Cyber Expert Highlights Gaps After Treasury Hack, Urges Stronger Security Controls

April 25, 2026

Cybersecurity expert Asela Waidyalankara says that technical safeguards exist to prevent incidents like the recent cyberattack involving a USD 2.5 million Treasury payment, stressing that stronger controls could have minimised the impact.

He explained that the method used in the attack is known as Business Email Compromise (BEC), a tactic commonly seen in the private sector, where hackers intercept communications and redirect financial transactions.

According to Waidyalankara, Sri Lanka’s banking sector has largely avoided such incidents due to strict cybersecurity requirements enforced by the Central Bank of Sri Lanka, including compliance with ISO 27001, an international standard for information security management.

He noted that if similar safeguards had been implemented in institutions handling public finances—such as the Treasury—the risks associated with such cyberattacks could have been significantly reduced.

Waidyalankara explained that BEC attacks typically involve intercepting invoices sent between organisations, altering payment details, and diverting funds to fraudulent accounts.

“The Business Email Compromise method was used in this attack. This is a common issue in the private sector. Hackers intercept invoices, change account details, and redirect payments. The concern here is that this involved a financial transaction within a government institution,” he said.

He further emphasised that effective mitigation depends on proper use of available tools, including updated and securely maintained email systems, timely software patching, and strong internal oversight mechanisms.

Waidyalankara also pointed to structural weaknesses in cybersecurity management within institutions, noting that unlike banks—which undergo annual external audits under ISO 27001—similar standards may not be consistently applied across all government entities.

“While ISO 27001 does not guarantee immunity from cyberattacks, it provides a framework to minimise risks,” he said, adding that institutions managing national finances should adopt comparable controls.

He concluded that the scale and responsibility of the General Treasury demand robust cybersecurity frameworks, noting that stronger governance and adherence to established standards could help prevent similar incidents in the future.
