A variety of cyber attack methods can catch SMEs off guard. According to Christopher Cam, head of credit, portfolio management at Banjo, protecting customer data should always be a top consideration.
“Creating fake invoices to skim money out to different accounts and payroll fraud is increasing. And businesses need to ask themselves, where you have people dealing with customer data – are there enough internal controls to ensure that customer data is not leaked to the dark web?” said Cam.
“They usually have a flavour of urgency to them, saying something like the CEO saying they’re stuck at a conference so they can’t talk, but asking for gift cards to be bought for an upcoming function. The messages will often say the purchaser will be reimbursed for the expense, but it never happens.
“They feel silly going to another colleague or HR to check that it’s legitimate. They just think, ‘Oh, well, it’s just buying gift cards, and the email itself seems very plausible’.”
With cyber attacks becoming increasingly elaborate, Cam outlined five tips for SMEs to help protect company funds and data:
- Find a reputable external auditor: “Appoint external fraud detection and prevention experts to conduct an audit of your business, including regular penetration testing. Not only will an external auditor be able to see if fraud is already happening, but they can also identify where it may be at risk of it occurring,” Cam said.
- Keep financial reports up to date and accurate: “Regularly reviewing accounting records and conducting random internal audits allows you to stay on top of your finances and spot either suspicious transactions, or regular payments being made to accounts where they should not be made,” Cam said.
- Introduce an anti-fraud/ethical conduct policy: “An anti-fraud policy that outlines acceptable and unacceptable behaviour is fundamental to minimising fraud. It establishes clear processes across the business for how payments are disbursed and the procedures for handling reimbursements. This policy will typically include restricted access to financial data, expense reporting and stock/inventory in order [to] make fraud detection – and the person(s) carrying it out – easier to identify,” Cam said.
- Implement strong internal controls: “While it may be common for SMEs to have just one person responsible for handling ‘the books’ and financial reporting, this is also a common formula for fraud. When the same person oversees payments and accounting, skimming or fake invoicing may go unnoticed. Assigning different duties to different employees improves oversight, as well as the likelihood of ‘irregularities’ being caught by another set of eyes,” Cam said.
- Develop an action plan: “Knowing what to do when you spot fraud is critical. It clarifies a ‘chain of command’ for reporting a suspicion of fraudulent activity and it provides a strategy for minimising further losses. If related to a cyber crime attack, an action plan should outline the steps to follow to protect other sensitive data and ensure business continuity. For directors, it should also clarify who to speak to in terms of legal and professional advice,” Cam said.