Keeping your company’s accounts payable efficient — and secure
Digitization and automation are making AP systems more flexible and easier to use. Companies need to weigh the security risks to protect their customers, partners and internal organization from cyber crime.
Accounts payable (AP) and accounts receivable (AR) systems are becoming increasingly digitized to create faster, more accurate and reliable transactions and records while also enabling cloud-based and remote workflows. Digitization brings flexibility and convenience to many AP processes — but it also adds complexity, which makes those processes more vulnerable to cyber crime.
As companies of all sizes seek competitive advantage in AP automation, there is a greater need for them to understand the associated cyber security risks and address potential gaps in their defenses. This often means more investment in security controls, but technology is just the start. Employees are also critical to AP security.
“The increase in remote work has only added to the universe of potential AP vulnerabilities.”
No company can eradicate the cyber security risk to AP systems. But effective processes, controls and triggers that automatically alert employees to potential breaches can prevent or mitigate many attempted crimes. Human error and the evolving criminal tactics will continue to present challenges, but the combination of educated employees, strong processes and effective use of automation can provide extensive protection for AP systems and data.
Common threats to AP systems
AP cyber security begins with understanding how criminals exploit system vulnerabilities and which processes pose the most risk. Here are some of the most common areas of concern.
One of the most established cyber crime methods is business email compromise (BEC). It can involve a variety of tactics aimed at manipulating or rerouting invoices.
For example, a cyber criminal might compromise a vendor’s email account, gaining access to invoices, and then change important bank information. The AP department may then unwittingly direct payment to the criminals’ account. Or thieves might gain access to an executive’s email account, mimic that person’s communication style and use their account to submit fake invoices without setting off alerts.
Criminals often take time to study their targets to make their BEC attempts more convincing. Once they have compromised a company email account, they may study how the owner communicates and what topics arise often in their exchanges with vendors or customers. Such tactics, which are known as “social engineering,” can make fake communications seem more normal and unexceptional — and therefore easier for AP personnel to miss.
Linkage points with weak security features
Many of the functions in a company’s purchasing and AP systems might be separate from each other. But to facilitate the transfer of data, at some point they need to be linked to communicate with other systems and provide complete workflows.
For instance, invoicing systems may be connected to accounting software and perhaps to payment processors, and enterprise resource planning (ERP) systems may be linked to treasury platforms. Each node in this digital network provides cyber criminals with opportunity to breach the security perimeter and hack into multiple systems.
The more connected a program is, the more data it will collect from other programs or vendors. Data, particularly personally identifiable information, is another attractive target for cyber crime, since it can be used to create false identities or harvested for use in other criminal activities.
Third parties in a company’s supply chain — or even fourth-parties, which are not directly linked to the AP system — compound threats to connection points. Even if an organization’s AP security is robust, criminals may exploit weaknesses in primary or secondary connections to gain access to the organization through a trusted channel.
AP functionality is becoming more reliant on distributed cloud systems. The security of cloud servers is generally robust, but not infallible. Moreover, companies need to take steps to make sure their AP systems are safely connecting to the cloud, and also make sure employees are not introducing vulnerabilities through improper configuration of cloud controls.
AP personnel, like other critical workers, can perform their tasks from almost anywhere. But many lack safety controls on their remote or personal devices — or even a secure internet connection. In many companies, decision-makers have no clear view of the security protocols in their employees’ homes.
“Securing payments depends on educated employees who embrace their role in overall company defense.”
How to protect the entire AP network
While every organization will have distinct needs based on its system specifics, company culture and work processes, here are some guidelines for maintaining security in these critical functions:
- Make sure the basics are implemented. AP system processes can benefit from multifactor authentication, strong access management tools and data storage procedures.
- Review all processes. Companies should review their protocols for verifying invoices and payment requests, with particular attention given to requested changes to account numbers, even if those requests come from the accounts of established vendors.
- Deploy data analytics. Automated scans can help AP systems detect anomalous payments and set alerts when payment thresholds are crossed. Software with machine-learning capabilities can detect discrepancies over time and flag questionable transactions.
- Protect data outside the security perimeter. As more employees work outside the company firewall, businesses should take extra steps to guard their data. That means making sure employees use safe password practices, such as not sharing passwords, as well as updating work logins and never using public, unsecured networks.
- Continually review tools for detecting unusual activity. Cyber criminals may spend months within one system after breaching it, siphoning off small amounts from AP accounts over time to avoid detection. The more complex a company’s AP system is, the greater the need for investing in strong network monitoring tools and continually reviewing them.
- Manage third-and-fourth party risk. Companies can include quality controls, cyber best practices and compliance standards into their vendor contracts — and can require that key vendors review their cyber security processes regularly.
AP employees also should regularly review and update the vendor management list. Companies also should maintain communication protocols so that vendors can be alerted as soon as a security issue arises.
- Enlist employees. Securing payments depends on educated employees who prioritize cyber security and embrace their role in overall company defense. It is incumbent on relevant AP employees — not just security experts — to understand how a company’s devices, networks, and technology connect and how those linkages could be vulnerable to a security breach.
For that reason, companies should provide formal training to key employees, testing them with sample suspicious emails and making it clear when responses should escalate and how management and partner organizations should be alerted.
In addition, members of the AP team should be included in any discussions about security issues. Whenever possible, it’s also important to keep the controls of AP systems only in the hands of those who need them.