It’s Cyber Security Awareness Month again. Every October, the ACSC (Australian Cyber Security Centre) reminds us to do due diligence on the basics of good security, from managing email (and dodging those nasty attachments and dubious links) to raising awareness of some ingenious scams.
It’s no surprise that cybercriminals have realised the weakest link in any business’s defences is its people, and they haven’t hesitated to exploit this knowledge. Due to the critical nature of the role it plays, your accounts payable team needs to be more aware – and more protected – than ever.
So, here’s a quick recap on what you can do to raise your cyber defence game.
Cyber fraud can be internal and external, so don’t just focus on the idea of anonymous guys in hoodies sitting in dark rooms. It can be much closer to home.
According to the Association of Certified Fraud Examiners (ACFE) 2022 Report to the Nations, the average organisation loses 5% of its annual revenue to fraud each year and experiences a median loss of $117,000 before the deception is detected. 12% of these frauds are committed by company employees in the accounting department.
Along with other good advice, the online Australian publication Accountants Daily suggests segregating duties as a simple but effective accounts payable control. This can help prevent your employees from using their access and control to perpetrate fraud in the ordinary course of their responsibilities.
Stay password secure
Creating and remembering complex passwords is a pain, as is jumping through the hoops of Multi-factor Authentication (MFA) when you just want to get stuff done. They slow you down and can be outright annoying.
However, common sense dictates that both are necessary in today’s world. The privacy of your private and business data (from contact details to payroll to payables) depends on you and your team.
It’s critical to ensure that all staff members practise good password hygiene, including a unique password for each system. Don’t be amongst the 66% of people who use the same passwords everywhere, for everything – despite knowing it’s poor practice.
Never use a sticky note or notebook to record your passwords – choose and use a reputable password manager solution to generate, store and encrypt them (check out the best for 2022 here).
Ensure your team knows what to look out for. Knowledge is power, but (unlike passwords) only if shared!
Cybercriminals are using increasingly sophisticated social engineering scams to impersonate business executives and vendors and convince accounts employees to make payments to the criminals’ bank accounts. More often than not, an unwary accounts person wouldn’t question an urgent payment request that appears to come from the CEO by email, and would respond quickly and efficiently. As you can imagine, it’s pretty near impossible to recover those funds.
Payments can also be diverted by spoofed vendor emails providing new bank account details or a link to change banking information.
Sadly, we’re not talking about small change here. In one instance, the CFO and CEO of FACC, which supplies parts to Airbus and Boeing, were targeted. A cybercriminal tricked a FACC accounting employee into transferring $87 million – yes, $87 million – to a foreign bank account for a fake purchase. Unsurprisingly, both senior executives were told to clear their desks after FACC concluded the 17-year veteran CEO had “severely violated his duties, in particular in relation to the ‘fake president incident’.”
Stay scammer savvy - automatically
If you’re a Redmap customer, you are already leveraging our AP Automation to minimise the fraudulent approval or mistaken payment of scammer-submitted invoices. So, pat yourself on the back!
With AP Automation, vendor invoices must match company purchase orders, and any that vary from the order or don’t carry an order number enter an exception queue for individual scrutiny.
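As an added illustration, not Redmap’s code or the product’s actual matching rules, here is a small Python version of that purchase-order match with an exception queue. Vendor names, order numbers and bank details are constructed, and comparing the invoice’s bank account against the one held on the vendor record is an assumption about what the record contains.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional

@dataclass(frozen=True)
class PurchaseOrder:
    vendor: str
    amount: Decimal
    bank_account: str  # account held on the vendor master record (assumed field)

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    amount: Decimal
    po_number: Optional[str]
    bank_account: str  # account the invoice asks to be paid into

def triage_invoice(inv: Invoice, orders: Dict[str, PurchaseOrder]) -> List[str]:
    """Return [] if the invoice matches its PO, else the reasons it needs a human review."""
    if not inv.po_number:
        return ["no purchase order number on invoice"]
    po = orders.get(inv.po_number)
    if po is None:
        return [f"purchase order {inv.po_number} does not exist"]
    reasons = []
    if inv.vendor != po.vendor:
        reasons.append(f"vendor {inv.vendor!r} differs from PO vendor {po.vendor!r}")
    if inv.amount != po.amount:
        reasons.append(f"amount {inv.amount} differs from PO amount {po.amount}")
    if inv.bank_account != po.bank_account:  # diverted-payment scam: right vendor, new account
        reasons.append("bank account differs from the vendor master record")
    return reasons

def exception_queue(invoices: List[Invoice], orders: Dict[str, PurchaseOrder]) -> Dict[str, List[str]]:
    """Invoices that cannot be paid automatically, keyed by invoice id with their reasons."""
    return {inv.invoice_id: r for inv in invoices if (r := triage_invoice(inv, orders))}

# Constructed sample data; vendors, order numbers and account numbers are made up.
ON_FILE = "BSB 012-345 / 11111111"
ORDERS = {
    "PO-1001": PurchaseOrder("Acme Widgets", Decimal("1250.00"), ON_FILE),
    "PO-1002": PurchaseOrder("Acme Widgets", Decimal("800.00"), ON_FILE),
}
INVOICES = [
    Invoice("INV-A", "Acme Widgets", Decimal("1250.00"), "PO-1001", ON_FILE),
    Invoice("INV-B", "Acme Widgets", Decimal("800.00"), "PO-1002", "BSB 999-999 / 22222222"),
    Invoice("INV-C", "Acme Widgets", Decimal("87000.00"), None, ON_FILE),
]
```

INV-B is the case the post describes: correct vendor and amount, but a changed bank account, so it is held for a person to confirm with the vendor out of band.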
We blogged on this topic very recently, so if you missed it, check out how Redmap helps you reduce the risk of fraud.
Stay on top of your security software
While it won’t protect you from an insider or social engineering scam, security software is a non-negotiable for any size or type of business.
Essential tools include a next-generation firewall, antivirus software, domain name system (DNS) protection, an endpoint detection and response (EDR) solution, email gateway security, enterprise password management, and threat detection. The list goes on – so talk to your technology partner about what’s needed for your business.
Stay safe out there with these 5 best-practice controls
- Authenticate, authenticate, authenticate. Wherever able, set up Azure AD (Azure Active Directory) / SAML (Security Assertion Markup Language) to authenticate with Redmap.
- Stay current. If using MyRedmap, ensure you have updated to the latest version. As cybercriminals get smarter with their attacks, we get smarter at defending your solution.
- Protect your data. If you have onsite integrations to upload data, ensure they're using TLS 1.2 to connect with our services. Check with us if you're unsure in any way.
- Secure your emails. Talk to your IT providers about setting DKIM/SPF/DMARC records for your email domains, so receiving mail servers can validate the legitimacy of emails and push spam/phishing emails to junk or your trash.
- Don’t share. No reputable organisation – from telco to bank to your favourite AP Automation software partner – will ever ask for your access password. If they do, don’t provide it (or share it with a teammate). Ever.
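An added example, not part of the original post: a Python check that reads SPF and DMARC TXT records (constructed strings for a hypothetical domain, not live DNS lookups) and reports the settings that would still let a spoofed “CEO” or vendor email reach the inbox.

```python
from typing import Dict, List

def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record: str) -> List[str]:
    """Findings for an SPF TXT record; [] means unlisted senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    findings = []
    if qualifier == "+":
        findings.append("SPF ends in '+all': every sender on the internet is authorised")
    elif qualifier == "~":
        findings.append("SPF ends in '~all': softfail only, relies on DMARC being enforced")
    return findings

def assess_dmarc(record: str) -> List[str]:
    """Findings for a DMARC TXT record; [] means p=reject on all mail with reporting."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to junk instead of being rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC pct<100: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to review")
    return findings

# Constructed sample records for a hypothetical domain, not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

DKIM is not checked here because its record lives under a per-selector name that must be known in advance; your provider can confirm which selectors are signing.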
Stay in touch
You can always rest assured that where we do have access to your systems with Redmap-specific accounts, your data is encrypted, and access is controlled. So, you can take that off your ‘to worry about’ list.
But if you’re not sure about any of the other controls we’ve suggested you need to implement, ask us. We’re happy to help.