Strategic Treasurer recently released the "2019 Treasury Fraud & Controls Survey Report," its fourth annual analysis of the fraud statistics that impact corporate payments. Covering 100 questions asked of nearly 300 worldwide respondents in a range of roles from cash manager to the C-Suite, the paper provides organisations with valuable insights on the various issues surrounding fraud and payment security.
Many issues in this edition mirror insights learned in the 2018 and 2017 versions – common-sense items such as the fact that fraud is on the rise and both financial institutions and corporates are having to spend more to combat the threat.
There are many new insights highlighted in the report that organisations should understand as they assess their own security strategies.
Here are the three biggest issues to be aware of:
- The vast majority of organisations are spending about the same on treasury fraud prevention
Don't get a false sense of security from the fact that more than three quarters of organisations plan to spend about the same on treasury fraud prevention, detection and controls.
As with most things, costs rise every single year. If you think about your personal expenses, you're paying more now for the same insurance coverage, groceries, clothes, etc. than you were a year ago. It's the same with fraud protection. If you're budgeting the same amount this year as you did last year, those funds will not go the same distance because fraud threats are growing in both scope and severity, with fraudsters getting more creative in their attack strategies every day.
Spending the same to defend your organisation essentially means your protection level will be moving backwards – and that's not a good place to be when the security of payments is at stake.
Something else that needs to be considered when it comes to security is where those funds are spent. If you aren't thoughtful about the protections you employ, it's possible to waste your entire budget on efforts that are little more than placebos giving only the impression of security without providing any real protection.
- Segregation of duties ranks highest in importance among all the layers of security
Segregation of duties certainly ranks high in any comprehensive security plan because it significantly reduces the risk of internal fraud threats. But the best security is always holistic, with other elements such as encryption, firewalls and the principle of least privilege all combining to create a powerhouse of security that protects organisations from all angles.
That's the critical mistake businesses often make – putting too much faith in a single source of protection.
Take home security, for example. Having walls and a door is a necessary level of protection against potential threats. Locks provide a second level of protection. While most homeowners stop there and consider that an adequate level of defence, it could hardly be considered robust. Installing a series of security cameras and an alarm would reduce their risk even further. Adding a moat filled with alligators would provide an even greater level of protection (in addition to being just plain cool) and would provide tremendous peace of mind that everything possible had been done to secure the environment.
- Security training practices are in need of enhancement
Security experts agree that humans are the weakest link in the entire chain of security. That's why effective training has the single biggest influence on the success of a fraud protection strategy.
Business email compromise (BEC) is a perfect example of this. Ranked by nearly 80% of the survey respondents as the most pervasive threat they face, BEC relies on human vulnerabilities to be successful – and it's having a very damaging effect on the payments industry.
Training could eliminate many of these shortcomings, but unfortunately, organisations fall short on training in the areas of frequency and scope. Educating staff in the aftermath of a fraud event, or when they've been hired, isn't enough. Employees need to be prepared for the rapid evolution of the fraud threats they might encounter, and as such, they should be trained annually with a curriculum that covers elements such as how to identify suspicious activity, what good security hygiene practices entail and how to respond to an attack. Tests should also be given to gauge employees' comfort level and proficiency with the topic, with training schedules adjusted accordingly based on results.
Fraud isn't a new issue for organisations. It's been around since the days of bartering and is just an unfortunate reality that has to be dealt with as a part of doing business.
But it doesn't have to be the sole focus of your business. Understand where you stand today in terms of security and forge partnerships with the specialists who understand your risks and can help you to protect against them. Then you can get back to the activities that grow and optimise your business.