
Prioritise The Quick Wins When Investing in Security

Niek Dekker

When it comes to prioritising your payment security investments, it pays to start by focusing on quick wins that address the threats your organisation is most likely to face.

In this blog, we will explore the key issues a modern CFO needs to consider when it comes to uplifting their organisation’s payment security posture, and how to prioritise those investments that provide rapid, measurable security improvements.

Align your payment security strategy with your business goals

Payments security must be a top priority for all finance executives.

We live in an interconnected world, in which digital payments are an integral part of doing business. However, there are significant risks that can arise from neglecting to implement best-practice security measures around your payments. Not only is there the risk of losing significant amounts of money, you may also face legal repercussions, business disruption and long-term harm to your organisation’s reputation.

The risk is particularly acute around electronic funds transfers, or EFT, payments.

When processing an EFT payment, Australian banks do not have the ability to match the Account Name with either the BSB or Account Number. This inability to match the data is a significant verification gap that opens the way for cyber-criminals to infiltrate IT systems, manipulate payment data and defraud your organisation.

And unlike a credit card transaction, which may be reversible, once you process an incorrect EFT payment, it’s almost impossible to retrieve the funds.

That’s why it is critical to prioritise the right security investments to help ensure you’re always processing EFT payments to the correct recipient and the correct bank account.

Top 8 repercussions of fraudulent EFT payments

  1. Substantial legal costs when attempting to identify, track down and take action against cyber-criminals to recover lost funds.
  2. Cost of engaging outside experts to analyse how the fraud was conducted.
  3. Onerous compliance requirements, including reporting data breaches to impacted third parties and regulators.
  4. Potential legal action from legitimate suppliers who did not receive payment that was owed to them.
  5. Business disruption, as systems may need to be shut down for protracted periods whilst the cyber incident is investigated.
  6. Decrease in output as employees and resources are dedicated to addressing the ramifications of the fraud.
  7. Reputational damage, which can harm relations with suppliers, impact market share and decrease the overall value of the business if it is broadly perceived to be insecure.
  8. Fraudulent payments can undermine shareholder confidence in the management team, resulting in executives being replaced.

Adopting a risk-based approach

When assessing approaches to uplift the security around your EFT payments, it increasingly makes sense to adopt a risk-based approach that analyses:

  1. The most significant threats.
  2. The likelihood your organisation will face such threats.
  3. The severity of the impact such threats are likely to have on your organisation.


A risk-based approach makes common sense. After all, every organisation has limited resources. You need to prioritise your initiatives in ways that provide the best return on investment in terms of security uplift.

By following a risk-based approach, you avoid the trap of trying to do too much with too little. You avoid spreading your security investments too thinly, which can result in inadequate spending on preventing the most critical threats and leave your organisation exposed on multiple fronts.

According to McKinsey and Co., a risk-based approach helps protect your organisation’s assets at less expense and in ways that improve productivity.

How to calculate risk

Many risk analysts calculate risk using the following formula:

Risk = the impact of a potential incident × the probability of that incident occurring

When it comes to assessing EFT payment risks, some potential incidents may have a high impact, but very low probability of occurring. For example, your bank could suffer a devastating denial of service attack, taking it offline for an extended period. This would have a high impact on your organisation’s ability to process EFT payments, but the probability of this happening is likely to be quite low – and in any event, there’s nothing you could do to prevent it.

By contrast, the probability of facing a Business Email Compromise (BEC) attack is likely to be quite high, given that the Australian Cyber Security Centre (ACSC) reported over 4,600 BEC incidents in the 2020-2021 financial year. It therefore makes sense to focus your risk mitigation investments in defending against a BEC attack.

It is also important to consider the cost of preventing an incident against the potential costs of experiencing that incident.

As outlined above, there are many potential repercussions and costs associated with experiencing an EFT fraud event. At a minimum, the ACSC reports the average cost of a successful BEC attack to now stand at $50,600. This figure just represents the direct cost and doesn’t include all the associated costs, such as legal expenses, business disruption and reputational damage.

Taking into consideration all these associated costs, it becomes clear that the cost of mitigating the risk of EFT payment fraud is likely to be significantly less than the cost of the fraud itself. It therefore makes sense to prioritise your security spending around mitigating EFT payment fraud.
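To make the formula and the prevention-cost comparison concrete, here is an added Python illustration (not from the post or from Eftsure) that scores a set of constructed scenarios with impact × probability, drops those no purchasable control can prevent (like the bank outage above), and keeps only the controls that cost less than the expected loss they avoid. The $50,600 impact for BEC is the ACSC average quoted above; every probability, mitigation cost and the other scenarios are assumptions made for the example.

```python
"""Risk-based prioritisation of payment-security controls (added example).

Implements the post's 'Risk = Impact x Probability' formula and its advice to
weigh the cost of preventing an incident against the cost of experiencing it.
Only the $50,600 BEC figure comes from the text (ACSC average); all other
numbers are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    impact: float            # expected direct loss per incident, AUD
    probability: float       # chance of at least one incident per year (0..1)
    mitigation_cost: float   # annual cost of the control addressing it, AUD
    preventable: bool = True  # False if no control you can buy would stop it

    def risk(self) -> float:
        """The post's formula: impact x probability (expected annual loss)."""
        return self.impact * self.probability

    def net_benefit(self) -> float:
        """Expected loss avoided by the control, minus what the control costs."""
        return self.risk() - self.mitigation_cost


def prioritise(scenarios):
    """Preventable scenarios whose control is cheaper than the expected loss,
    ordered highest risk first (the 'quick wins' come out on top)."""
    worth_it = [s for s in scenarios if s.preventable and s.net_benefit() > 0]
    return sorted(worth_it, key=lambda s: s.risk(), reverse=True)


# Constructed scenarios: probabilities and mitigation costs are assumptions.
SCENARIOS = [
    Scenario("BEC / supplier invoice fraud", 50_600, 0.60, 12_000),
    Scenario("Bank outage from denial of service", 500_000, 0.01, 0, preventable=False),
    Scenario("Internal payment-data tampering", 80_000, 0.10, 5_000),
    Scenario("Lost laptop with payment files", 5_000, 0.30, 1_000),
]

if __name__ == "__main__":
    for s in prioritise(SCENARIOS):
        print(f"{s.name:38} risk={s.risk():>9,.0f}  net benefit={s.net_benefit():>9,.0f}")
```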

Time is of the essence

Given the magnitude of the many security threats currently facing Australian organisations, it makes sense to focus on those initiatives that provide quick wins.

We know that few attack vectors are as prevalent in Australia as BEC. It therefore makes sense to address this threat as a top priority, especially as most organisations remain vulnerable due to an over-reliance on manual controls that are susceptible to being circumvented by sophisticated fraudsters.

Through the adoption of technical solutions that mitigate the risk of fraud, organisations can quickly uplift the resiliency of payment security, whilst reducing the over-reliance on manual controls.

For CFOs and finance executives, investing in technical payment security initiatives also makes sense, as it is a domain they understand well and they will be able to see first-hand the tangible benefits such investments provide.

How can Eftsure help?

When it comes to implementing technologies that strengthen your resilience around EFT payments, Eftsure is uniquely placed to deliver the security uplift you need.

Our solution addresses the verification gap that exists in the Australian banking system by verifying EFT payments in real-time against our database comprising over 2.5 million organisations, including over 80% of actively trading Australian companies. When processing an EFT payment, you gain confidence that other organisations have successfully used the same banking information to pay the same supplier.

This significantly reduces your exposure to a range of both internal and external fraud events, drives greater efficiencies in your accounting processes and makes you less reliant on vulnerable manual security controls.

Book in for a no-obligation demo today and see the full range of benefits Eftsure can deliver your organisation.
