It seems we hear about a significant data breach every week in the news, followed by calls for companies to beef up their cyber security. Doing this properly requires an investment of money, time and resources, but you can get a head start by making these five simple changes to your procedures and training your employees to follow them. They cost nothing to implement, but they might just save your reputation.
01 Verifying bank account changes
If you are setting up a new vendor for payment, or changing an existing vendor’s bank details, do not assume the bank details on the invoice or other documentation are correct. Verify them by calling your contact at the vendor on a phone number you already hold for them, or on the number published on the vendor’s own website. Never use the phone number on the invoice, attachment or email that delivered the change: if the request is fraudulent, that number belongs to the scammer, and they will happily “confirm” the new details for you.
02 Set a business process for payments
For new vendors or a change in bank details, set a policy and process that limits your exposure. For example, you may decide that amounts of $200 or less are paid without further checks, whereas for any amount greater than $200 you pay the first $200 and then, several days later, phone the vendor on a number you already hold to confirm they received it. Only once they confirm receipt do you transfer the balance. The amounts are illustrative; choose a threshold that matches what you can afford to lose to a single fraudulent payment.
03 Set terms and conditions with your clients
What do you do if your client has paid your invoice to a maliciously altered bank account?
Maybe they or you have had a cyber incident, and someone has altered the bank account details sent to your client. They have trustingly paid the invoice using the bank details printed on it. Have they paid, or is the amount still outstanding? To reduce the need for legal intervention, include a condition in your agreement that the client must verify any new or changed bank details with you, over a channel they already know, before making a payment. If you would like an example of the condition Martarna uses, contact Peter Stulcbauer at Martarna.
04 Zero trust, always verify
No matter who emails or phones you with a financial request, even if it is someone more senior than you or an important client, do not act on trust alone. Politely advise them that you need to verify the request and will get back to them. For example, the business owner calls and urgently asks you to make a transfer: take down the details, say you will review the request and call back, and then call back on the number you already hold for that person, not the number they called from or the number in their email. If you do not have a known number, look it up from an independent source. Never act on an email that asks you to transfer money; always confirm the sender’s identity and the request by phone first.
For this to work, management must be on board: avoid making urgent requests for the transfer of funds, and accept that employees must take the time to verify requests, even when the request genuinely comes from you.
05 Multi-factor authentication & Strong passwords
Multi-factor authentication (MFA), commonly referred to as two-factor authentication or 2FA, should be switched on for every service that offers it, starting with email, banking and accounting systems, since those are the accounts fraudsters take over in order to intercept and alter invoices. Research has found that 2FA reduces the likelihood of an account being compromised by about 90%. Where a service offers a choice, prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted or redirected through a SIM swap.
Passwords must be long, strong, and unique for every account you access. The best way to manage them is with a password manager: then you only need to remember one master password, and the password manager generates and fills in the rest. Use a business-class password manager rather than one designed for personal use. A business-class product adds the controls an organisation needs, such as shared vaults for team credentials, administrator visibility of weak or reused passwords, and the ability to revoke access when an employee leaves.