When it comes to information security, protecting our personal and financial information from fraud is usually one of the highest priorities for businesses and individuals alike.
After all, it’s no coincidence that more than half (54%) of FTSE 350 companies list the risk of cyber-attacks as their number one concern.
What’s more, for organisations that are entrusted with consumers’ personal data, a data breach could mean more than financial losses – it could mean the loss of trust between the business and their client base, trust that can be extremely difficult to regain.
Unfortunately, the truth is that there are many ways for businesses to fall victim to fraud.
Research shows that criminals increasingly rely on compromised personal and financial information to carry out their fraudulent activity, and businesses need to be aware of the ever more sophisticated tricks fraudsters use to con employees into divulging sensitive company information (such as phishing scams, supplier impersonation and data hacking).
Criminals specialising in invoice fraud, for example, will often be more aware of the details of the relationship between customer and company or company and supplier than the employee they are dealing with.
They may know when regular payments are due and for how much, and be able to convincingly talk their way around unsuspecting staff members.
To mitigate the risk of your employees falling foul of fraudulent activity, it’s important to foster a culture of security and training – and to test their knowledge on a regular basis.
Keeping awareness and confidence levels high is the most effective way to safeguard against data security threats and eliminate user errors.
Internal fraud threats
Did you know the biggest threat to your organisation’s data security can often be your own employees? Attacks targeting payment information for example, such as false invoicing or unsecured payment pages, are often specifically designed to exploit knowledge gaps in your employees’ experience and their confidence levels.
Although they seem like simple mistakes, some of the most common attacks succeed because of weak or reused passwords, phishing emails or texts, and improper internet or email use – such as clicking on unknown links or accessing unauthorised websites.
Beyond web-savvy employees and good password habits, your office space itself, particularly the documents and devices in it, is something to look at when considering how secure your organisation really is.
If your employees’ desks look cluttered, filing cabinets are left unlocked and company laptops, mobile phones or USB drives are left lying around, this points to a much bigger issue than just a messy office.
Bear in mind that once a hacker has physical possession of a sensitive document or device, it’s only a matter of time before they gain access to more.
It’s also important to monitor employee access to data in your organisation. It’s far more secure to grant access to a database of sensitive information on a “need to know” basis than to everyone in the company.
Data should also be regularly updated, cleaned and screened so information that’s no longer necessary to keep is not accessible. Additionally, employees should not be emailing themselves copies of files or spreadsheets to work on from home.
Using personal email in this way is one more unnecessary risk, and it’s important for all organisations to have a clear remote working policy. Cloud accounting software, for example, could remove the need to email files if employees want to check financials, allowing them to access their work documents on any device – be it a desktop, laptop, tablet or mobile phone – while at home.
Training to stay safe from fraud
Michael Cobb, founder and managing director of Cobweb Applications, notes that an effective training programme “has to make it clear that information security is an integral part of everyone’s job with ownership, responsibility and accountability for risk made obvious in policies and job descriptions”.
In other words, while up-to-date security software is vital, it will be of little use if your employees aren’t properly trained to use it and aren’t empowered to make their own judgment calls.
All too often, staff simply aren’t aware of their central role in maintaining data security and this can only be addressed with training and development opportunities.
It’s equally important for training to be given regularly, so technological and legislative advances are communicated to members of staff, and to keep awareness levels at their highest.
Along with more intensive data protection training, it’s advisable that all employees undertake regular awareness training in everyday internet use. It should cover the likes of phishing attacks, setting a secure password, using email and browsing the internet safely, and how to use social media responsibly.
Finally, if your business accepts card payments, you need to be aware of your responsibilities when it comes to PCI DSS compliance, and make the necessary arrangements for your finance staff to be trained on it.
As always in matters of compliance and fraud, prevention is better than the cure.