Businesses that are big on financial controls stand the best chance of combating digital fraud, according to a guide released by security expert Eftsure.
But this would not be an easy task, according to chief executive Mark Chazan, since cyber criminals were becoming increasingly sophisticated with technology and did not “fight fair”.
“Scammers only need to be successful once, whether that’s getting an employee to click on a malicious link or impersonating a trusted contact,” he said.
“Conversely, organisations need to be successful at stopping these attempts every time – or else they could face serious financial, legal and reputational damage.”
Mr Chazan, whose firm oversees the security of $180 billion worth of payments annually, said the best form of defence would be adopting strong, updated controls through a “multifaceted approach”.
“One part of that approach should be strengthening internal controls and ensuring that digital fraud prevention is built into finance processes,” he said.
Eftsure’s recently released guide, How to write financial controls for effective fraud prevention, outlines best practices for developing and implementing financial controls.
Businesses needed to do more than have controls in place – they should stay on the offensive by using strong, updated controls to keep digital fraud at bay, the guide said.
Controls should be aimed at safeguarding financial assets, ensuring data integrity and preventing unauthorised transactions. They could be preventative, detective, or corrective.
An example of a preventative control would be segregating duties and responsibilities between multiple employees, as it created a system of checks and balances to reduce the risk of fraudulent activities.
Detective controls included data analytics and audits to evaluate a business’s controls and risk management strategies, while corrective controls included incident reporting, disciplinary measures, and software patches to identify and address issues.
The guide said a key decision for businesses was whether to use manual controls or automation.
While automated controls could save time and minimise human error, not all controls would be suitable for automation. Humans would be better equipped to oversee corrective controls, such as the implementation of new policies, which often required contextual reasoning.
Other controls, such as pre-approving actions and transactions, could feature a mix of automation and manual work.
“Automation can help enforce and streamline approval workflows, even though a human employee is ultimately making the decisions,” the guide said.
“The key to having effective financial controls is to integrate various components and implement a combination of manual and automated controls that align with the organisation’s requirements.”
Controls, once determined, should be communicated to employees so that implementation would be collaborative and not a unilateral process. The guide warned that if controls were ignored or inadequate, organisations might face financial losses, reputational damage, and legal ramifications.
“High-profile attacks like those on Optus, Medibank, Latitude Financial and Coles illustrate that cyber criminals are constantly looking for ways to squeeze ill-gotten money out of organisations,” the guide said.
According to the ACCC, businesses lost over $23 million due to cyber attacks in 2022, a 73 per cent increase from 2021.
“By staying proactive and responsive to changes, organisations can adapt their controls to evolving risks and strengthen their overall control framework,” the guide said.