Risk is involved any time money changes hands. Accounts payable (AP) departments are constantly under attack from bad actors trying to trick them into sending money to fraudulent bank accounts. However, tight internal controls, ongoing training, and payment automation can all help reduce the risk.

Payment automation enhances AP and finance security. It is expensive and time-consuming for companies to match the level of security and controls that a specialist firm can provide. Bad actors prey on vulnerable companies that do not have time to maintain rigorous risk mitigation programs.

Payment automation companies adopt well-established information security standards and invest in developing and maintaining training programs, procedures, and automation tools. Third-party audit firms assess these programs and procedures to establish risk mitigation controls and regularly test their efficacy.

Reduce Likelihood, Minimize Impact

Vulnerability management aims to reduce the likelihood of a weakness being exploited. A variety of vulnerability discovery methods and tools are used to generate a consolidated, risk-ranked, and actionable remediation backlog. The risk of each vulnerability can then be weighed against the business opportunities backlog when deciding how to assign or procure resources: remediate the vulnerability, or enable revenue capability.
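The consolidation step described above, as an added example that is not code from the article or from Nvoicepay: findings from two scanners are merged, duplicates (same asset and same CVE) are collapsed while recording every tool that saw them, and each item is ranked by a risk score. The scanner output format, the asset inventory, the placeholder CVE ids, and the ranking formula (CVSS base weighted up for internet exposure and payment-data handling) are all constructed assumptions.

```python
"""Consolidated, risk-ranked remediation backlog from several scanner feeds.

Added example, not code from the original article or from Nvoicepay. The
scanner output format, the assets, the CVE ids and the ranking formula are
constructed for illustration; real tools emit their own formats.
"""
from dataclasses import dataclass, field

# Constructed sample findings as two tools might report them.
# The CVE ids are placeholders, not real advisories.
SCANNER_A = [
    {"asset": "ap-portal-01", "cve": "CVE-0000-0001", "cvss": 9.8, "tool": "scanner-a"},
    {"asset": "ap-portal-01", "cve": "CVE-0000-0002", "cvss": 5.3, "tool": "scanner-a"},
    {"asset": "build-agent-03", "cve": "CVE-0000-0003", "cvss": 7.5, "tool": "scanner-a"},
]
SCANNER_B = [
    {"asset": "ap-portal-01", "cve": "CVE-0000-0001", "cvss": 9.8, "tool": "scanner-b"},  # same finding as in A
    {"asset": "payments-db-01", "cve": "CVE-0000-0004", "cvss": 7.2, "tool": "scanner-b"},
]

# Constructed asset inventory: exposure and data sensitivity feed the ranking.
ASSETS = {
    "ap-portal-01":   {"internet_facing": True,  "handles_payment_data": True},
    "payments-db-01": {"internet_facing": False, "handles_payment_data": True},
    "build-agent-03": {"internet_facing": False, "handles_payment_data": False},
}


@dataclass
class BacklogItem:
    asset: str
    cve: str
    cvss: float
    risk: float
    sources: list = field(default_factory=list)  # every tool that reported it


def risk_score(cvss, asset):
    """Assumed ranking formula: CVSS base score, weighted up by exposure and data sensitivity."""
    score = cvss
    if asset["internet_facing"]:
        score *= 1.5
    if asset["handles_payment_data"]:
        score *= 1.2
    return round(score, 2)


def build_backlog(*feeds):
    """Merge findings from several tools, drop duplicates, rank by risk (highest first)."""
    merged = {}
    for feed in feeds:
        for finding in feed:
            key = (finding["asset"], finding["cve"])
            if key not in merged:
                merged[key] = BacklogItem(
                    finding["asset"], finding["cve"], finding["cvss"],
                    risk_score(finding["cvss"], ASSETS[finding["asset"]]),
                )
            merged[key].sources.append(finding["tool"])
    return sorted(merged.values(), key=lambda item: item.risk, reverse=True)


if __name__ == "__main__":
    for item in build_backlog(SCANNER_A, SCANNER_B):
        print(f"{item.risk:6.2f}  {item.asset:16} {item.cve}  seen by {', '.join(item.sources)}")
```

The ordering is the point: the medium-severity finding on the internet-facing AP portal outranks the higher-CVSS finding on an isolated build agent, which is what "risk-ranked" rather than "severity-ranked" means in practice. Swap in your own exposure and business-impact weights; the merge-and-dedupe logic stays the same.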

Threat hunting means actively monitoring for anomalies. Bad actors are frequently masterminding new ways to scam people out of money, so keeping up with them is crucial. It can be challenging to detect anomalies and accurately depict your organization’s threat landscape. An inventory of hunts must provide sufficient coverage across all potential attack vectors, and threat hunting algorithms must adapt as new exploitation methods appear.
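One concrete hunt for the AP fraud pattern the article opens with (money sent to a fraudulent bank account), as an added example that is not code from the article or from Nvoicepay: it reads AP audit events and flags any payment issued shortly after the same vendor's bank details were changed, which is the window in which a fraudulent account change pays off. The log line format, the vendor and account identifiers, the 14-day window, and the sample events are constructed assumptions.

```python
"""Threat hunt over AP audit events: payments that follow a recent
vendor bank-account change.

Added example, not code from the original article or from Nvoicepay. The
event format, the 14-day window and the sample data are constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)  # assumed hunt window

# Constructed audit-log lines: timestamp, event kind, then key=value fields.
LOG_LINES = [
    "2024-03-01T09:12:00 bank_change vendor=V100 account=ACCT-A1",
    "2024-03-02T10:30:00 payment vendor=V100 account=ACCT-A1 amount=12500.00",
    "2024-03-03T08:00:00 payment vendor=V200 account=ACCT-B7 amount=830.00",
    "2024-03-20T11:45:00 payment vendor=V100 account=ACCT-A1 amount=4000.00",
    "2024-03-21T14:05:00 bank_change vendor=V300 account=ACCT-C9",
]


def parse_line(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, kind, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for pair in pairs:
        key, value = pair.split("=", 1)
        record[key] = value
    return record


def hunt_recent_account_change(lines, window=WINDOW):
    """Flag payments made within `window` of a bank-account change for the same vendor.

    Events are processed in time order, so only changes that happened *before*
    a payment can cause it to be flagged.
    """
    records = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    last_change = {}  # vendor id -> timestamp of its most recent bank change
    flagged = []
    for r in records:
        if r["kind"] == "bank_change":
            last_change[r["vendor"]] = r["ts"]
        elif r["kind"] == "payment":
            changed_at = last_change.get(r["vendor"])
            if changed_at is not None and r["ts"] - changed_at <= window:
                flagged.append({
                    "vendor": r["vendor"],
                    "account": r["account"],
                    "amount": float(r["amount"]),
                    "days_since_change": (r["ts"] - changed_at).days,
                })
    return flagged


if __name__ == "__main__":
    for hit in hunt_recent_account_change(LOG_LINES):
        print(f"REVIEW: vendor {hit['vendor']} paid {hit['amount']:.2f} to {hit['account']} "
              f"{hit['days_since_change']} day(s) after a bank-detail change")
```

In the sample data only the first V100 payment is flagged; the second V100 payment falls outside the window and V200 never changed its details. A hit is a prompt for the out-of-band callback to the vendor, not proof of fraud, and the window and the "any change" trigger are exactly the parameters the article says must keep adapting as scams change.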

When a threat is detected, quick and effective incident response is critical to minimize the effect and prevent lateral movement. The following steps can help minimize the impact of a threat:

  1. Report the occurrence of the threat to a centralized incident response team. Hunt algorithms are ideally configured to send real-time notifications of anomalies indicating potential compromise. Employees are trained to identify anomalies and to report them to the incident response team.
  2. Reported anomalies are triaged by an incident response manager and routed to the appropriate responder.
  3. An incident responder will determine root cause, identify containment procedures, and either identify a solution to prevent future exploits or report details to the vulnerability backlog.
  4. Centralized incident response enables a knowledgebase of automation playbooks to be leveraged when addressing future incidents.

Orchestrate, Don’t Operate

Software-as-a-Service (SaaS) has revolutionized how companies solve many common business problems. Gone are the days of large, up-front capital investments to fund server rooms, software packages, and expansive IT administration teams. With the advent of SaaS, problems and processes of specific domains are compartmentalized into specialized, complete solutions. Companies can compose and orchestrate any number of SaaS plans to automate operational aspects of the business, including payments. That allows them to stay focused on their core competency.

Security is typically a significant component of a SaaS plan. Providers are often incentivized to invest in security and compliance as a matter of differentiation from competitors and resilience to perpetual cyberattacks. Cybersecurity events are pervasively publicized. One mishap resulting in a breach of sensitive data can cause significant reputational damage, a loss of customers, and a loss of revenue.

If you’re making your own ACH bank payments, running a card program, or writing checks, you’re likely not using all the tools at your disposal to prevent fraud and mitigate risk. You can add tools, build up your security department, and train your employees to watch for potential threats, or you can orchestrate payment automation so that you stay focused on your mission.

ABOUT THE AUTHOR

Jeremiah Bennett

Jeremiah Bennett is the director of information security at Nvoicepay, a FLEETCOR company. He has worked on a variety of secure payment solutions including ACH, check, virtual payment card, and international payments. Additionally, Bennett has worked with third-party auditors to obtain compliance attestation reports for PCI, SOC 1, SOC 2, and SOX.
