By Geralyn Cassone
Companies must create additional layers of security to turn back fraudsters.
The Target breach was the wake-up call. The fraud landscape has changed dramatically in all phases of business, and companies must be more aggressive in preventing it.
In corporate treasury, most departments have their own list of internal treasury controls aimed at reducing fraud and protecting company assets. These likely focus on more traditional measures such as segregation of duties, encryption, secure access mechanisms, centralization of process and the like. While these are still vital to a tight security plan, today’s need for control has expanded well beyond these traditional mainstays of prevention. Today, additional layers of security need to be incorporated to adequately protect data against threats arising from software vulnerabilities and from the use of mobile devices for company business.
Examples of software vulnerabilities include recent exploits identified in Java, Adobe Reader and Acrobat whereby a hacker could take over an end-user computer. For treasury, a hacker taking over a computer used for initiating, approving or releasing cash is a serious threat given that unauthorized access to cash is often cited as the biggest security concern of treasurers. A reported incident of end-user computer fraud has made it real for at least one treasury organization.
All the more reason to take action ensuring a good model of prevention is in place, protecting your treasury operations.
Persistence Remains
Fraudsters remain undaunted and aware of the slow progress that is being made in keeping them out. The 2013 AFP survey on Payments and Fraud Control shows that 61 percent of organizations experienced a fraud attack in the prior year, which is still stubbornly higher than the 55 percent base-year level (2004).
Paper checks aside, the survey shows all other payment types with increasing incidents of fraud attempts, including ACH and corporate card payments. So while checks have by far the highest incidence rate (87 percent) of all payment types, what is disturbing is the year-over-year change in non-check payment fraud, which is increasing at an exponential rate.
As in prior years, the survey reports that payment fraud incidents are more frequent in larger organizations and in those with more payment bank accounts. As noted in the survey summary, “This category of companies does not appear to be gaining ground in mitigating the fraud threat.”
One reason may be that fraudsters typically attack the weakest points in the process: companies, their employees and their employees’ devices. Larger organizations have more people, devices and accounts to play with. And the expansion of technology and the use of smart phones all add to the complexities of trying to secure data from end to end. More sophisticated technology is creating more sophisticated types of attack.
And fraudsters are not shy. An uninformed employee can be easily fooled even by an incoming phone call. In one incident a call was directed to a company employee who was given a false scenario in order to extract information. The caller apparently had enough knowledge of certain treasury transactions to be dangerous and could have possibly been considered legitimate. An unknowing employee released confidential financial information.
The biggest risk in most companies, according to Milton Santiago, a Bank of America Merrill Lynch (BAML) portal and treasury e-commerce executive, is human behavior. Employees inadvertently open the door to fraud when they are directly contacted by criminals or use company devices for personal purposes. Even an employee creating a social media profile can be an invitation for hackers. Personal names and information available on such sites are used by fraudsters when contacting individuals and can create a sense of comfort that the contact is legitimate.
Companies Need to Step It Up
The AFP survey found that 64 percent of respondents spoke with their banks about fraud and prevention – have you?
When it comes to fraud prevention, “the weakest link is companies, not banks,” Mr. Santiago noted in his talk on security insight at the fall E&CTPG meeting. A lack of good internal controls often leaves companies vulnerable to attack by fraudsters. In a previously provided white paper, Mr. Santiago offers smart advice on how corporations can take steps to establish tighter controls and strongly suggests that employee education is the key to warding off many fraud attempts.
For instance, some companies don’t place a high enough priority on the administration of security patches and updates to their systems. These companies leave it up to users to monitor for outdated software and install the latest security updates, without oversight from IT.
Copying your bank is one way to build prevention into your operations. Incorporating best practices and ensuring compliance takes time and resources and is often inconvenient. For smaller operations, it is even more of a chore. Mr. Santiago offers help: he suggests that organizations leverage their banks’ security structures, and in doing so they will do a better job of warding off fraud.
Accordingly, using the same control measures and tools the banks have in place is one route to adding security to your infrastructure. For example, back-end applications exist that monitor for fraud after processing has occurred; by building up a history of transaction patterns, they help identify unusual activity and detect a possible attack.
Establishing a Good Prevention Model
Your optimal model of prevention should encompass the steadfast, traditional measures of separation of duties, segregating bank accounts, secure access, positive pay and tiered authorizations, to name a few. However, it also needs to include new controls that add those extra layers of security needed today. According to BAML’s best practices for preventing fraud, a good corporate security model entails four segments, as shown in the chart below:
As the chart shows, the new layers of security include employee education and raised awareness of the types of fraud attacks, particularly when using online systems and, more importantly, when using them outside of the office. Mobile device tracking and usage is also creating the need for a whole new area of prevention management, which is discussed further below.
Additionally, there needs to be a clear plan for how treasury and the company as a whole react to a security breach, as well as a communication vehicle for reporting suspected fraudulent activity, internal and external, anonymously and confidentially. An optimal plan for prevention will also revisit, re-educate and measure compliance often. While 75 percent of organizations that see fraud threats do not suffer actual losses from fraud, breaches and other events such as hacking can create havoc and certainly open the door and provide opportunity for theft. Now is the time to incorporate a good model of fraud prevention. Look deeper into what would constitute a good model from your treasury operation’s perspective, and talk to both your banks and other industry experts about their approach to fraud prevention.
Building Mobility Management
Enterprise Mobility Management (EMM) is becoming critical for businesses given security concerns around the growth of hand-held devices and increased employee mobility. The goal of any EMM program is to secure company data from end to end, from the data center to the point of remote access—and while that data is in transit. It includes IT standards for encryption and for controlling data access, which are not new to treasury operations control, but it adds complexities such as the ability to wipe data from lost or stolen devices and impact assessments of network traffic.
Computer-maker Dell recently released a report, “Mobile Security: Protect Corporate Apps & Data,” summarizing where mobility capabilities are critical in an organization: (1) in managing devices, (2) in optimizing infrastructure and (3) in developing and modernizing apps. The company also listed the five top mobile threats:
- Data loss from lost, stolen or decommissioned devices
- Information-stealing mobile malware
- Data loss or leakage through third-party applications
- Vulnerabilities within the device’s OS or design and in third-party applications
- Insecure Wi-Fi networks or access points
For mobile usage, the blurring of the line between personal and business use has created a new issue. An IDG Mobile Survey 2013 reported that 41 percent of smart phone owners use the same device for both personal and business purposes. If you have ever handed your smart phone to your child to play a game or use a personal app, and that phone is also used for business, you are opening the door to fraud and putting your company at risk. Additionally, 50 percent of mobile phone users don’t password protect their devices, so the risk of data theft is even greater if such a device is lost or stolen.