Remote Work and Securing Your AP Function
Here we are again. Many of us thought lockdowns were behind us. Unfortunately, this pandemic had other plans. Once again, workers across Australia have packed their laptops and headed home to resume remote work.
Managing a remote Accounts Payable (AP) function comes with a myriad of challenges, first among them is an increased risk of both external and internal fraud.
In this blog, we will explore what you need to be looking out for, and how you can keep your organisation secure.
External Fraud and Remote Work
According to a recent KPMG survey, 65% of Australian businesses say the risk of fraud increases with remote working.
Remote working is set to be a permanent feature for many Australian organisations, both due to the pandemic, as well as the need to offer employees flexible work-life balance arrangements. Managing the increased risk of external fraud is set to be an ongoing challenge for many organisations for the foreseeable future.
Every organisation should be embracing appropriate systems and technologies to help mitigate the risk of:
Business Identity Theft
Many of us are aware of the risks posed by personal identity theft. Criminals routinely attempt to steal information they can use to fraudulently obtain loans or credit cards in the names of unsuspecting victims.
Increasingly, criminals are also seeking to compromise corporate information to defraud organisations in similar ways. When successful, these attacks can result in seriously impact cash flow, damage your brand reputation and even negatively impact your credit score.
Some of the other consequences organisations routinely face when confronted with business identity theft include:
- Costly Legal Action: Launching civil action against perpetrators can be lengthy and costly. Even if loans or credit cards incorrectly issued in your name are nullified by issuing financial institutions, attempting to recover additional costs incurred due to impacted cash flow can be an incredibly difficult and expensive process.
- Digital Forensics: The services of highly experienced digital forensics investigators may be necessary to identify precisely how the theft took place and to compile the evidence required to litigate. This may also be required for your organisation to meet its obligations under the Notifiable Data Breach Scheme, such as reporting breaches to affected individuals.
- Business Continuity Impacted: When impacted by identity theft, many businesses may need to shutdown systems for days, weeks or potentially months, until the breach is fully understood. Keeping systems live before you know the full extent of any breach may expose you to additional theft. Sometimes, identity theft occurs at the same time as a ransomware attack, so you need to act with a high degree of caution. This can lead to long-term ramifications, the loss of customers, market share and potentially result in permanent damage to your organisation.
- Reduced Efficiency: During the downtime, your employees will not be able to continue working as normal. This loss of efficiency can set back business activities by many months.
- Data Recovery: When any organisation experiences significant data theft, the cost of recovering the lost data can be very high. If data recovery is even possible, it will likely need the assistance of experts.
- Corporate Reputation: It’s one thing to quantify the direct costs of identity theft. However, quantifying the costs associated with damaged reputation is another matter entirely. Public companies may experience a significant drop in their valuation and share price. Owners of private companies may find themselves unable to sell their business, attract investors or raise capital.
- Management Failure: When an organisation faces identity theft, shareholders may lose confidence in the management and executive teams. This may lead to management being replaced and may see employees being sued for the loss if they were deemed to be negligent or there was dereliction of duties.
- Opportunity Costs: The distraction that follows an instance of identity theft means the organisation is not focused on normal strategic work, resulting in missed opportunities for growth and expansion.
Invoice and Payments Fraud
Invoice or payments fraud is another external risk that rises exponentially as staff work remotely.
Sophisticated syndicates of fraudsters use a variety of tactics to deceive AP staff into making payments to bank accounts under their control. Most commonly, this takes the form of Business Email Compromise (BEC) attacks.
- Deception: Using tactics such as phishing, fraudsters are known to gain access to email accounts used by both an organisation’s suppliers, as well as its senior executives, such as the CEO or CFO. By sending fake emails to AP staff, they seek to deceive them into paying invoices to the fraudster’s bank account. With staff working remotely, and with internal communications disrupted, it may be easier to successfully deceive staff who cannot easily determine the veracity of emails. Telephone verifications can also be more challenging, as suppliers and executives are often also working remotely.
- Hacking: Rather than seeking to deceive staff into sending payments to the wrong bank account, fraudsters may hack into an organisation’s systems in order to manipulate the data in ERPs, Master Vendor Files, or the text-based ABA files that are used to upload payments to online banking portals. With staff working remotely, they may be using personal devices to do work. They may also be accessing systems using home Wi-Fi routers that don’t have the same security features as enterprise routers. This can leave your organisation’s perimeter vulnerable to penetration by malicious actors. Remote working staff may also be more prone to click on suspicious emails, enabling hackers to install malware and infiltrate your systems.
Internal Fraud and Remote Work
According to the KPMG survey, 62% of respondents said that employees were the biggest single source of risk. Insider threats represented their most significant fraud and corruption challenge.
This is not surprising when you consider that those with inside knowledge are often best placed to exploit vulnerabilities and take advantage of an organisation, particularly when it is distracted.
Remote working staff are often able to take conceal their conduct and delay detection.
- Limit Access: Make sure staff have access to those applications and files they need. Implementing a “Need to Know” approach to your internal controls will help ensure only those who need access to particular applications or files, actually have access to them. It can ensure that in the event of an internal fraud, identifying the responsible individual will be much easier.
- Internal Network Segregation: It is vital to ensure that access to different systems on your network are restricted. By implementing internal segregations, you can limit lateral movements of individuals across the network, again limiting the opportunities for internal fraud.
- Password Controls: Ensure all data is password protected. Only those members of staff that need access to a particular set of data have passwords that can access it.
- Segregation of Duties: One of the most important internal controls you can implement is segregation of duties. This means that whoever is inputting data into your systems is not the same person who verifies the accuracy of the data. Likewise, the person processing payments is a different person. Such segregation means that there is a reduced risk of internal fraud, as it would require the involvement of multiple parties to succeed.
How can eftsure help?
Organisations need to embrace technologies that can help mitigate the increased risk of both external and internal fraud due to staff working remotely.
The fact is management are going to face the challenges associated with remote work for the foreseeable future. By integrating eftsure into your accounting environment, you have a system that can help you ensure payments are being directed to the intended recipient, and you are not being defrauded, whether by external or internal actors.
Our unique fraudtech platform verifies your EFT payments against a database of nearly 2 million Australian organisations. This gives you assurance that the payment details in your possession match those used by others when paying the same supplier.
With eftsure able to verify payments in real time, at the point of payment, the opportunities for fraud are substantially diminished.
Contact eftsure today for a demonstration of how we can help keep your AP function running securely as staff work remotely.