Corporate payment security demands focus on internal fraud
Nomentia’s Jukka Sallinen assesses how to ensure data security of payment processes within an organisation
As more uncertainty arises, data calls for greater protection – particularly whilst cyberattacks, data fraud, and theft are now amongst the top risks in the global risk landscape. Within businesses, cyberattacks remain a threat that must be contained as they present a significant risk for treasurers, causing not only operational damage but also great financial loss for the company. For this reason, it is vital to identify the key risks behind a lack of cybersecurity and how these can be tackled within an organisation.
The targets of cybercriminals range from corporates to government payment infrastructure – but most importantly, fraudsters perceive purchase-to-pay and payment processes as attractive targets as this is where cash flows out of the business. According to HLB’s 2020 Cybersecurity Report, 53 percent of organisations have seen an increase in suspicious activity that could lead to a breach this year, while 57 percent admitted their security procedures were not prepared for a working-from-home environment.
Over time, fraudsters have developed sophisticated attacks which demand even more awareness. Cybercriminals now identify and stalk potential targets, learn the weaknesses of victims, and then develop a plot – a technique called ‘whaling.’ Above all, corporate payment security does not only imply preventing cyberattacks and external fraud – but also requires averting internal fraud – which accounts for most of the attacks within an organisation.
In fact, fraud and theft are more likely to be committed by an internal actor than by an external fraudster, meaning businesses fail to adopt a holistic view of the payment process.
A survey conducted by PwC revealed that 78 percent of companies said they had been victims of payment fraud – highlighting that organisations do not take enough measures to tackle fraud. Often, businesses tighten their payment approval policies, but this still leaves a loophole for fraudsters.
Organisations that fail to recognise the risk of internal fraud put themselves in vulnerable positions, particularly as senior and middle management represents the largest source of internal fraud. Mitigating the risk of both external and internal payment fraud is therefore crucial for a company’s data safety.
Internal risks include fake vendors, supplier kickbacks, or travel falsification. External risks, however, include fake invoicing, social engineering, or frauds such as CFO attacks.
The survey led by PwC found that 10 percent of companies have not performed any risk assessments in the past two years. Businesses should nevertheless consider payment security a top priority whilst adopting a proactive approach.
Key measures for organisations to increase their payment security include:
Principles for secure user right management also include:
When looking to secure their data, more and more organisations are adopting cloud systems due to their cost efficiency and convenience. This also provides businesses with flexible integrations.
Automation will enable a business to identify threats at an early stage, but cooperation within an organisation remains at the core of payments security. Businesses constantly face significant risks with the safety of their data, meaning a holistic view of payment security is necessary.
Technology, people, but also corporate values are at the epicentre of data protection – risk mitigation requires more than one measure to be taken. It’s about building a culture of security within an organisation to ensure cooperation between employees, which will make it significantly more difficult for criminals to gain access to systems.