While these technologies deliver never before seen efficiencies for businesses, they aren’t without risks, with new cybersecurity threats arising daily.
The following steps are specifically designed to protect your accounts payable function from cybercriminals.
Invoice verification process: Invoices and purchase orders must be matched to verify and confirm payment requests are expected. It is wise to limit the number of personnel that can approve invoices, and ensure they are accountable for validating the legitimacy of the invoice, the amount and the payment details.
Two-factor authentication: Two-factor authentication is a two-step process requiring a user to provide a first layer of authentication, such as login information, in addition to a secondary piece of information such as a randomised access number, an additional security PIN or similar before being able to undertake an activity. A simple example is the PIN sent as a text message to your mobile phone to verify and proceed with the transaction. Introducing two-factor authentication – usually in the form of physical toggles/tokens or mobile apps – adds an additional layer of security to protect your organisation. Not all banks accommodate tokens for all users, so ensure someone in the payment chain uses two-factor authentication. No transactions should be created and authorised without a user in the payment chain using a token. This could be the person who creates the transaction and/or the authoriser(s).
Setting payment limits: While it may be reasonable to allow single authorisation for small value transactions (this will vary depending on your organisation’s controls and risk tolerance), it’s wise to implement more robust processes for transactions involving larger amounts.
Payment authorisation process: We strongly recommend all transactions greater than the ‘small value’ have two authorisers. It is also possible for banking details to be changed by a hacker before the transaction is first authorised, so the authorisers must check the on-screen bank account number and details against the paperwork prior to final authorisation.
Validating payment details: For all new suppliers and changes to existing payee details, the account details should be validated by telephone. Never validate the changes via email. Use previous invoices, purchase orders, company records, web searches, business cards, previous correspondence or even the Yellow Pages to find the phone number to ring and confirm the BSB and account number. Don’t use the contact details provided in the invoice. Ensure the personnel undertaking the verification are properly trained to follow a check-list approach.
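The five steps above can be expressed as a single release check that a payment must pass before it is authorised. The following is an added example written for this page; it is not code from the original advisory or from Pitcher Partners. The small-value threshold, the record fields (including how a payee's details were validated) and the sample suppliers and account numbers are all assumptions constructed for the example.

```python
"""Accounts payable payment-release policy check.

Added example, not code from the original advisory or from Pitcher Partners.
It encodes the controls described above as one release check: invoice matched
to a purchase order, a token (two-factor) user somewhere in the payment chain,
dual authorisation above a small-value threshold, payee details validated by
telephone, and on-screen bank details matching the approved paperwork.
The threshold, record fields and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

SMALL_VALUE_LIMIT = 5000.00  # assumed threshold; set from your own risk tolerance


@dataclass(frozen=True)
class Payee:
    name: str
    bsb: str
    account: str
    validated_by: str  # how the details were confirmed: "phone", "email" or "none"


@dataclass
class Payment:
    invoice_id: str
    po_id: Optional[str]      # purchase order matched to the invoice, if any
    amount: float
    creator: str              # user who entered the transaction
    authorisers: List[str]    # users who approved it, in order
    token_users: Set[str]     # chain members who authenticated with a token
    paperwork: Payee          # details on the approved invoice / PO
    on_screen: Payee          # details shown in the banking portal at final authorisation


def check_payment(p: Payment) -> List[str]:
    """Return the control failures for a payment; an empty list means it may be released."""
    failures = []
    if not p.po_id:
        failures.append("invoice not matched to a purchase order")
    chain = {p.creator, *p.authorisers}
    if not chain & p.token_users:
        failures.append("no user in the payment chain authenticated with a token")
    if p.creator in p.authorisers:
        failures.append("creator must not authorise their own payment")
    needed = 1 if p.amount <= SMALL_VALUE_LIMIT else 2
    if len(set(p.authorisers)) < needed:
        failures.append(f"{needed} authoriser(s) required for an amount of {p.amount:.2f}")
    if p.paperwork.validated_by != "phone":
        failures.append("payee details not validated by telephone")
    if (p.on_screen.bsb, p.on_screen.account) != (p.paperwork.bsb, p.paperwork.account):
        failures.append("on-screen bank details differ from the approved paperwork")
    return failures


# Constructed sample data (not real suppliers or account numbers).
ACME = Payee("Acme Supplies", "062-000", "12345678", "phone")
ACME_SWAPPED = Payee("Acme Supplies", "062-000", "99999999", "phone")  # account altered on screen

GOOD = Payment("INV-1001", "PO-7788", 12500.00, "alice", ["bob", "carol"],
               {"carol"}, ACME, ACME)
TAMPERED = Payment("INV-1002", "PO-7789", 12500.00, "alice", ["bob"],
                   set(), ACME, ACME_SWAPPED)


if __name__ == "__main__":
    for label, payment in (("GOOD", GOOD), ("TAMPERED", TAMPERED)):
        print(label, check_payment(payment) or ["release permitted"])
```

The check returns every failing control rather than stopping at the first, so the authoriser sees the whole picture: the tampered sample fails on the missing token user, the single authoriser for an amount above the small-value limit, and the on-screen account number that no longer matches the paperwork.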
Additional steps for added protection
In addition to the protections above, the following controls should also be considered to safeguard your organisation against cyberattack.
- Encourage the bank and your personnel to monitor transactions and to advise of suspicious activity – particularly with changes that occur after initial entry, international transfers and RTGS payments. Be sceptical and look for unusual events including rejected and unexpected transactions, and transactions that are resubmitted.
- Do not save your passwords in your internet browser. Instead, ensure personnel enter their credentials each time they log in.
- If practicable, isolate banking to a desktop used for the sole purpose of banking. It must not have email access.
- Limit access to banking and payment systems during specific times – typically those outside core business hours. Blocking attempts to log in outside of these times minimises the likelihood of undesired activity while you’re away from the office.
- To reduce the risk of payments being amended, where possible and practicable use Direct Entry Payment files rather than manually entering the transaction.
- Consider whether the person entering payments should have authorisation capabilities, even if they are required to use two-factor authentication to access the banking systems.
- Dual administration should exist for password resets, changes to authorising limits, etc. Administrators should require two-factor authentication to obtain access.
- Ensure the method of delivery of payment requests to the accounts payable team is secure. This may even require physical delivery – remembering that a hacker can replicate your approval process if this process is undertaken online.
- Develop a preferred supplier list that is managed and checked by an independent person. Preferred supplier details can only be added or changed if they are validated.
- Consider a ‘know your payee’ solution which checks the payee name against the BSB and account number. There are new developments in this area.
- Consider daily banking limits or even user limits.
- Authorisers should process transactions in smaller batch sizes and should limit the time between each screen refresh and authorising. Changes may be made to transactions between the time the screen loads and the time the transaction is authorised. Refresh the screen regularly.
- Monitor ScamWatch and the Australian Cyber Security Centre news page and register for the Stay Smart Online alert service.
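Several of the monitoring points in the list above (changes made after initial entry, rejected transactions that are resubmitted, and logins outside core business hours) can be checked automatically against a banking activity log. The following is an added example written for this page, not code from the original advisory or from Pitcher Partners; the log layout, field names, core hours and all sample entries are assumptions constructed for the example.

```python
"""Transaction-monitoring rules for an accounts payable banking log.

Added example, not code from the original advisory or from Pitcher Partners.
It runs three of the 'unusual events' above over a constructed event log:
payee bank details changed after the transaction was first entered, a rejected
transaction resubmitted under the same invoice, and a login outside core
business hours. The log layout, field names and core hours are assumptions.
"""
from datetime import datetime, time
from typing import Dict, List, Tuple

CORE_HOURS = (time(8, 0), time(18, 0))  # assumed core business hours

# Constructed sample log entries: (ISO timestamp, user, action, details).
SAMPLE_LOG = [
    ("2024-03-04T09:12:00", "alice", "login", {}),
    ("2024-03-04T09:15:00", "alice", "create",
     {"txn": "T1", "invoice": "INV-1", "bsb": "062-000", "account": "11111111"}),
    ("2024-03-04T11:40:00", "alice", "modify",
     {"txn": "T1", "account": "22222222"}),          # account changed after entry
    ("2024-03-04T12:05:00", "bob", "authorise", {"txn": "T1"}),
    ("2024-03-04T14:00:00", "alice", "create",
     {"txn": "T2", "invoice": "INV-2", "bsb": "062-000", "account": "33333333"}),
    ("2024-03-04T14:30:00", "bank", "reject", {"txn": "T2"}),
    ("2024-03-04T15:00:00", "alice", "create",
     {"txn": "T3", "invoice": "INV-2", "bsb": "062-000", "account": "44444444"}),
    ("2024-03-04T23:47:00", "alice", "login", {}),    # outside core hours
]


def monitor(log) -> List[Dict[str, str]]:
    """Return one alert per suspicious event, naming the rule, user, transaction and time."""
    alerts: List[Dict[str, str]] = []
    original_details: Dict[str, Tuple[str, str]] = {}  # txn -> (bsb, account) as first entered
    txn_invoice: Dict[str, str] = {}                    # txn -> invoice it pays
    rejected_invoices = set()

    def alert(rule, user, txn, ts):
        alerts.append({"rule": rule, "user": user, "txn": txn, "at": ts})

    for ts, user, action, d in log:
        when = datetime.fromisoformat(ts)
        if action == "login":
            if not CORE_HOURS[0] <= when.time() <= CORE_HOURS[1]:
                alert("login_outside_hours", user, "", ts)
        elif action == "create":
            original_details[d["txn"]] = (d["bsb"], d["account"])
            txn_invoice[d["txn"]] = d["invoice"]
            if d["invoice"] in rejected_invoices:
                alert("rejected_then_resubmitted", user, d["txn"], ts)
        elif action == "modify":
            orig = original_details.get(d["txn"])
            if orig:
                # A modify may carry only the fields that changed; fill the rest from the original.
                new = (d.get("bsb", orig[0]), d.get("account", orig[1]))
                if new != orig:
                    alert("payee_changed_after_entry", user, d["txn"], ts)
        elif action == "reject":
            rejected_invoices.add(txn_invoice.get(d["txn"], ""))
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"{a['at']} {a['rule']:<28} user={a['user']} txn={a['txn'] or '-'}")
```

The rules are deliberately stateful: a payee change is only suspicious relative to what was first entered, and a resubmission is only visible once an earlier rejection for the same invoice has been seen, so the function keeps the original details and rejected invoices as it walks the log in time order.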
A robust approach to cybersecurity involves planning, ongoing training, maintenance, monitoring and more. For guidance or assistance with your unique cybersecurity needs contact Pitcher Partners for a confidential discussion.