Is Risk Management Part of Your Organization’s Payment Solution?
Sep. 28, 2021
Risk is involved any time money changes hands. Accounts payable departments are constantly under attack from bad actors trying to trick them into sending money to fraudulent bank accounts. However, tight internal controls, ongoing training, and payment automation can all help reduce the risk.
Payment automation enhances AP and finance security. It’s expensive and time-consuming for companies to match the level of security and controls that a specialist firm can provide. Bad actors prey on vulnerable companies who don’t have time to maintain rigorous risk mitigation programs.
Payment automation companies such as Nvoicepay adopt well-established information security standards to invest in the development and maintenance of training programs, procedures, and automation tools. These programs and procedures are assessed by third-party audit firms to establish risk mitigation controls and regularly test their efficacy.
Reduce Likelihood; Minimize Impact
Vulnerability management aims to reduce the likelihood of a weakness being exploited. A variety of vulnerability discovery methods and tools are used to generate a consolidated, risk-ranked, and actionable remediation backlog. The risks of the vulnerabilities can be compared with the business opportunities backlog to determine the assignment and procurement of resources when considering whether to remediate vulnerabilities or enable revenue capability.
Threat hunting is actively monitoring for anomalies. Bad actors are frequently masterminding new ways to scam people out of money, so keeping up with them is crucial. It can be challenging to detect anomalies and accurately depict your organization’s threat landscape. An inventory of hunts must provide sufficient coverage across all potential attack vectors. Threat hunting algorithms must also adapt to new exploitation methods.
When a threat is detected, quick and effective incident response is critical to minimize the effect and prevent lateral movement. The following steps can help minimize the impact of a threat:
- Report the occurrence of the threat to a centralized incident response team. Hunt algorithms are ideally configured to send real-time notifications of anomalies indicating potential compromise. Employees are trained to identify anomalies and to report them to an incident response team.
- Reported anomalies are triaged by an incident response manager and routed to the appropriate responder.
- An incident responder will determine root cause, identify containment procedures, and either identify a solution to prevent future exploits or report details to the vulnerability backlog.
- Centralized incident response enables a knowledge base of automation playbooks to be leveraged when addressing future incidents.
Orchestrate, Don’t Operate
Software-as-a-Service (SaaS) has revolutionized how companies solve many common business problems. Gone are the days of large, up-front capital investments to fund server rooms, software packages, and expansive IT administration teams. With the advent of SaaS, problems and processes of specific domains are compartmentalized into specialized, complete solutions. Companies can compose and orchestrate any number of SaaS offerings to automate operational aspects of the business, including payments. That allows them to stay focused on their core competency.
Security is typically a significant component of a SaaS offering. SaaS providers are incentivized to invest in security and compliance as a matter of differentiation from competitors and resilience to perpetual cyberattacks. Cybersecurity events are pervasively publicized. One mishap resulting in a breach of sensitive data can result in significant reputational damage, a loss of customers, and a loss of revenue.
If you’re making your own ACH bank payments, running a card program, or writing checks, you’re likely not using all the tools you have at your disposal today to prevent fraud and mitigate risk. You can add tools, build up your security department, and train your employees to watch for potential threats. Or, you can automate and orchestrate with a payment automation provider, enabling you to stay focused on your mission.
======
Jeremiah Bennett is the Director of Information Security at Nvoicepay, a FLEETCOR company. He has worked on a variety of secure payment solutions including ACH, check, virtual payment card, and international payments. Additionally, Jeremiah has worked with third-party auditors to obtain compliance attestation reports for PCI, SOC 1, SOC 2, and SOX.