Cybercriminals Aren't Just Attacking Your Software — They're Coming for Your Employees. Level Up Your Company's Cybersecurity With These 4 Steps. The key to maximizing protection and minimizing exposure to these attacks is to combine technology with the human touch.
By Francois Lacas Edited by Maria Bailey
Our biggest sale — Get unlimited access to Entrepreneur.com at an unbeatable price. Use code SAVE50 at checkout.*
Claim Offer*Offer only available to new subscribers
Opinions expressed by Entrepreneur contributors are their own.
Here's a sobering truth: 95% of cyberattacks can be traced to human errors. The more employees you have, the greater your risk of being a cybercrime victim. We all imagine legions of hackers trying to tear through our firewalls, and yes, occasionally, some will make it through. But the much-more-common truth is that unsuspecting employees inadvertently grant those cybercriminals access to corporate systems and data, or they are influenced by these hackers to perform questionable (or even illegal) actions.
Even worse are the willful fraudulent actions of the humans sitting between the keyboard and the chair. Some employees themselves try to cheat the system by changing amounts, bank account details, or other data to benefit their personal financial situation. Then, there are other outside humans up to no good, such as when a supplier or partner sends fake or altered documents to the company, such as vendor invoices with fake bank account details or wrong amounts.
None of these occurrences are an indictment of company leaders, security practices or judgment. They just highlight that technology alone can't stop every cyberattack. The key to maximizing protection and minimizing exposure to these attacks is to combine technology with the human touch.
1. Secure data starts and ends with humans
Many cyberattacks succeed due to simple but preventable human error or improper reaction to a scam. For example, an employee might reveal usernames and passwords after clicking on a link in a phishing email. They might open an email attachment that unknowingly installs ransomware or other equally destructive malware on the corporate network. Or they might simply choose easily guessed passwords. These are just a few examples that can allow cyber thieves to attack.
To minimize human error-related risks, consider implementing the following measures to ensure your business stays well-protected.
- Strengthen employee awareness and training: Arrange periodic training on cybersecurity best practices, recognizing phishing emails, avoiding social engineering attacks, and understanding the importance of secure data handling. In 2022, around 10% of cyberattack attempts were thwarted because employees reported them, but they can only report such attempts if they recognize them.
- Build a culture of security: Make sure everyone in their role is actively protecting company assets by promoting open communication about security issues, recognizing employees who demonstrate sound security practices, and incorporating security into performance evaluations.
- Employ stricter access controls: Access controls limit who can view or change sensitive company data and systems. Applying the "principle of least privilege" access controls and educating employees on the risks of account sharing can limit unauthorized accesses and data leaks.
- Use password managers: Strong passwords are difficult to crack but challenging to remember. Password manager software can create and store difficult-to-guess passwords without users having to "write them down."
- Enable multifactor authentication (MFA): MFA adds an extra layer of security by requiring an additional verification method — such as a fingerprint or a one-time code — just in case a bad actor does snitch an employee's password.
- Implement fraud detection processes for incoming documents: These processes attempt to identify fraudulent documents (like fake invoices) on receipt before they can be processed.
2. Reduce exposure to cyberattacks and fraud with technology and automation
While lack of awareness, training, recognition and processes account for the success of most cyberattacks, you still need technology barriers to try and keep determined hackers out of your systems. Finance and accounting offices are top targets for cyberattacks and fraudsters, so the accounts payable (AP) systems are a prime target if they do get in.
In fact, 74% of companies experience attempted or actual payment fraud. Accounts payable fraud exploits AP systems and the associated data and documents with mischief like:
- Creating fake vendor accounts and fake invoices for them.
- Altering payment amounts, banking details or dates on valid invoices.
- Tampering with checks.
- Making fraudulent expense reimbursement.
Related: What Is Phishing? Here's How to Protect Against Attacks.
3. Keeping the bad guys out
Of course, you'll want your IT department to use technology to thwart unauthorized attempts to access the network and systems in the first place. Besides the venerable firewall, some trusty systems include:
- Intrusion Detection and Prevention System (IDPS) monitors network traffic for malicious activities or policy violations and can automatically take action to block or report these activities.
- Artificial Intelligence (AI) plays a significant role in cybersecurity by using machine learning algorithms to analyze volumes of data, identify patterns, and make predictions about potential threats. It can identify attack vectors and respond to cyber threats quickly and efficiently that humans can't match.
- Data Encryption ensures that only authorized parties with the correct decryption key can access a file's content, protecting sensitive data at rest (stored on devices) and in transit (across networks).
4. Protecting against fraud from the inside
Whether a cybercriminal slips through all those barriers or an unscrupulous employee is bent on committing AP fraud, various types of automation can detect and prevent the cyber attack from succeeding.
- Automated monitoring of employee activities: This can help identify suspicious behavior and potential security risks. The software tracks user activity, analyzes logs for signs of unauthorized access, and regularly audits user access rights. Of course, employees should know they are being monitored and to what extent.
- Automating the payment process end-to-end on a single platform: It takes human error (and human scruples) out of the equation, except when there's an exception. Encrypted receipt/intake of electronic invoices from suppliers, automated matching of invoices to orders, and electronic payments —all without human intervention — are examples of how automation removes the opportunity (and temptation) to commit AP fraud.
- Document-level change detection takes this protection one step further: This automated technology can detect when a sneaky cyberthief with access to the underlying systems makes unauthorized access attempts, modifications, or deletions to sensitive documents, including orders, invoices, and payment authorizations. These tools alert administrators and provide detailed audit trails of document activity, helping detect and prevent AP fraud, whether it comes from outside or inside.
- Detection of unusual data patterns: Alert AP staff to take a further look before allowing the invoice to be processed and paid. Using machine learning and AI, automated systems can compare data with historical data, flagging suspicious changes in bank details, vendor's legal name, and address as well as unusual payment amounts.
Related: How AI and Machine Learning Are Improving Fraud Detection in Fintech
It's almost impossible to protect yourself entirely against cyber theft and AP fraud, especially when most of the vulnerabilities and culpabilities are human. You must focus your security efforts on the perfect balance between state-of-the-art technology and the humans between the keyboard and the chair. Proper and continuous training can reduce the human errors that allow cyberattacks to succeed. And technology and automation can help prevent attacks from reaching people in the first place. But the right combination of the two, though, is the key to defeating would-be fraudsters.