In the world of Information Security, or InfoSec, the three ingredients that constitute the CIA triad, confidentiality, integrity and availability, are considered absolutely essential for safeguarding data assets. In fact, whenever any type of data breach occurs, it is almost always a failure in one of these three essential ingredients.
Whilst the CIA triad is well-known within InfoSec circles, it is equally applicable in Accounts Payable. After all, Accounts Payable teams are responsible for safeguarding considerable data assets. These include information on the company’s finances, supplier data and all outgoing payments. A breach of any of this data can open the way for cyber-criminals to defraud an organisation through invoice redirection scams, including Business Email Compromise (BEC) attacks.
Whenever a data asset needs to be safeguarded, it is absolutely essential that the data be kept private, with access restricted on a need-to-know basis. This principle sits at the heart of confidentiality.
By restricting access to sensitive Accounts Payable data, it is possible to limit the chances of that data being manipulated. Furthermore, in the event that the data is manipulated, it will be easier to trace back how the manipulation occurred, potentially identifying the culprit.
To protect the confidentiality of Accounts Payable data, it is essential that access to systems and files be carefully controlled. Any individual accessing such data should be required to authenticate. Privileges should also be restricted based on the extent of access an individual requires. Some individuals may have read-only access to confidential data, whilst others are granted the ability to write, i.e. enter and change data.
Data access controls should align with an organisation’s Segregation of Duties policies. For example, if one member of the Accounts Payable team is responsible for entering data from invoices into the ERP system, they clearly need write access. However, another member of the team may be tasked with 3-way matching, in which case read-only access may be sufficient.
Every Accounts Payable department should have clearly established policies for accessing data. Implementing the right data access policies will help ensure your data assets remain confidential.
There may be data residing in an organisation’s ERP or Vendor Master File. But can that data be trusted?
Data integrity is all about knowing whether data is complete, up-to-date and accurate. For an Accounts Payable team, data integrity is critically important. Before paying a supplier’s invoice, it is essential to know with certainty that the data is genuine.
In a world of escalating cyber-crime, no Accounts Payable team can afford to cut corners when it comes to data integrity.
Data integrity requires safeguarding information as it is acquired, transferred, handled and stored.
For example, supplier banking data is acquired through emailed invoices. This requires secure email systems. Data from the invoice is then transferred into the ERP or Vendor Master File. Segregation of Duties can help ensure this process is accurate. Various members of the Accounts Payable team may need to handle the data, requiring careful consideration of access rights. Finally, data at rest should be encrypted to ensure it cannot be tampered with in storage.
Clearly, there are many considerations when it comes to guaranteeing the integrity of data throughout its lifecycle.
The integrity of data can be undermined by cyber-attackers, or due to human error. However, with the right controls at every stage of the data lifecycle, it is possible to ensure a high degree of integrity for Accounts Payable data.
Data is of little value if it is not readily available. For data assets to be available, they need to be accessible to authorised individuals from the right location, at the right time and in the right format.
To achieve data availability, both the hardware and software systems that are integral throughout the data lifecycle must be operational. For Accounts Payable teams, this usually means work-critical applications such as an ERP, Vendor Master File, online banking portal or email client, all need to be functioning as intended. Hardware issues, such as server disruptions, can also impact availability.
Increasingly sophisticated invoice redirection scams can see cyber-criminals targeting email clients to launch BEC attacks. This can disrupt access to mailboxes, impacting data availability, e.g. by preventing suppliers sending invoices by email.
For Accounts Payable teams, it is critical to work in close coordination with IT and cyber-security departments to ensure that all necessary hardware and software systems are as secure as possible.
Safeguarding data is critically important for any Accounts Payable department. Without adequate data security, organisations can find themselves increasingly vulnerable to a range of cyber-attacks and fraud attempts.
Following the CIA triad offers a valuable model for any CFO or Accounts Payable manager seeking to ensure their department is following industry best-practice methodologies.
With eftsure’s automated approach, aligning with the CIA triad is made considerably easier.
Not only does eftsure align with an organisation’s Segregation of Duties, helping ensure data remains confidential, but it also represents the gold-standard in achieving data integrity. By continuously verifying supplier banking data against our database of over 2 million Australian organisations each time an EFT payment is transferred, eftsure provides a level of integrity that is practically impossible to achieve any other way.
To learn how eftsure is helping Accounts Payable departments across Australia safeguard their critical data, and how your organisation can also achieve CIA triad alignment, contact us today.