27 May Security Risks of Remote Accounts Payable
It was mid-March when everything changed. In a matter of days, organizations went from wondering how serious this virus was going to get to facing stay-at-home orders.
Overnight, working remotely became “a thing.” Essential industries were allowed to keep operating, but everyone else had to stay home. In 2020, fortunately, many could stay home and still work.
Working remotely has been less easy for accounts payable. Even companies with a high degree of automation still have some paper coming in. Others are less automated. And checks, according to a 2019 AFP study, still account for more than 40 percent of supplier payments.
AP departments have scrambled to figure out how to manage it. Some work remotely while someone has had to deal with the incoming paper invoices and outgoing checks. Meanwhile, as most workers have been operating from bedrooms, living rooms, home offices and basements, IT has been having nightmares. Security is a huge challenge. With computers now outside of firewalls and private networks, the vulnerabilities have increased exponentially.
Accounts payable has focused on its mission, as have workers operating remotely in other departments. With all the disruption, getting the core mission accomplished has taken the energy and attention. But given that AP handles sensitive information all the time, many AP managers have recognized they face new risks. Whether they or IT have had time to adequately address them is another matter.
Borrowing an illustration from Robert Kang, an adjunct professor of cyber-risk management at Loyola Law School, cited in Billboard.com, imagine a castle, protected by moat and wall. While everyone is inside, there’s security. But suppose most everyone moves outside the wall beyond the moat, to individual outposts and cottages, and those are connected by tunnels to the inside of the castle. Suddenly the opportunities to breach security are everywhere.
Malicious parties are working overtime, seizing on the disruption.
Staffs must be diligent in following company policy and good computing practices to protect company, supplier, employee and personal information. We’ve heard most of the ideas before:
- Use good password practice—change your passwords; do not use the same password for multiple logins and accounts; and do not share passwords.
- Update all work logins as per instruction from IT. Do it.
- Whenever possible, employ multi-factor authentication (MFA). Most people are accustomed to MFA as consumers, as when in addition to a password, a code received via email or text must also be entered to access a personal account. It is time to apply MFA to access company networks, systems and databases as well.
- Update the security password on your home wireless router, especially if you never changed it from the original default! This may be especially critical for those working in denser urban areas but should be done by everyone. Some recommend updating the wireless router password every quarter.
- Be alert. Look out for email scams, and avoid links and downloads that come from unknown sources. Look closely at email addresses to ensure they’re legitimate.
- Beware pretexting—emails that appear to be from company managers or executives, asking for certain actions to be taken or information supplied. If you’ve never gotten an email from the CFO asking you to rush a payment before, check it out by calling the CFO before following through on the request!
AP must safeguard sensitive information, including financial information, personal information, proprietary business documents and organization secrets.
Ideally, remote staff are able to work from home on company computers rather than personal computers. And ideally companies have a virtual private network (VPN) through which remote staff access company files and systems. (Note, however, that installing a company VPN on employees’ personal computers is not recommended, according to security professional Morey Haber, writing in Forbes in January 2020. Because personal computers typically lack many of the protections that are part of company computers, VPN installation is highly risky. It provides that tunnel from an “outpost” in behind the castle walls.)
Employees should not use public, unsecured networks. Oh, and they should turn off their computer every night. Less time online is less time subject to breach attempts, and it also can clear some attacks before they fully embed.
Of course all these things should have been done from the start, and if your IT team or just your smart selves have done so, good for you. But if the scramble to achieve the core mission has prevented thoughts of anything else until now, better late than never.