I sat down (virtually, of course) with the host, strategic treasurer, Craig Jeffrey, and had an insightful discussion about cybersecurity for payments and financials, fraud tactics and trends, system and infrastructure vulnerabilities, and the advanced solutions that can be used to verify suppliers and prevent payment fraud.
In this post, I’d like to share some of the highlights and key takeaways from the podcast.
Let’s take a look.
The impact of Covid on payments protection
We started out by taking a look at the impact Covid has made on organizations in their attempt to protect corporate payments against cyberfraud.
According to a survey by the Treasury Coalition, respondents had reported a 36% increase in fraud attempts since the outbreak of the pandemic. And such attempts are being made on companies of all sizes, but especially on those with revenues at more than a billion dollars, coming in at 87% of those that are being targeted.
As we can see, the burden to protect has dramatically increased in the age of pandemic.
Though, it’s also important to note that the challenge of payments protection had been around long before Covid, primarily because the relevant processes are manual and lack standardization.
And, now with so many people working from home in greatly varying technology environments, it’s become harder than ever for finance professionals to protect the company’s payments while ensuring finance-related business continuity.
The opportunity for cyberfraudsters to attack and succeed has never been greater. There are so many new vulnerabilities now that have been exposed. An attack can happen during the supplier onboarding process, it can happen when business or bank account information change requests come in, when the data is “at rest” on your ERP system and during the payment process.
With people working from home – each of these processes introduces a new set of questions that many are not sure how to answer. For example, when needing to verify bank details whether for a new supplier or one that is requesting bank details change, employees are asking themselves: “Who is it at the payee organization that I can call to verify details”? Because, making calls or sending emails is typically part of the verification process.
But people are not in the office, and not answering the phone. It’s not clear how these verifications can be made. It’s become too difficult to find the right person to speak with and to be confident that reliable information is being provided. So, quite often, the requisite procedures are not being adhered to.
Yes, this has always been a challenge, and – consequently – a vulnerability in the verification process. But since Covid it’s become so much worse.
Using technology as a weapon
It’s not just about the unavailability of relevant stakeholders, it’s also about language and time zone barriers. And, to make things even more complicated, fraudsters are more and more using advanced technologies such as AI based voice cloning to dupe unsuspecting employees into authorizing payments to their own fraudulent accounts.
There’s also the issue of the new vulnerabilities in the technology and communications infrastructure of work-from-home employees. People are using their home WiFi to connect to work-related systems. And these networks are not secure like those in the office. Moreover, people are using personal devices more these days to perform work related tasks, further deepening the vulnerabilities.
There are numbers from the industry that show how great the risk has become. In a discussion I had recently with our partners at KPMG they have shared that according to their research employees are now five times more likely to click on malicious links.
Though it’s not just unintended activities by employees that serve as a threat. Insider fraud is also growing, with the 2020 Cost of Insider Threats global report published by the Ponemon Institute and sponsored by IBM indicating a 31% increase over the past 2 years. Moreover, the 2020 Global Economic Crime and Fraud Survey published by PwC indicates nearly 50% of reported incidences resulting in losses of US$100 million or more were committed by insiders.
There is no doubt, the challenge is great. But no company can afford to ignore the payments protection mandate.
My father used to say that hope is not a strategy. Organizations can’t bank on being lucky forever. Eventually the statistics will catch up with them. As they say, there are two types of companies – those that have been hit by a cyberattack, and those that are going to be.
The 3 pillars of payment protection
This is why it’s so important to make sure that there are three key payments protection pillars in place. The first is collaboration around infrastructure security. That is, it is critical for the IT and security teams to collaborate with the finance teams on ensuring payments protection in general and specifically while considering that working from home at least part of the time is a new working model that is expected to stay with us for the long run. This is not exclusively an IT issue, nor exclusively a finance issue either. It’s about both..
The second pillar is implementing best practice processes. You must identify key processes, redefine a new baseline and publish via ongoing training. And the third is to introduce technology and automation to payment related processes, instead of relying solely on manual, error-prone controls. This should include supplier onboarding and account validation, as well as payment validation processes.
No time like the present
After all we discussed, and you’re invited to check out the full podcast for more details, you could say that the bottom line is that it’s never been a better time to invest in the processes and technologies that will help you protect your payments.