What you need to know about “Need to Know”
All your attempts to avoid digital fraud can amount to nothing if you don’t have the right internal access control settings. You need to ensure every person in your organisation has access to the information they require to carry out their job, without the ability to access unnecessary additional information. In this blog we will explore what you need to know about Need to Know (N2K), why it’s so important in the fight against digital fraud and why alone it isn’t enough to protect you.
Trusting Your Team
We get it. Trust sits at the heart of teamwork. Without trust, building an effective team would be all but impossible for any organisation. That is particularly true for Accounts Payable (AP) teams. After all, the AP team oversees the outward flows of the organisation’s funds. As a CFO, if you don’t have trust in your AP team, it would be pretty difficult to maintain business operations.
That’s why many CFOs avoid contemplating the prospect that any member of their AP team may not be trustworthy. Nobody likes to think that a member of the team may be acting against their organisation’s best interests.
However, as an executive, you have a responsibility to your board and shareholders to implement effective risk management strategies. That means you need to consider the possibility that at some point in the future, a disgruntled employee may look for an opportunity to engage in fraudulent activities against your organisation.
That’s why it is essential to adopt appropriate internal controls that restrict the level of information individuals have access to. Ensuring that individuals have access to information they need, but not to information they don’t, sits at the heart of the N2K principle.
The “Need to Know” Principle
According to the Australian Cyber Security Centre, N2K is defined as follows:
“The principle of restricting an individual’s access to only the information they require to fulfil the duties of their role”.
N2K is a principle that closely aligns with information classification protocols. Under the Australian Government’s Protective Security Policy Framework (PSPF), N2K principles apply to all “sensitive and classified information”.
This reflects the need for personnel to access specific information only where there is an operational requirement to do so. Implementing N2K also helps personnel understand their responsibilities for protecting information, including the correct methods for its storage, handling and dissemination.
Aligning N2K With IT Configurations
Adopting N2K requires close coordination with your organisation’s IT and security teams. As CFO, you have a responsibility to ensure the right people have access to the right systems and data. Get it wrong, and people will have access to too much information, exposing you to greater risk of fraud.
The risks associated with the wrong IT settings were recently highlighted in a report titled “Local Government General Computer Controls” by the Western Australian Auditor-General.
The report highlighted the fact that staff at one local council were using shared generic login credentials to access a server that hosted files storing sensitive financial data. With unrestricted access to the files, any staff member could potentially redirect payments for council rates, infringements, license and application fees to another bank account. Simply changing a file that was hosted on the shared server was all that was required to commit fraud.
With access to the server not restricted in any way, and no activity on the server being monitored or logged, it would have been almost impossible to identify the responsible party in the event of any fraudulent activity.
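The audit finding above comes down to two missing controls: access that is not limited to what each role needs, and no record of who did what. The following is an added illustration, not code from the audit report or from eftsure, using a constructed set of AP roles, files and user accounts to show how a per-role permission map plus an audit log gives both the restriction and the accountability that a shared generic login cannot:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example (not from the audit report): three AP roles and the two
# files their duties require. Nobody holds more than their role needs (N2K).
PERMISSIONS = {
    "ap_clerk":      {"invoices.csv": {"read"}},
    "ap_supervisor": {"invoices.csv": {"read", "write"}, "rates_payments.cfg": {"read"}},
    "bank_admin":    {"rates_payments.cfg": {"read", "write"}},
}

# Constructed user directory: one named account per person, one role each.
# A single shared "finance" login holding every permission is the pattern
# the audit criticised, because it makes attribution impossible.
USERS = {"alice": "ap_clerk", "bob": "ap_supervisor", "carol": "bank_admin"}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, resource, action, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "resource": resource, "action": action, "allowed": allowed,
        })


def authorise(user, resource, action, log):
    """Allow `action` only if the user's role needs it; log every decision."""
    role = USERS.get(user)
    allowed = role is not None and action in PERMISSIONS.get(role, {}).get(resource, set())
    log.record(user, resource, action, allowed)
    return allowed


def who_changed(log, resource):
    """Named accounts that successfully wrote `resource`: the accountability
    a shared generic login cannot provide."""
    return sorted({e["user"] for e in log.entries
                   if e["resource"] == resource and e["action"] == "write" and e["allowed"]})


def denied_attempts(log):
    """Denied requests are what to review: a clerk trying to write the bank
    details file is worth a question even though nothing was changed."""
    return [(e["user"], e["resource"], e["action"]) for e in log.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AuditLog()
    authorise("alice", "rates_payments.cfg", "write", log)   # denied and logged
    authorise("carol", "rates_payments.cfg", "write", log)   # allowed and logged
    print("changed by:", who_changed(log, "rates_payments.cfg"))
    print("denied:", denied_attempts(log))
```

In a real deployment the permission map lives in the file server's ACLs or the finance system's role configuration and the log in a central, tamper-evident store; the point is that both must exist for N2K to be enforceable and auditable.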
Concerns About N2K
When implementing an N2K policy within your organisation, it’s also vital to ensure that it isn’t being used to hide nefarious activities.
N2K can potentially be used by certain individuals to block others from accessing information in order to avoid scrutiny. This lack of transparency may lead to inefficiencies and poor business outcomes, and may hide illegal activities.
When implementing an N2K framework in your organisation, you need to strike the right balance between safeguarding confidential information and ensuring sufficient checks and balances are in place to prevent it being abused.
How can eftsure help?
The unfortunate reality is that sometimes staff in any organisation will attempt to engage in fraud by accessing and manipulating financial data, such as bank account details. This could see supplier payments being redirected to a bank account under the disgruntled employee’s control.
Whilst it is important to have appropriate N2K settings in place to prevent such fraudulent activities, N2K alone may not be able to prevent all fraud attempts by a determined disgruntled employee. Furthermore, N2K may actually hide their fraudulent activities by reducing levels of transparency.
Eftsure helps you secure electronic funds transfer (EFT) payments. Our collaborative fraudtech solution verifies your EFT payments in real time against a database of nearly 2 million Australian organisations. In cases where a disgruntled employee has managed to manipulate supplier banking data, you’ll be alerted to the fact that the information in your systems doesn’t match the details used by other organisations to pay the same supplier. This crucial information can help you avoid attempts to defraud your organisation.
Contact us today for a no-obligation demonstration of the many ways eftsure can help your organisation avoid fraudulent activities.