Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
Gone are the days when privacy considerations were solely the purview of legal or compliance departments. These days, privacy is a core business priority. Your board, clients, employees, commercial partners and other stakeholders all expect comprehensive safeguards to protect Personally Identifiable Information (PII). That’s why it’s no exaggeration to say that nowadays privacy is everybody’s business.
It’s a message that’s starting to resonate with CFOs too. Financially motivated data breaches are occurring with alarming frequency. As a CFO, you have a critical role to play in ensuring your organisation maintains appropriately stringent privacy protections to reduce the risk that confidential financial records are compromised.
Consulting firm Protiviti recently surveyed more than 1,000 finance leaders, including CFOs, vice presidents of finance, and a broad range of finance directors and managers, as part of its 2020 Global Finance Trends Survey. Representing a broad cross-section of public and privately held companies, respondents were asked to identify their top finance priorities for the year ahead.
‘Security and Privacy of Data’ ranked the highest, with 81% of Australian respondents listing it as among their major priorities.
Concerns about privacy have escalated among CFOs since COVID-19 reshaped the way many organisations operate, with many staff transitioning to Work from Home (WFH) arrangements. This is to be expected given that PII may be more prone to compromise in circumstances where accounting department staff may be accessing the company network using their own devices, or via home Wi-Fi routers that are not sufficiently secure. Furthermore, in the home context, many staff may become lax with regards to following company policies and procedures around handling, storing or transmitting data.
Following the introduction of WFH arrangements, 86% of CFO respondents reported that their concerns around privacy had escalated, to a moderate or significant extent.
There is a range of privacy considerations for CFOs. Because finance and accounting departments are entrusted with large volumes of valuable data, they are prime targets for any financially motivated threat actor.
As an example, your Vendor Master File not only contains valuable information about all your suppliers. It also contains their banking details. On their own, banking details may not be particularly valuable for a fraudster. However, bank account information is useful data for any scammer seeking to engage in identity theft.
Typically, PII means personal data that can be used to identify an individual. This may lead some CFOs to conclude that supplier banking information is not covered by the 13 Privacy Principles of the Australian Privacy Act. However, this would be a mistake.
Consider the following:
Your Vendor Master File contains hundreds of entries for suppliers you have paid for many different types of products or services over the years. Some of those suppliers may have business names that identify the individual owner of the business. This is often the case with sole traders or smaller companies, e.g., John Citizen owns a company named John Citizen Pty Ltd.
Alternatively, many companies are owned by Family Trusts. If your supplier has invoices being paid directly into an account that is held by their Family Trust, this too can be used to identify the owner of the business.
That’s why many CFOs now treat all data in their environment in alignment with the stringent requirements mandated by the Australian Privacy Principles, irrespective of whether that data directly relates to an individual or an organisation.
The 13 Australian Privacy Principles (APPs) are the cornerstone of the privacy protection framework in the Australian Privacy Act.
The Act covers Australian Government agencies, as well as organisations with annual revenues in excess of $3 million. It also covers some additional organisations, irrespective of their revenue, such as those in the health sector, credit reporting bodies, or those contracted to provide services to the Australian Government.
The APPs govern standards, rights and obligations around:
Under Chapter 10 of the APPs, an organisation has an obligation to take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete.
That’s easier said than done for any CFO managing a Vendor Master File containing hundreds of supplier entries. With supplier details, including banking information, changing regularly, ensuring the data is always accurate, up-to-date and complete can be an administrative nightmare.
eftsure can help your organisation achieve, demonstrate and maintain compliance with the APPs, particularly as they pertain to your Chapter 10 obligations.
Chapter 10 specifies that there are two distinct points in the information handling cycle when you need to ensure the quality of your data:
eftsure helps you at both of these stages.
When you first collect new supplier data, we cross-check it against our database of nearly 2 million Australian organisations. This helps verify that the supplier’s information is correct. Where the data is found to be incomplete or inaccurate, we take further verification steps.
When the supplier data is used to process an EFT payment, the eftsure platform performs a further real-time verification to ensure the data remains accurate and has not been tampered with in the meantime.
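To make the two checkpoints concrete, here is an added illustration (not eftsure’s code, and not a description of its platform) of how a finance team could implement the same two-stage control in-house: a new supplier record is cross-checked against a reference register at collection time, and the verified payee details are sealed so that any later change to the bank account in the Vendor Master File blocks the payment until the supplier is re-verified. The reference register, the ABNs and the sealing key are all constructed sample values.

```python
"""Two-stage supplier bank-detail verification (added illustration).

Stage 1 (collection): cross-check a new supplier record against a reference
register; incomplete or non-matching records are held for manual follow-up.
Stage 2 (use): before an EFT is released, confirm the payee details still
match what was verified at onboarding, so a later edit of the Vendor Master
File (e.g. a changed bank account) blocks the payment instead of paying out.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for an external organisation register (ABN -> legal name).
# Not a real lookup service; a production control would query a live register.
REFERENCE_REGISTER = {
    "51824753556": "JOHN CITIZEN PTY LTD",
    "53004085616": "ACME SUPPLIES PTY LTD",
}

# Hypothetical key used to seal verified records. In practice it would be held
# in a key-management service, not in source code.
SEAL_KEY = b"demo-seal-key-not-for-production"


@dataclass
class Supplier:
    abn: str
    name: str
    bsb: str
    account: str
    seal: str = ""  # HMAC over the verified payee details, set at onboarding


def _fingerprint(abn: str, bsb: str, account: str) -> str:
    """Keyed digest of the payee details; changing any field changes the seal."""
    msg = f"{abn}|{bsb}|{account}".encode()
    return hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()


def verify_on_collection(s: Supplier) -> tuple[str, str]:
    """Stage 1. Returns (status, reason); 'verified' also seals the record."""
    if not (s.abn.isdigit() and len(s.abn) == 11):
        return "hold", "ABN missing or malformed"
    if not (s.bsb.isdigit() and len(s.bsb) == 6 and s.account.isdigit()):
        return "hold", "bank details incomplete"
    registered = REFERENCE_REGISTER.get(s.abn)
    if registered is None:
        return "hold", "ABN not found in reference register"
    if registered != s.name.strip().upper():
        return "hold", f"name mismatch: register says {registered!r}"
    s.seal = _fingerprint(s.abn, s.bsb, s.account)
    return "verified", "matches reference register"


def verify_before_payment(s: Supplier) -> tuple[str, str]:
    """Stage 2. Re-check at EFT time; any drift from the sealed details blocks payment."""
    if not s.seal:
        return "block", "supplier was never verified"
    expected = _fingerprint(s.abn, s.bsb, s.account)
    if not hmac.compare_digest(s.seal, expected):
        return "block", "payee details changed since verification; re-verify supplier"
    return "release", "details unchanged since verification"


if __name__ == "__main__":
    supplier = Supplier("51824753556", "John Citizen Pty Ltd", "062000", "12345678")
    print(verify_on_collection(supplier))   # ('verified', ...)
    print(verify_before_payment(supplier))  # ('release', ...)
    supplier.account = "99999999"           # simulated unauthorised master-file edit
    print(verify_before_payment(supplier))  # ('block', ...)
```

The point of the seal is that the Vendor Master File itself is not trusted at payment time: whoever can edit a bank account in the master file should not also be able to silently make that edit "verified", so the release decision depends on a record that only the verification step can produce.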
We understand that maintaining compliance with the APPs requires ongoing vigilance. Our secure vendor onboarding and management capabilities help you navigate the challenge of maintaining data hygiene when handling large numbers of suppliers.
Contact eftsure for further information about our platform and how it can help your organisation achieve, demonstrate and maintain compliance with the Australian Privacy Act.