dark Net. They then collect a percentage of the profits of that network, not only minimising the amount of work they need to do but also creating one more layer between themselves and the actual crime. It has been estimated that a single buyer of a ransomware package can make up to $30,000 a month until the exploit is shut down. This gives some idea of the likely profits for the original malware producer.
Nor is it a surprise that the attack was delivered through email and attachments – more than 90% of all compromises start with a simple phishing campaign. As for the revelation that, at least in the case of the UK’s NHS, the compromised organisation was still reliant on Windows XP, an operating system at least 4 versions off the current standard and unsupported by its creator for years, that is little short of a disgrace.
For treasurers this should be a wake-up call. It shows that you cannot trust the centre to protect you or your critical systems.
Why? Two reasons:
First – as this attack shows – IT is overwhelmed. Even given the latest software, providing basic patch security is a huge problem across large organisations. Every patch needs to be tested against existing applications and then rolled out. There are patches for operating systems, hardware and applications issued daily. Patch management and other basic IT processes will continue to fail regardless of corporate competence.
Second, far too few boards are taking cyber-security seriously despite years of warnings. Yes, many have executed “awareness” programmes for staff, put up posters and hired external companies for training. But too few have hired a CISO and those that have rarely give them the power, budget or access to senior management they need to make a difference – which is why they so often leave after a year or so of frustration. They find out quickly that they’ve been hired as window dressing.
Companies need to spend the money and management time commensurate with the business risk. Earlier this year, a Deloitte study revealed that only five per cent of FTSE 100 companies have disclosed having a director responsible for cyber risks, despite 9 in 10 of them having identified “one or more” elements of cyber risk in their disclosures. Only half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report, and only half of those disclosed that these plans had been simulated in test scenarios over the year. It’s not good enough, although companies can be forgiven for wondering who they should buy security products from when some of the biggest providers are also, unwittingly, the source of so many problems. Treasury is especially vulnerable because it is at the forefront of digital transformation – a process itself fraught with security risks. New connectivity solutions and the desire to take advantage of big data analytics create yet another layer of (often third-party) security risks. It was only in mid-March, for example, that security researchers at Onapsis uncovered a zero-day security flaw in SAP’s HANA database platform that would have allowed hackers to compromise vulnerable database systems without the need for valid usernames and passwords. The cyber security flaws, patched by SAP before any damage was done, include two SQL injection vulnerabilities and a flaw that allowed authenticated users to access information without the required privileges.
So what should treasurers be doing? First, they must take control of their own departmental email vulnerability. Email attachments are almost exclusively the vehicle through which ransomware and other malware is delivered, as well as targeted business email compromise attacks that directly threaten staff with the authority to make significant payments.
The most important responses revolve around attachments: should the department simply disallow all email attachments? Would the use of virtual machines be feasible? How can critical treasury systems be isolated from internal and third-party systems connected to the internet? Consultants and vendors will say that these represent retrograde steps – a move away from progress. And they’re correct. Restricting the use of technology and creating air gaps between internal systems and the internet is not ideal. There are email security solutions, but they cannot provide a 100% guarantee of security because they all allow infected attachments to reach the desktop, where you and I can still mistakenly open them. So until treasurers can be sure that their corporate systems and their Cloud providers can protect them, they have little choice but to follow the recent example of an Austrian hotel. The hotel had recently installed a new key card system. It was duly hacked and encrypted so that the doors could not be opened or, if open, locked. The hotel’s solution? Re-fit the old physical locks and keys.
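To make the attachment question concrete, here is an added example (not from the original article, and not any vendor's product) of the kind of departmental attachment policy a treasury mailbox could enforce before a message reaches the desktop: it parses an inbound message, looks at each attachment's name, double extension and leading bytes, and returns reject, hold or deliver. The blocked-extension list, the sender and recipient addresses and the sample messages are all constructed for illustration.

```python
"""Attachment policy filter for a treasury mailbox (added example).

Inspects each MIME attachment of an inbound message and returns a verdict.
Everything here (extension lists, addresses, sample messages) is constructed
for illustration and should be tuned to the department's own policy.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
import os

# File types the example policy refuses outright (constructed list).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat", ".cmd", ".ps1",
    ".docm", ".xlsm", ".pptm",  # macro-enabled Office documents
}
# Archives are held for manual review rather than delivered straight to the desk.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso"}
# Leading bytes of a Windows executable ("MZ" header).
PE_MAGIC = b"MZ"


def classify_attachment(filename: str, payload: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    name = (filename or "").lower()
    root, ext = os.path.splitext(name)
    # A double extension such as invoice.pdf.exe is a classic disguise.
    inner_ext = os.path.splitext(root)[1]
    if ext in BLOCKED_EXTENSIONS or inner_ext in BLOCKED_EXTENSIONS:
        return "block"
    # Content sniffing catches an executable renamed to look like a document.
    if payload[:2] == PE_MAGIC:
        return "block"
    if ext in ARCHIVE_EXTENSIONS:
        return "quarantine"
    return "allow"


def evaluate_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide what to do with the whole mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        verdicts[filename] = classify_attachment(filename, payload)
    if "block" in verdicts.values():
        action = "reject"      # never reaches the desktop
    elif "quarantine" in verdicts.values():
        action = "hold"        # released only after review
    else:
        action = "deliver"
    return {"action": action, "attachments": verdicts}


def build_message(attachments) -> bytes:
    """Construct a sample inbound message (test fixture, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.invalid"   # constructed address
    msg["To"] = "treasury@example.invalid"     # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    for filename, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "macro document": [("Q2-invoice.docm", b"PK\x03\x04", "application",
                            "vnd.ms-word.document.macroEnabled.12")],
        "renamed executable": [("statement.pdf", b"MZ\x90\x00", "application", "pdf")],
        "plain pdf": [("statement.pdf", b"%PDF-1.4 data", "application", "pdf")],
    }
    for label, parts in samples.items():
        print(label, "->", evaluate_message(build_message(parts)))
```

The content check matters as much as the extension check: a filter that trusts the file name alone is exactly the kind of "email solution" the article warns still lets infected attachments through.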
Come and meet experts and providers in cyber security at EuroFinance’s annual flagship treasury event in Barcelona this year on 4-6 October 2017