Information security is among every company’s biggest concerns today. And according to Eric Adams, Chief Information Security Officer at Kyriba, a treasury management software company based in San Diego, California, one of the most challenging segments of that threat is payment fraud.
Old ways of ensuring payment security aren’t working against today’s highly sophisticated attacks. In a talk with StrategicCIO360, Adams details the latest types of payments fraud and how professionals charged with data security can prevent significant losses to their organization’s bottom line.
What keeps information professionals in charge of security up at night lately?
Data security of all kinds and specifically payments fraud are definitely top of mind. Boards and investors are asking for the highest levels of security compliance to minimize risk of unnecessary loss that can be financially destabilizing and negatively impact a brand’s reputation.
Unfortunately, one of the most targeted areas in finance is payments fraud. Weak internal controls, associated with technology that is not synced and configured to support those policies, and weak procedural guidelines or primary controls create opportunities for internal or external attacks. Collusion is a relatively uncommon attack and represents minimal risk for most finance organizations. However, in situations where systems are not configured in support of corporate policies and approvals guidelines with proper capabilities and monitoring, some glaring weaknesses can be exposed.
One common scenario is the introduction of fraudulent invoices or purchase orders into an organization’s financial supply chain. The perpetrator of a fraudulent attack can create documents and, through various sophisticated schemes, send them into an organization’s accounts payable department. Alternatively, and at times more commonly, there are requests to modify counterparty or vendor banking-settlement details so payments are routed to the fraudster’s own account.
Payments fraud is at an all-time high. A recent survey by the Association of Financial Professionals found that 82 percent of organizations have been the target of multiple attempts of fraud. Reliance on spreadsheets, along with the use of bank portals for payments management, no longer provides protection against sophisticated social engineering scams that target treasury.
How can companies pay better attention to this and plan ahead?
In general, organizations that adopt cloud-based finance solutions are in a better position for business continuity under any circumstances. Chief Information Officers should be renegotiating contracts or removing any possible overlaps in services they are purchasing or have purchased before the pandemic, in addition to displacing antiquated capabilities with more current and proven technology.
More than that, boards and CEOs should champion their IT leaders in support of adopting the right technology and employing critical personnel to protect the company from sudden stops in liquidity or reputational damage due to fraud attacks, and deploy enterprise-wide liquidity management solutions to unlock growth for the organization.
As a means of delivering optimal growth potential, Kyriba’s chairman and CEO Jean-Luc Robert advocates for a new position, the Chief Liquidity Officer, to manage all areas of liquidity across the enterprise. This position is a single, authoritative point of accountability that oversees the lifecycle of liquidity and reports to the CFO. The CLO would develop a holistic strategy and be empowered to execute based on the company’s enterprise objectives. Beyond simple operational savings, the CLO can provide other benefits, including better return on investments, fewer missed earnings targets and faster growth through the additional liquidity made available.
There have been reports about increased fraud and security issues with global companies as more employees work from home. What are your thoughts on this and what can CIOs and their IT departments do to prevent this?
CIOs should be taking every action they can to make sure that the services they are using are safe. There are at least four main categories for consideration.
Compliance obligations: We recently achieved ISO 27001 certification, a globally recognized standard that validates our processes are correct, mature and able to maintain our clients’ data security. In addition to ISO 27001, there are others such as SOC, SWIFT and GDPR. Depending on your type of business in the marketplace, the proper compliance type should be considered.
Information and risk protection: Establishing best-practice policies and procedures, third-party risk assessment, contract reviews, security awareness training, business continuity planning and more.
Cyber defense center: Enterprise-level security today is multifaceted. Incident response management in real time is critical, along with threat and vulnerability management, constant detection and monitoring of potential intrusion and ongoing reporting.
Security partnerships: This is an important area for educating your staff, partners and client-facing teams and includes security deployment reviews and departmental training.
How can other CIOs and CSOs work together to prevent the surge in security breaches? What should they know before they invest in another costly project?
The savvy CIO is always working closely with a vendor that can offer expertise in data management and help offload IT resources. CIOs today are looking for ways to minimize IT impact and instill confidence in the CFO and the finance organization that preservation of cash and liquidity is prioritized.
CIOs and CSOs should focus on continuous process improvement by continually analyzing gaps and risks and then making plans to address them with risk treatment plans. Documenting the system and regular systems testing are important procedural steps that help measure the effectiveness of IT security controls. From these tests, IT leaders will have a stronger gauge to determine where technology upgrades or additional staff resources are required.
One critical focal point for CIOs and CSOs should be the creation or revision of an enterprise-wide business continuity plan. Before the pandemic, Kyriba had established its BCP in anticipation of natural disasters. As part of our plan, we documented key roles and personnel to ensure all our essential systems were operational. This helped us not only prepare for situations like the pandemic but, most importantly, the BCP gave us capacity to operationalize the demand to convert our workforce from the office to work from home overnight, ensuring our clients were operational and supported.