Are you confident that cybersecurity controls in your bookkeeping and accounting operations are effective? In this article, I’ll address five key cybersecurity steps to protect your financial operations and help against the prevalent threat of payments fraud.
Your Business or Organization Is Susceptible to Fraud!
If you think that only large corporations are vulnerable to attacks, think again. According to Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses sponsored by Keeper Security, small businesses increasingly face the same cybersecurity risks as larger companies, yet only 28% of those surveyed feel they’re highly effective in mitigating those threats, vulnerabilities and attacks.
According to the Ponenom report, most businesses surveyed experienced a cyber attack or data breach with severe financial consequences. Phishing/social engineering was the number-one type of attack experienced, followed by web-based attacks and general malware.
Imagine a scenario where payment data from your business or not-for-profit organization is compromised. I’m guessing you’ve already got a full workload as it is – so preventing issues in the first place is the way to go, since not only will you be protecting your brand, but you’ll also avoid the heartache and financial pain of the remediation process in the event your financial data is compromised.
Manage your risk of payment fraud by taking these 5 key steps:
1. Train your staff
Business Email Compromise (BEC) schemes are now common events. According to a Symantic Internet Security Threat Report, “In 2018 employees of small organizations were more likely to be hit by email threats – including spam, phishing, and email malware – than those in large organizations.” BEC schemes include fraudsters impersonating an employee, supervisor or existing vendor and requesting that payments be made to a fake bank account.
To prevent BEC schemes from occurring in your office, raise staff awareness about the common schemes that can occur. Regular reminders are a must, since it’s common for busy colleagues (including you) who are in the midst of their hectic daily schedules to inadvertently open up questionable email attachments or haphazardly respond to questionable email requests. So, instill in your team a healthy dose of skepticism when it comes to payments requests.
When a suspect payment request arises, everyone in your office should know the proper protocols. This includes how to correctly follow-up to validate the questionable request. You wouldn’t want your bookkeeper to just contact the purported vendor by calling back the phone number on the email in question, right? Don’t assume everyone knows what to do, so be very specific on how to verify the validity of a request and the appropriate bank account instructions to avoid leaving anything up to chance. And don’t forget to train your part-time and temporary staff too.
2. Implement bill approval processes
Having a second set of eyes involved in reviewing and approving requests for payment is another type of control used by many companies. To facilitate an efficient process, you can establish a dollar limit for approvals, so that anything over a certain amount needs a second review and approval. Using a cloud-base payment app such as Bill.com can facilitate your payments and the approval workflow.
3. Use Positive Pay
Positive Pay is a service offered by banks in which the bank verifies that the checks presented for payment match the list of checks you’ve issued. The bank performs this double check prior to payment, to make sure the information matches. If there’s a mismatch, the bank alerts you before any funds are issued, so you prevent losses from check payments fraud.
4. Strengthen your Bring Your Own Device (BYOD) practices
Do you allow your staff or contractors to use personal devices to access your office’s data and conduct work? According to a Keeper Security article, hackers take the path of least resistance, which is often times employee-owned mobile devices. Therefore, you need strong cybersecurity policies for personal devices if you’ve decided to allow employees to use them for work. Make sure employees protect the physical security of their devices and maintain the latest version of software (to keep security updates current). Enforce limitations on what can be accessed on them and require that the data be encrypted on these devices. Strong password controls should be implemented for both work and personal devices.
5. Check in with your outside bookkeeping and accounting firm
If you use an outside firm/person to do your bookkeeping and accounting, be sure to have a robust discussion with them to gauge the firm’s commitment to protecting the security and privacy of your information. Get comfortable that your outsourced firm is committed to strong security measures. The firm should have a formal security policy that includes strong technology safeguards for prevention, monitoring, detection and encryption, controlled access, ongoing employee security awareness training, and back up and maintenance procedures. If you use a web-based system(s) to conduct your bookkeeping and accounting operations (think QuickBooks Online, Bill.com, or the various payroll service providers out there), then typically, most providers of such services undergo stringent security procedures or SSAE16 attestations that test their data center’s level of security.
If you have questions and/or would like to pursue other actionable steps to ensure your business or not-for-profit organization’s continued success, please reach out to me, I’ll be happy to talk with you. Orin Schepps, Founder and CEO @consultanceaccounting https://www.consultancellc.com
Ponemon Institute. “2018 State of Cybersecurity in Small & Medium Size Businesses.” Keeper Security, 2018. <https://start.keeper.io/2018-ponemon-report>
Symantic. “ISTR Internet Security Threat Report.” Symantic, February 2019. <https://img03.en25.com/Web/Symantec/%7B1a7cfc98-319b-4b97-88a7-1306a3539445%7D_ISTR_24_2019_en.pdf>
Keeper Security. “5 Cybersecurity Tips For Small and Medium Sized Businesses.” Keeper Security, 27 September 2016. <https://keepersecurity.com/blog/2016/09/27/5-quick-cybersecurity-tips-for-small-businesses/>
Bill.com. “Protecting Yourself From Business Email Compromise (BEC) Schemes.” Bill.com, 26 March 2019. <https://support.bill.com/hc/en-us/articles/360015918451-Protecting-yourself-from-Business-Email-Compromise-BEC-schemes>
MDL Technology, LLC. “Cybersecurity Tips for Accounting Firms in 2018.” MDL Technology, 8 January 2018. <http://www.mdltechnology.com/cybersecurity-tips-accounting-firms-2018/>