Opinions of contributing entrepreneurs are their own.
Here’s a sobering truth: 95% of cyber attacks can be traced back to human error. The more employees you have, the greater the risk of becoming a victim of cybercrime. We all imagine legions of hackers trying to break through our firewalls, and yes, occasionally some will get through. But the much more common truth is that unsuspecting employees inadvertently allow cybercriminals access to company systems and data, or are influenced by these hackers to perform questionable (or even illegal) actions.
Even worse are the deliberate fraudulent actions of the people sitting between the keyboard and the chair. Some employees themselves try to cheat the system by changing amounts, bank account details or other data in favor of their personal financial situation. Then there are other people from the outside who are up to no good, such as when a supplier or partner sends false or altered documents to the company, such as supplier invoices with false bank account details or wrong amounts.
None of these events is an indictment of company leaders, security practices, or judgment. They only emphasize that technology alone cannot stop every cyber-attack. The key to maximizing protection and minimizing exposure to these attacks is to combine technology with a human touch.
Related: Cybercrime Will Cost The World $8 Trillion This Year – Your Money Is At Risk. Here’s why prioritizing cybersecurity is key to mitigating risk.
1. Secure data starts and ends with people
Many cyberattacks succeed due to a simple but avoidable human error or an incorrect response to a scam. For example, an employee may reveal usernames and passwords after clicking a link in a phishing email. They may open an email attachment that unknowingly installs ransomware or other equally destructive malware on the corporate network. Or they simply choose easy-to-guess passwords. These are just a few examples that cyber thieves can use to attack.
Consider taking the following steps to ensure your business remains well protected to minimize the risks of human error.
- Strengthen employee awareness and training: Organize periodic training on cybersecurity best practices, recognizing phishing emails, avoiding social engineering attacks, and understanding the importance of secure data handling. In 2022, around 10% of cyber attack attempts were thwarted because employees have reported them, but they can only report such attempts if they recognize them.
- Build a culture of safety: Ensure that everyone in their role is actively protecting company assets by promoting open communication about security issues, recognizing employees who demonstrate good security practices, and incorporating security into performance evaluations.
- Apply stricter access controls: Access controls limit who can view or change sensitive company data and systems. By applying the “principle of least privilege” to access controls and educating employees about the risks of account sharing, unauthorized access and data breaches can be mitigated.
- Use password managers: Strong passwords are hard to crack, but challenging to remember. Password management software can create and store hard-to-guess passwords without users having to write them down.
- To enable multi-factor authentication (MFA): MFA adds an extra layer of security by requiring an additional authentication method, such as fingerprint or one-time code, in case an attacker steals an employee’s password.
- Implement fraud detection processes for incoming documents: These processes attempt to identify fraudulent documents (such as counterfeit invoices) upon receipt before they can be processed.
2. Reduce exposure to cyberattacks and fraud with technology and automation
While a lack of awareness, training, recognition, and processes are responsible for the success of most cyberattacks, you still need technological barriers to try and keep determined hackers out of your systems. Finance and accounting firms are top targets for cyberattacks and fraudsters, so the accounts payable systems are a prime target if they do get in.
In fact, 74% of companies attempted or actual payment fraud. Creditor fraud abuses AP systems and associated data and documents with mischief such as:
- Creating fake supplier accounts and false invoices for them.
- Changing payment amounts, bank details or dates on valid invoices.
- Tampering with checks.
- Making fraudulent expense reimbursements.
Related: What Is Phishing? Here’s how to protect yourself from attacks.
3. Keeping the bad guys out
Of course, you want your IT department to use technology primarily to thwart unauthorized attempts to access the network and systems. In addition to the venerable firewall, there are some reliable systems:
- Intrusion Detection and Prevention System (IDPS) monitors network traffic for malicious activity or policy violations and can automatically take action to block or report those activities.
- Artificial Intelligence (AI) plays an important role in cybersecurity by using machine learning algorithms to analyze data volumes, identify patterns, and make predictions about potential threats. It can identify attack vectors and respond quickly and efficiently to cyberthreats that humans cannot match.
- Data encryption ensures that only authorized parties with the correct decryption key can access the contents of a file, protecting sensitive data at rest (stored on devices) and in transit (over networks).
4. Protection against insider fraud
Whether a cybercriminal slips through all those barriers or an unscrupulous employee sets out to commit AP fraud, different types of automation can detect the cyberattack and prevent it from succeeding.
- Automated employee activity monitoring: This can help identify suspicious behavior and potential security threats. The software tracks user activity, analyzes logs for signs of unauthorized access, and regularly checks user access rights. Of course, employees need to know that they are being monitored and to what extent.
- Automate the payment process end-to-end on a single platform: It takes human error (and human scruples) out of the equation, except when there is an exception. Encrypted receipt/collection of electronic invoices from suppliers, automated matching of invoices to orders, and electronic payments — all without human intervention — are examples of how automation removes the opportunity (and temptation) to commit AP fraud.
- Document-level change detection goes one step further with this protection: This automated technology can detect when a stealthy cyberthief with access to the underlying systems makes unauthorized attempts to access, modify or delete sensitive documents, including orders, invoices and payment authorizations. These tools alert administrators and provide detailed audit trails of document activity, helping to detect and prevent AP fraud, whether external or internal.
- Detection of unusual data patterns: Warn AP employees to take a closer look before processing and paying the invoice. Using machine learning and AI, automated systems can compare data against historical records, spot suspicious changes to bank details, the legal name and address of the supplier and unusual payment amounts.
Related: How AI and Machine Learning Improve Fraud Detection in Fintech
It is almost impossible to fully protect yourself against cyber theft and AP fraud, especially when most of the vulnerabilities and culprits are human. You need to focus your security efforts on the perfect balance between state-of-the-art technology and the human between the keyboard and the chair. Good and continuous training can reduce the human errors that ensure that cyber attacks succeed. And technology and automation can help prevent attacks from reaching people in the first place. However, the right combination of the two is key to defeating would-be fraudsters.