Keeping your company’s accounts payable efficient — and secure
Digitization and automation are making AP systems more flexible and easier to use. Companies need to weigh the security risks to protect their customers, partners and internal organization from cyber crime.
Accounts payable (AP) and accounts receivable (AR) systems are becoming increasingly digitized to create faster, more accurate and reliable transactions and records while also enabling cloud-based and remote workflows. Digitization brings flexibility and convenience to many AP processes — but it also adds complexity, which makes those processes more vulnerable to cyber crime.
As companies of all sizes seek competitive advantage in AP automation, there is a greater need for them to understand the associated cyber security risks and address potential gaps in their defenses. This often means more investment in security controls, but technology is just the start. Employees are also critical to AP security.
“The increase in remote work has only added to the universe of potential AP vulnerabilities.”
No company can eradicate the cyber security risk to AP systems. But effective processes, controls and triggers that automatically alert employees to potential breaches can prevent or mitigate many attempted crimes. Human error and the evolving criminal tactics will continue to present challenges, but the combination of educated employees, strong processes and effective use of automation can provide extensive protection for AP systems and data.
Common threats to AP systems
AP cyber security begins with understanding how criminals exploit system vulnerabilities and which processes pose the most risk. Here are some of the most common areas of concern.
“Securing payments depends on educated employees who embrace their role in overall company defense.”
How to protect the entire AP network
While every organization will have distinct needs based on its system specifics, company culture and work processes, here are some guidelines for maintaining security in these critical functions:
- Make sure the basics are implemented. AP system processes can benefit from multifactor authentication, strong access management tools and data storage procedures.
- Review all processes. Companies should review their protocols for verifying invoices and payment requests, with particular attention given to requested changes to account numbers, even if those requests come from the accounts of established vendors.
- Deploy data analytics. Automated scans can help AP systems detect anomalous payments and set alerts when payment thresholds are crossed. Software with machine-learning capabilities can detect discrepancies over time and flag questionable transactions.
- Protect data outside the security perimeter. As more employees work outside the company firewall, businesses should take extra steps to guard their data. That means making sure employees use safe password practices, such as not sharing passwords, as well as updating work logins and never using public, unsecured networks.
- Continually review tools for detecting unusual activity. Cyber criminals may spend months within one system after breaching it, siphoning off small amounts from AP accounts over time to avoid detection. The more complex a company’s AP system is, the greater the need for investing in strong network monitoring tools and continually reviewing them.
- Manage third-and-fourth party risk. Companies can include quality controls, cyber best practices and compliance standards into their vendor contracts — and can require that key vendors review their cyber security processes regularly.
AP employees also should regularly review and update the vendor management list. Companies also should maintain communication protocols so that vendors can be alerted as soon as a security issue arises.
- Enlist employees. Securing payments depends on educated employees who prioritize cyber security and embrace their role in overall company defense. It is incumbent on relevant AP employees — not just security experts — to understand how a company’s devices, networks, and technology connect and how those linkages could be vulnerable to a security breach.
For that reason, companies should provide formal training to key employees, testing them with sample suspicious emails and making it clear when responses should escalate and how management and partner organizations should be alerted.
In addition, members of the AP team should be included in any discussions about security issues. Whenever possible, it’s also important to keep the controls of AP systems only in the hands of those who need them.