05 Feb Risky Business: Vendor Data via Email
How do you collect your vendors’ W-9 information? What about bank information for ACH payments?
Here is an instruction one organization includes on its ACH Enrollment Form, the form that asks the vendor for bank account information: “Please email the completed form along with a copy of a VOIDED CHECK to: … ”
What’s wrong with this picture? Email.
Email is not a safe means of transmitting sensitive information, such as W-9s or bank account information. Why? Email is not secure. It was never meant to be. It’s one tech tool that is—in internet-age terms—ancient, having been developed in the early 1980s! Its protocols were designed when there was hardly anyone on the internet, and there was a high degree of trust among the few people that were. Despite its antiquity, email is a power app, heavily used for communication and as a convenient method to send attached documents.
Email simply was not originally designed with either privacy or security in mind. And while there are efforts to make it more secure, the way it works is not conducive to high security. But of course both the internet and email are ubiquitous, and there are armies of ne’er-do-wells seeking to exploit others through them.
What does that have to do with collecting W-9s or enrolling your vendors in ACH? Liability. Suppose they follow your instructions to email sensitive information to you. That information is vulnerable. Email can be compromised on the networks it crosses, on your recipient server or on an AP specialist’s unguarded computer.
The email process involves information passing from a vendor’s computer to their email provider, then across the network connections between their email provider and yours, and finally to your computers. Even if your staff follows careful practices to avoid forwarding mistakes, there is the chance that your email server could be hacked. And many servers store messages as plain text. So if an administrative password is stolen or there is a security flaw, an attacker can access all the emails and attachments on the server—files that may go back years.
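To see that path for a message you have already received, the added example below (not part of the original post) reads the `Received` headers each server stamps on a message and lists, in delivery order, which hops recorded TLS. It assumes the servers use the standard `with` keywords registered in RFC 3848 (ESMTPS, ESMTPSA and so on); the host names and addresses in the sample are constructed.

```python
import re
from email import message_from_string

# Constructed sample message: hosts, addresses and ids are made up.
SAMPLE = """\
Received: from mail.ap-dept.example (mail.ap-dept.example [192.0.2.10])
    by ws01.ap-dept.example with LMTP id abc3; Mon, 05 Feb 2024 10:00:05 -0500
Received: from out.vendor-isp.example (out.vendor-isp.example [198.51.100.7])
    by mail.ap-dept.example with ESMTP id abc2; Mon, 05 Feb 2024 10:00:03 -0500
Received: from vendor-pc (unknown [203.0.113.5])
    by out.vendor-isp.example with ESMTPSA id abc1; Mon, 05 Feb 2024 10:00:01 -0500
From: vendor@vendor-isp.example
To: ap@ap-dept.example
Subject: ACH enrollment form

(attachment omitted)
"""

# "from <sender> ... by <receiver> ... with <protocol>" inside one Received value.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)
# Protocol keywords that mean the hop was carried over TLS (trailing S or SA).
TLS_PROTO = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)SA?$", re.I)

def hops(raw):
    """Return hops in delivery order as (sender, receiver, protocol, tls_recorded)."""
    msg = message_from_string(raw)
    out = []
    # Each server prepends its header, so the newest hop is on top: reverse it.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            frm, by, proto = m.groups()
            proto = proto.rstrip(";").upper()
            out.append((frm, by, proto, bool(TLS_PROTO.match(proto))))
    return out

def unprotected(raw):
    """Hops whose Received header does not record TLS."""
    return [(frm, by) for frm, by, _, tls in hops(raw) if not tls]

if __name__ == "__main__":
    for frm, by, proto, tls in hops(SAMPLE):
        print(f"{frm} -> {by}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

`Received` headers are written by the servers themselves, so treat them as a record of what each hop claims rather than proof. Even a hop marked as TLS only protects the message in transit; it is still readable on every server that handled or stored it.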
There are attempts at new, secure messaging services that might replace email, but as Geoff Duncan of Digital Trends notes, email’s ubiquity and usefulness ensure it will continue to be used for a long time. Duncan adds, “For the foreseeable future, Internet users cannot expect email to be secure from prying eyes or interception. Period.”
So where does that leave an accounts payable department needing to gather sensitive data from vendors? Organizations are at risk when they rely on email to transfer sensitive information. Better to find another way.
A good option for collecting sensitive vendor data without relying on email and its vulnerable servers is to use Web forms within a secure vendor portal. If you would like to learn how VendorInfo can keep your information safe, protect your organization and streamline vendor onboarding, click here or call (678) 335-5735.