securing the business of payments: stepping up protection against cyber threats


Upload: cit-group

Post on 16-Apr-2017



© 2016 CIT Group Inc. CIT and the CIT logo are registered service marks of CIT Group Inc.

Securing the Business of Payments: Stepping Up Protection Against Cyber Threats

For more articles like this, visit:

cit.com/knowledgecenter

While electronic payments have simplified business in many quarters, the technology has also bred new opportunities for crime. Security experts are uncovering new threats at a rapid clip. Email scams posing as legitimate requests are increasingly sophisticated. Meanwhile, at the traditional end of the banking spectrum, checks are still highly susceptible targets in a world where anyone can snap a picture with a mobile phone to deposit funds into an account.

Within small and mid-sized firms, staff may have limited resources to manage threats, leaving many organizations potentially more vulnerable to cyber-related attacks. But with proper awareness, preparation and a plan for decisive action in the event of a breach in payment protocols, companies of any size can mitigate their exposure and reduce the impact of such assaults.

“Companies tend not to think about these threats, especially when they’ve got one person running the show,” says Greg Wintroath, Managing Director of CIT Treasury Management. “But this should be part of their DNA. This is part of the survival of the company.”

Risks within cash management

Within a company’s cash management and payment systems there are a number of specific activities that can be targets for cyber criminals. On the account management side, checking and interest-bearing accounts, image archiving and even electronic statements might carry risk. There are deposit-related services such as the processing of electronic payments. In addition, bill pay procedures, company credit cards and disbursements all generate digital trails that can expose businesses to threats.

That was the highest amount of fraud since 2009 and topped the figure for 2014, which stood at 62 percent.

A majority of the survey respondents called mobile payments a key concern. Notably, the survey found that

“It is tempting to think that the problem is too daunting to track, let alone attack. According to a 2016 survey by the Association for Finance Professionals (AFP), nearly three-quarters of U.S. companies had experienced an episode of fraud related to payments in 2015.”

Growing volumes of business payments are “digital-only.” From retailers to large manufacturers, organizations of nearly every stripe process and track income and expenditures through virtual transactions. There are now tens of billions of electronic payments each year, allowing companies to capture the benefits of automation.


checks were the most commonly targeted payment method, followed by wire transfers. In the meantime, card chip-and-PIN systems currently being rolled out en masse were seen as the most effective method of battling fraud, according to the survey.

While stories about major breaches are the ones that tend to drive headlines, hits on smaller organizations may actually be more widespread and are proportionally more damaging. According to the AFP survey, in 2015 organizations with fewer payment accounts were more susceptible to fraud than organizations with at least $1 billion in revenue and more than 100 payment accounts.

“There’s always an opportunity to implement some level of fraud prevention control on an account,” Wintroath says. “And all too often, what businesses—middle market-sized business, even some large corporate businesses—think is, ‘All I need to do is protect my payroll account, my general account.’ That’s where the big balancers are and that’s where the big transactions are.”

Wintroath notes that fraud is rampant and that small companies are often going to be the most vulnerable and susceptible to those kinds of invasions. “The big challenge for smaller companies is their ability to protect their assets, to control their networks and to control digital information,” he says.

Vigilance against sophisticated attacks

A hacking attack into payment procedures is a nightmare scenario for any business. By taking over accounts, a cyber criminal can order virtual transfers and literally erase cash from a company’s accounts. Criminals are savvy enough to create email addresses and other correspondence mirroring legitimate communications that can convince employees to divulge passwords and other information that can lead to fraudulent transactions.

So prevalent is the scourge of “phishing” that the government is working to track the threat. The FBI reported in 2015—with figures from January to August of that year—that there had been a 270 percent increase in identified victims and loss because of business email compromise (BEC) scams.

Whether the attacks come in the form of malicious emails or other means, there are a number of steps companies can take in order to ensure that they are aware of these threats:

Take an inventory of the company’s threat profile. That can start by assessing any threats over the past year, looking at the frequency of any instances of cyber crime, and determining whether the attacks amounted to trends or isolated events. That type of information can help an IT manager, a CFO, or a CEO plan a course of action.

Establish clear divisions of duties for payments. It’s a good idea to have precise guidelines for each step of the process—for the employee(s) responsible for inputting each payment, for workers responsible for reviewing what has been entered into the system, and for final approval of each payment. Some online banking products require reviews by multiple individuals before transactions are approved. Though this may be a challenge for businesses with limited staff, it’s critical that they seek training or hire trained employees in order to understand the threats that are out there and the sophistication of those threats.

Understand financial institutions’ fraud policies. In the event of a breach, it’s imperative for clients to know who’s responsible for recovering the funds. For instance, there may be a time limit or other stipulations for contacting the institution, so it’s critical for clients to know how they are protected in the event of a fraudulent payment claim.

Boost protections within infrastructure. Systems administrators can tighten security to minimize the risk of a security breach. Web browsers can be programmed to specific settings to complement anti-virus software, for example. Teams can set devices to receive regular, automated updates of security patches. Wireless connections can be configured using WPA2 (Wi-Fi Protected Access) security along with AES (Advanced Encryption Standard) encryption to offer an additional layer of security.


Conversations around these steps and other security matters should begin when a company engages with a bank, and continue throughout the relationship, says Laura Mason, Director, Treasury Management. “It’s always part of the initial conversation. When we first meet with clients, we ask them, ‘What are you doing about fraud prevention? Have you experienced any fraud?’ We ask them to take us through their internal controls,” Mason says.

Leave nothing to chance

The pace of cyber threats is showing no signs of easing. As of April 2016, there had already been more than 225 breaches for the year as reported by the Identity Theft Resource Center. That amounted to more than 6.2 million exposed records, according to the group, which combs through Attorney General offices and other sources to compile the list.

While fraud protection may require additional investment in some cases, Wintroath says the climate of cyber threats is a powerful motivator. Whereas attitudes about the potential for cyber crime were more skeptical in the past, the possibility of taking a financial hit is driving many companies to assess their capabilities. Banks need to do their part to ensure that payments get processed with minimal disruption and the highest security standards regardless of the size of the client and how they use the account, Wintroath says.

“A bank should be able to provide a high level of fraud prevention regardless of the size of a company or the frequency of its transactions. Whether your business has 100 accounts, 25 accounts, 3 accounts, or 1 account, there is a level of fraud prevention that can be and should be established for every one of those accounts,” Wintroath says.