Don’t Neglect Physical Security Controls

Niek Dekker

In a world of cloud computing and web applications, we often assume that any compromise of supplier data will occur following a digital attack. But is the anonymous hacker, sitting in the dark with a hoodie over his head, really the most likely source of fraud?

All too often, data breaches and fraud occur because of lax physical security.

Getting your physical security right is a critical internal control that every CFO and Accounts Payable manager needs to focus on.

In this blog, we will focus on some of the key considerations for ensuring your Accounts Payable function has appropriate physical security in place to mitigate the risk of supplier data manipulation and fraud.

Physical Security of Accounts Payable Offices

The first line of defence for any Accounts Payable department is the physical perimeter around your premises.

It is critical to ensure that unauthorised individuals do not have access to your office areas, particularly at times when they are unattended. As a CFO or Accounts Payable manager, you have oversight of a department that is the custodian of highly sensitive information, including supplier banking data. Any breach that results in a compromise of this information could result in serious fraud, with long-term financial and reputational consequences for your organisation.

That’s why ensuring the security of your department’s physical perimeter is critical. You need to know precisely who is accessing your premises at all times.

As a rule, Accounts Payable offices should only be accessed by staff members. Access for any other visitors, including contractors, should be restricted unless they receive permission by an authorised manager.

Ensuring only approved individuals have physical access to your Accounts Payable offices may seem straightforward, yet many organisations fail at this simple control. In many cases, all it takes is to ensure only those possessing a key or swipe card can gain entry. More risk-averse departments may also require some form of biometric access. Whatever control you select, make sure you have a system in place for keeping track of who is granted access, and a mechanism for cancelling access privileges whenever an employee leaves your department.

Physical Security of Accounts Payable Equipment

Once you have secured access to your physical premises, you also need to consider access to equipment.

Often, the greatest risk comes from unauthorised access to computers, laptops and mobile devices. Simple steps, like ensuring computer screens are not visible to passers-by, can help ensure sensitive information remains confidential.

Accounts Payable staff should receive ongoing awareness training in what they can do to secure the devices they work on. For example, staff should always lock their screens every time they step away from the device, even momentarily. Laptops and mobile devices should either be locked to a desk with a locking cable, or securely stored in drawers or filing cabinets when not in use.

Additionally, you also need to restrict unauthorised physical access to servers, which should be locked away in a dedicated server room. Even the cables that connect your IT infrastructure need to be secured. Criminals have been known to tamper with cables to access sensitive data.

Physical Security of Off-Premises Equipment

It’s one thing to secure your Accounts Payable equipment whilst it’s in the office. However, with so many staff working remotely, you also need policies in place to secure your equipment whilst it’s off-premises.

Accounts Payable staff need awareness of the risks that may inadvertently arise whilst using company equipment at home. If other members of their households use their laptops or mobile devices, they may unknowingly gain access to sensitive corporate data. Even with no malicious intent, they may run software or connect to insecure networks that compromise the device. That’s why work equipment should never be used by anyone other than the authorised Accounts Payable employee.

With many staff also working in public spaces, such as coffee shops, extra caution must be taken. Not only are there concerns about the security of public Wi-Fi networks, but leaving laptops or mobile devices unattended, even for a moment, may give a thief an opportunity to steal the device, gaining access to your sensitive data.

Implementing a Clear Desk and Clear Screen Policy

Ensuring unauthorised individuals cannot physically access confidential supplier data must be a key priority for all CFOs and Accounts Payable managers.

That’s why it’s essential to implement a Clear Desk and Clear Screen policy.

By ensuring all members of your Accounts Payable team follow these steps, you will help mitigate your organisation’s risk of malicious actors gaining access to confidential supplier data.


  1. Ensure computers/devices are NEVER unlocked whilst unattended, even momentarily.
  2. The screen lock should automatically activate following three minutes of inactivity on the computer/device.
  3. All computers/devices must be password protected for reactivation.
  4. All Accounts Payable staff must shut down their computers/devices at the end of the working day.
  5. All paper documents and electronic storage devices (such as USB sticks) must be stored in locked filing cabinets or drawers when not in use.
  6. Keys for accessing filing cabinets or drawers containing paper documents and electronic storage devices must not be left unattended.
  7. At the end of each day, all Accounts Payable staff will ensure that no paper documents or electronic storage devices are left on desks.
  8. All supplier data must be collected from printers immediately after printing.
  9. Electronic files containing supplier data will always be stored on the organisation’s servers, with access via shared folders, rather than stored on individual computers/devices.
  10. Ensure unauthorised individuals, including visitors to the premises, do not have visibility over computer/device screens.
  11. Physical access to server rooms and Accounts Payable office areas shall remain restricted to authorised individuals only, particularly during out-of-office-hours periods when these spaces are not in use.
  12. Mobile devices, such as laptops, tablets and mobile phones, that have access to corporate emails or files containing supplier data, must never be left unattended. Such devices must be physically locked to a desk using a locking cable, or stored away in a locked filing cabinet or drawer whenever unattended.
  13. Password security is critical. Passwords must not be written down anywhere that can be accessed by any third parties.

Ensuring all members of your Accounts Payable team follow this Clear Desk and Clear Screen policy will help prevent unauthorised physical access to confidential supplier data, thereby mitigating your organisation’s risk of data manipulation and fraud.
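The access-tracking and revocation mechanism described in the section on office security, together with policy item 11 on out-of-hours access, can be checked rather than merely documented. The script below is an added example, not code from this article or from eftsure: it reconciles a badge-access register against the HR roster and flags three things a CFO or Accounts Payable manager would want to see each month: badges still active for leavers, contractor badges into restricted areas with no approving manager recorded, and granted entries to the AP office or server room at weekends or outside office hours. The CSV layouts, field names, the 07:00–19:00 business-hours window and every record are constructed assumptions, not any access-control product's real export format.

```python
"""Reconcile a physical access register against the HR roster and flag
out-of-hours entries to Accounts Payable areas.

Added example: the CSV layouts and field names are assumptions, not a
real access-control system's export. All sample records are constructed.
"""
import csv
import io
from datetime import datetime, time

# Constructed HR roster: who currently works in AP and who has left.
HR_ROSTER = """\
employee_id,name,department,status
E100,Ana Costa,Accounts Payable,active
E101,Ben Reid,Accounts Payable,active
E102,Chloe Ng,Accounts Payable,left
E200,Dev Patel,IT,active
"""

# Constructed access register: what each badge opens and who approved it.
ACCESS_REGISTER = """\
badge_id,holder_id,holder_type,area,approved_by,active
B1,E100,staff,AP_OFFICE,,yes
B2,E101,staff,AP_OFFICE,,yes
B3,E102,staff,AP_OFFICE,,yes
B4,E200,staff,SERVER_ROOM,,yes
B5,C900,contractor,AP_OFFICE,,yes
B6,C901,contractor,SERVER_ROOM,E200,yes
"""

# Constructed door-controller log (ISO timestamps, local time).
ACCESS_EVENTS = """\
timestamp,badge_id,area,result
2024-05-06T08:55:00,B1,AP_OFFICE,granted
2024-05-06T22:40:00,B3,AP_OFFICE,granted
2024-05-11T10:15:00,B5,AP_OFFICE,granted
2024-05-07T12:00:00,B6,SERVER_ROOM,granted
"""

RESTRICTED_AREAS = {"AP_OFFICE", "SERVER_ROOM"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed office hours


def load(csv_text):
    """Parse one of the constructed CSV exports into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def stale_access(roster, register):
    """Staff badges still active for holders HR no longer lists as active."""
    active_ids = {r["employee_id"] for r in roster if r["status"] == "active"}
    return [b["badge_id"] for b in register
            if b["active"] == "yes" and b["holder_type"] == "staff"
            and b["holder_id"] not in active_ids]


def unapproved_non_staff(register):
    """Contractor/visitor badges into restricted areas with no approving manager."""
    return [b["badge_id"] for b in register
            if b["active"] == "yes" and b["holder_type"] != "staff"
            and b["area"] in RESTRICTED_AREAS and not b["approved_by"]]


def out_of_hours_entries(events):
    """Granted entries to restricted areas at weekends or outside office hours."""
    flagged = []
    for e in events:
        ts = datetime.fromisoformat(e["timestamp"])
        after_hours = not (BUSINESS_START <= ts.time() < BUSINESS_END)
        weekend = ts.weekday() >= 5  # Saturday = 5, Sunday = 6
        if (e["result"] == "granted" and e["area"] in RESTRICTED_AREAS
                and (after_hours or weekend)):
            flagged.append((e["badge_id"], e["timestamp"]))
    return flagged


def audit(roster_csv=HR_ROSTER, register_csv=ACCESS_REGISTER,
          events_csv=ACCESS_EVENTS):
    """Run all three checks and return the findings keyed by check name."""
    roster, register, events = load(roster_csv), load(register_csv), load(events_csv)
    return {
        "stale_access": stale_access(roster, register),
        "unapproved_non_staff": unapproved_non_staff(register),
        "out_of_hours": out_of_hours_entries(events),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items or 'none'}")
```

On the constructed data the three checks reinforce each other: badge B3 belongs to a leaver whose access was never cancelled, and the same badge appears entering the AP office at 22:40, which is exactly the combination of lax revocation and unattended premises the article warns about. Feeding the script real exports from the badge system and HR means replacing the three CSV strings; the check logic is independent of where the rows come from.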

Of course, in a digital world, physical controls are just one component in preventing attempts to manipulate supplier data. For a comprehensive technology solution to secure your supplier payments, contact eftsure: get.eftsure.com.au
