It’s no secret that as the problem of payment fraud continues to get worse, organizations need to take fast — yet thoughtful — action to protect themselves from financial loss and reputational damage.
But how bad has payment fraud gotten exactly and what are the trends regarding the specific issues and solutions? Strategic Treasurer’s fourth annual “Treasury Fraud & Controls Survey Report” details exactly that.
An in-depth analysis of 100 questions asked of 275 corporate payments professionals, the report provides a necessary perspective for organizations on the issue of fraud and payment security. As companies deal with their own unique payment fraud issues, it’s easy for them to lose sight of the context of the industry-wide situation, and that’s a dangerous place to be when you’re trying to protect payments.
The ultimate challenge in the payments industry today is this: The nature of fraud is always changing. It’s an elusive threat that wears many faces as fraudsters prove themselves to be infinitely adaptable in their craft. Because of this, it’s critical for organizations to understand the scope and severity of the fraud situation they face, as well as how they stack up against their peers in terms of preparedness.
This report provides valuable insights on a wide variety of critical issues. A few stand out as holding particular importance, however, so here they are, along with guidance on how organizations can effectively evolve their fraud strategy.
The vast majority of organizations are spending about the same on treasury fraud prevention
While it’s encouraging that fraud spend levels aren’t going down, these statistics can provide a false sense of security because the plain reality is that static spending levels are simply not sufficient to provide adequate defense against the threats the industry is seeing today.
If you think about the costs of things — insurance coverage, groceries, clothes, etc. — it’s easy to recognize that those items get more expensive every year. Fraud protection is no exception. It’s simply not reasonable to budget the same amount this year and expect the same level of defense, because fraud threats are growing in both scope and severity. Fraudsters are getting more creative in their attack strategies every day, so continuing to spend the same to defend your organization ultimately equates to moving backwards in terms of preparedness.
That’s the dangerous miscalculation most organizations end up making – that “keeping up” with current threats is an appropriate level of defense. It isn’t. To really win the fight against fraud, companies need to do much more than keep up. They have to get ahead and be faster, more creative and more determined than the thieves they’re trying to thwart.
Another issue related to security spend that’s often overlooked is how security budgets are ultimately spent. It’s an issue that has a tremendous impact on the efficacy of an organization’s security strategy and yet most businesses assume that any money spent should be considered well spent. That’s another falsity. It’s entirely possible to waste a whole annual security budget on efforts that are little more than placebos that give the impression of security without providing any real protection.
Segregation of duties ranks highest in importance among all the layers of security
There’s no question that segregation of duties is a critical piece of any comprehensive security plan, reducing the risk of internal fraud threats significantly. But other initiatives, such as encryption, firewalls, the principle of least privilege, etc., are important elements as well, combining to create a powerhouse of security that protects organizations from all angles.
Organizations tend to put too much faith in a single source of protection. They need to get out of the mindset of thinking that there are certain elements of security that are more important than others because the reality is, a comprehensive fraud strategy isn’t an either/or situation. True security relies on a variety of different parts all working together in order to be effective.
A true multi-level security approach is the most secure because it protects organizations by reinforcing progressive layers of security, with each unique component adding to the next as an additional layer of security that is, in effect, greater than the sum of its parts.
Home security is a great example of this. Having walls and a door offers one level of protection against potential threats. Locks provide a second level of protection. While most homeowners stop there and are generally fine with their security, their defenses could hardly be considered robust. Install a series of security cameras and an alarm and you’ve reduced your risk even further. In medieval times you could even install a moat filled with alligators and finally rest easy knowing that you’ve really done everything you could to lock down your environment.
Security training practices are in need of enhancement
Humans are the weakest link in the entire chain of security, which is why effective, regular training has the single biggest influence on the success of a fraud protection strategy.
Business email compromise (BEC) is the perfect example of how the vulnerability of the human element can impact an organization’s risk level. Ranked by organizations as the biggest threat they encounter, with 79% reporting that they have been affected, BEC relies on inherent human fallibility to be successful.
Organizations can eliminate this weak point in their strategy by making sure to conduct frequent, comprehensive trainings. It’s not enough to educate staff in the aftermath of a fraud event or when they’ve been hired. Employees need to be prepared for the rapid evolution of the fraud threats they might encounter. As such, they should be trained annually (at the very least), with an agenda that covers elements such as how to identify suspicious activity, what good security hygiene practices entail and how to respond to an attack. Tests should also be given to gauge employees’ comfort level and proficiency with the topic, with training schedules adjusted based on the results.
Taking all of this into consideration, organizations are faced with an incredibly difficult challenge concerning fraud, and have a number of notable hurdles to overcome. Educating senior leadership on the importance of staying ahead of fraud threats can be a roadblock. Getting the appropriate levels of budget to address fraud issues is an uphill battle at best. Gathering the right expertise to manage the fraud threat is often a missing piece of the puzzle.
Thankfully, there’s no need to tackle any of this alone. Here are three pieces of advice for organizations looking to evolve their fraud strategy:
- Seek out the right guidance
To start, reach out to your payment technology vendors for guidance and assistance on developing new methodologies for handling fraud. Because of their depth and breadth of experience with both payments and technology, these vendors are uniquely qualified to help you understand the risks you face and educate you about security best practices that should be implemented.
- Know where you stand
You should also conduct a security assessment of your organization as soon as possible to identify any weak points in your security strategy (payment technology vendors may be able to help with this as well). In order to get to where you need to be, you first need to understand where you are. A security assessment is the first step in that process.
- Focus on Total Cost of Ownership
Don’t think about the initial cost of any security system you implement — total cost of ownership is really the best measure of a solution’s value. While it’s true that budgets are finite, it just doesn’t make sense to choose technology that’s half the price to purchase yet costs twice as much in the long run in terms of additional staff, inefficiencies and even possible system failures.
Fraud isn’t a new issue for organizations. Old-fashioned paper checks have been a major source of fraud since their inception and before that there’s no doubt that fraudsters had tricky ways of duping people out of the goods they used to barter with as well. It’s just an unfortunate reality that has to be dealt with as a part of doing business.
But fraud doesn’t have to be the sole focus of your business. Understand where you are today in terms of security and forge partnerships with the specialists who understand your risks and can help protect you against them. Then you can get back to the activities that grow and optimize your business.