Protect your business from fraud

With yet another devastating cyber attack making headlines recently, managing security is top-of-mind for many business owners – and it’s not just about computer security.

With the Australian Cyber Security Centre reporting that there were 14,804 cyber security incidents affecting Australian businesses between July 2015 and June 2016, the security of all business services and the protection of sensitive information should be paramount for all SME owners in order to reduce the risk of cyber crime and fraudulent activities.

Here we talk to a cyber security and privacy expert about the importance of business security and ways you can keep all your sensitive information secure.

Michael McKinnon, an expert at leading Australian cyber security consulting practice Sense of Security, says while controlling access to business information is key, there’s also the need to classify that data.

“Businesses need to identify and understand what critical information they’re holding – they need to think laterally about how and why that data might appeal to an attacker – and take appropriate measures to treat all data according to the risk that holding it represents,” he says.

“And protecting confidential information doesn’t just mean keeping it private; there’s also the need in business to ensure the data cannot be tampered with by unauthorised parties.

“In terms of practical steps that businesses need to address, managing staff credentials is important as well as having password policies in place that govern how complex passwords need to be and how often they may need to be changed.”

He says awareness is central to avoiding the risk of fraud.

“Businesses need to be aware of any financial processes where obvious fraud can occur such as supplier payment systems, expense claims, payroll, discount vouchers, coupons and refund payments,” he says.

“More complex and less obvious examples can involve modifying stock levels in a database, or writing inventory off as damaged, but then selling it to second-hand buyers.

“Any assets that the business is in possession of that isn’t part of an asset register but that could be cashed-in quickly are at risk.”

Restricting access can reduce risk

Ensuring that only relevant staff members are approved to access company credit cards and accounts, fuels cards for the refuelling of fleet vehicles and internal databases, can reduce the risk of fraudulent activities.

Some fuel cards offer extra security in additional features that can track fuel usage and have a vehicle-specific PIN. They can also offer dedicated customer service for stolen cards.

McKinnon says keeping antivirus software up to date on office and employee computers, laptops and mobile devices should be part of a broader strategy.

“Using antivirus software can be helpful at detecting malicious software and apps, but it forms only one part of what should be a much larger strategy for protection,” he says.

“Keeping all office and employee computers and mobile devices up to date with the latest security updates, and running the latest operating system versions that have been patched against known vulnerabilities is critical.

“In the recent WannaCry ransomware outbreak, for example, the devices mostly affected were Windows 7 computers that had not been updated in the preceding two months. ‘Patch management’ – the process that businesses should be employing to manage how they’re updating their computers – should be treated as a default requirement of every IT department.”

Keep it safe

The Federal Government’s Stay Smart Online initiative offers the following checklist to assist in business security and fraud prevention.

* Create cryptic passwords to ensure the online safety of your business.

* Regularly back up all your business information including accounting files, invoicing and quoting systems, letters and emails, information and resources, and even your website files.

* Stay vigilant and up to date with news on the latest scams and threats.

* Know who has access to your business information and make sure employees have their own logins and passwords. By limiting access on a need-to-know basis, you reduce the risk of an ‘insider’ accidentally or maliciously releasing confidential information.

* Ensure you have anti-virus software that is automatically updated, and don’t trust wi-fi networks you don’t control.

* When it comes to mobile phones, keep them locked when not in use in case of loss or theft. Also try to limit the business information stored on them, including email.