With cybercrime on the rise, it’s critical to know what finance leaders are (and aren’t) doing to protect their organisations from digital fraud and scams. Eftsure’s new cybercrime report uncovers some vital answers, including a disconnect between the security concerns and security practices of finance leaders.
Eftsure partnered with BrandHook to survey more than 500 chief financial officers (CFOs), accounts payable managers and other finance professionals across Australia and New Zealand. The final report, The State of Cyber Fraud Defence, is packed with vital insights into cybercrime sentiments and strategies.
For starters, an overwhelming majority (90%) of respondents told us they believe cybercrime is increasing globally, a figure that’s even higher for CFOs (98%). Despite this awareness of cyber threats, we also found that large portions are skipping key anti-fraud processes and solutions.
To better understand what finance leaders’ approaches to cybercrime – and how to strengthen those approaches – let’s look at three of the biggest takeaways from the report.
A whopping 90% of finance professionals think cybercrime is increasing globally, a figure that’s even higher for CFOs (98%). And 82% say they’re worried about cyber attacks like the one that hit Latitude Financial.
These concerns soften somewhat but are still pronounced once finance leaders are asked about risks to their own organisations and functions. More than half (60%) say they’re concerned about fraud going undetected in their business, while 10% say they’re aware of one or more fraud events occurring in their organisation within the past three years. Nearly half (47%) of respondents say their payment security concerns are more pronounced this year than last year.
Despite those concerns, 60% say they’re confident in their financial controls and their ability to thwart cyber fraud attempts. However, 40% aren’t segregating duties, a critical anti-fraud control in which responsibilities and approval authority are diffused across multiple employees. Meanwhile, only 46% say they use verbal verifications (also called call-back controls) before processing payments.
Small businesses are perhaps even more vulnerable, with most relying solely on manual approvals before releasing funds. Nearly one in five say their small business isn’t using any anti-fraud controls at all.
When asked about digital fraud responsibilities inside and outside their organisation, there was no clear consensus among finance professionals.
One in four say they don’t know who is chiefly responsible for digital fraud prevention in their organisation, the most common response to the question. While CFOs were more likely to see digital fraud prevention as their responsibility, others were unclear about whether the responsibilities were shared and which roles shared them.
There isn’t just ambiguity around internal roles, though. Of those who say they experienced fraud, there is no clear single authority for reporting incidents. A large minority of respondents say they’re unsure where fraud incidents were reported, but most say that incidents were reported to their bank.
This lack of clarity could mean that official numbers of fraud and cybercrime are underreported. According to the Australian Competition and Consumer Commission (ACCC), Australian businesses lost $224 million in 2022 to business email compromise (BEC) attacks. But this figure only includes losses reported to Scamwatch, ReportCyber and the AFCX.
It’s also worth noting that, according to a report by the Australian Securities and Investments Commission (ASIC), banks only provide scam loss reimbursements in about 11% of cases.
Lastly, at least some of this ambiguity might stem from a lack of a clear cybercrime strategy. Less than half of respondents (47%) say their organisation uses an anti-fraud strategy developed with IT or security specialists.
Finance professionals are using a variety of anti-fraud strategies but fewer than half are using dedicated technology solutions – only 17% say they’re using B2B payment security software and 30% report using financial control software. While many are using some form of financial automation, it doesn’t look like large numbers are using automation to standardise or enforce key control procedures or payment security checks.
So why aren’t many organisations using these solutions as part of a larger cybercrime strategy? The most common answer was that existing controls are “sufficient” to forego a dedicated technology solution, even though the same data uncovered potential vulnerabilities in organisations’ anti-fraud procedures.
However, encouragingly, over half say they’re planning to make larger investments in anti-fraud controls and 68% are planning to upgrade their controls within the next three years.
“Especially since AI-enabled scams are gaining steam among cybercriminals, it’s a critical time for CFOs to take clearer ownership of digital fraud prevention,” says Mark Chazan, Eftsure’s Chief Executive Officer, stressing that finance leaders should be reassessing their processes, people and technology.
“It’s encouraging that finance professionals are planning to invest in anti-fraud solutions and controls in the near future, but these losses often happen when you least expect them. And a single incident can be very damaging, both financially and reputationally.
“To protect their finances right now – and ensure that future investments pay off – leaders will need to bring accounting and cybersecurity approaches closer together under a unified cyber-crime strategy. This includes more frequent staff training, regularly pressure-testing your controls, embedding the right technology and cultivating a broader security culture.”
Everything you need to know about the ClubsNSW data breach and how to protect yourself, your loved ones and your business.
All the news, tactics and scams for finance leaders to know about in April 2024.
How can you minimise insider threats without compromising culture? Find out 5 ways to do exactly that.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
