Payment Security Webinar Series: Taking Responsibility and Taking Inventory

Announcer  00:26

Okay, well welcome everyone to today’s webinar titled, Taking Responsibility and Taking Inventory, the first in a series of webinars on payment security. This is Brian from Strategic Treasurer. And we’re pleased you could join us as we examine treasurers’ general responsibilities for payment security, as well as their particular responsibility to inventory all payment flows. But before I introduce today’s speaker, I have just a few quick announcements. Zoom offers several different ways for us to interact today. If you would like to post comments or questions viewable by all attendees, please use the chat icon in the toolbar. If you would like to ask your question to just the presenter, please use the q&a icon in the toolbar. You can ask your questions at any time during the presentation, and we’ll try to get to as many as we can. But if we don’t get to your question, someone from our team will gladly follow up with you. There will also be a few polling questions throughout today’s webinar, where you’ll be able to select your response from a list of multiple choices, you will need to click the submit button on the polling questions to have your response recorded. And last, please ensure that your resume display name includes both your first and last name, so we’ll know to whom we should send the credits. Our speaker for today is Craig Jeffery, Founder and Managing Partner of Strategic Treasurer. Welcome, Craig. And I’ll now turn the presentation over to you.

Craig Jeffery  02:00

Thanks so much, Brian. Welcome, everyone. Good day. Glad you could join us for this express webinar. It’s it’s 30 minutes of high paced information. So thanks for joining us wherever you are in the world. But let’s go over our topics for today. Today’s agenda, we have a limited list of items, we’re going to spend a little bit of time on the fraud situation, what are criminals using to compromise your systems, your data to steal money from your organization? So we’re gonna look at that the criminal playbook and some of the fraud trends that are existing, not everything’s gloomy. Some things are very, very dark, some things are bad, some things seem to be moderating a little bit. So it is, it is bleak. I won’t, I won’t. I won’t minimize that, then we’ll look at Treasury’s responsibility. We think of the treasurer as the superintendent of payments, and certainly as superintendent of payments to the superintendent of payments security. And as we’ll discuss superintendents doesn’t mean, you do everything, just like a superintendent of schools doesn’t drive the bus, teach every class or serve the meals, but they have responsibility to make sure that a function activity is carried on properly. That’ll be the second part, then we’ll move to this concept of taking inventory. What do we need to consider when we think about the inventory of where our exposures are involved. So if we look at every payment process, from start to finish, all the way from setting up a vendor to how the files and information has custody to delivering execution, all the way to reconciliation. So we’ll give you some guidance as to what companies should do to keep track of this and to manage this effectively. Now look at some practical implications about moving forward. What do you do? Have you look at this and do with just a few key takeaways at the end? So let’s let’s jump into our first part about the criminal playbook. We have some illustrations that show types of fraud across these different domains or four different levels. So what criminals like to do, they’d love to take the money directly, if they can steal money, they gain access to your system, they can send money and control when money is sent out of your organization to accounts that they control. That’s what they’re going to do this system level fraud or system or y axis is the optimal win for them. They don’t have to fool you or convince you they can do it at the time in the method of a manner that they deem fit. And this is becoming a bigger issue and will be a bigger issue over the next couple of years. That I think I want everyone to pay closer attention to the second category your efforts use to get them into to send money. You may hear these as CEO fraud, business email compromised, spoofing, fraud, social engineering. This is a way to trick the human element to trick your staff, or to trick you into sending money. And they are, they’ve gotten so much better at this over time. It’s really surprising how much fraud still occurs there, despite the fact that we haven’t seen it go on for over a decade. From the early days, you probably remember getting emails about this Nigerian prince or somebody who had died, or was about to die, and they’re gonna send you money, do you have an account strong enough to receive it, it was written very poorly, like they typed it with their elbows, and it wasn’t convincing at all, that’s definitely no longer the case. They use the same language, they may even have access to some of the emails. And they use that to convince companies to send money. The third way is stealing corporate data and selling it. So this is accessing data. You’ve seen this in the news, data breaches occur, whether it’s card information, personally identifiable information or corporate information. This is what occurs. And this occurs by itself. But it also occurs in conjunction with ransomware, where they’ll steal some data, and they’ll lock up your other data. And if you don’t, if you don’t pay them, they will start dumping that information on the web and embarrassing your company further. So the other the last one here is locking up your data for ransom. This is using the encryption tools that help protect our data. They use the same type of algorithms, but if someone locks up all your data, you can’t access it. That can be a problem. And they’ve gotten much better at also encrypting or making it so your backups are also locked up or unusable. So we think about the criminal playbook. These are some of the core methods of stealing from you stealing directly fooling you into sending money, taking data, or locking it up and ransoming that data. So that brings us to our first poll question. We don’t have many poll questions. This is select all that apply. So in the last 12 months, our organization has experienced the following fraud attempts or losses. And check all the ones that you’ve seen seen here. So its attempts or losses. This is obviously good information to see just to who’s on and what what have you been experiencing what’s what’s going on with the organization. After you select all of those that apply, click Submit. And then that information will be compiled, we the the word type in the chat box today is going to be Express. And I’ll go easy if we have 50 people type the word Express or express webinar, we will go ahead and send out the results of these poll questions to everyone. And we’ve always been able to get enough to type it in there. But I see a good group of people typing the word Express I haven’t seen one person, person type the word P.O.L. So it’s Express. We’re getting some in the q&a box, some indirect messages, but we see them coming through it’s it’s really good. This is helpful for Brian to be able to count to 50 and let us know if all those things have come through. Alright, so let’s look and see what has been the experience with fraud for today’s audience group. So quite a few answers. Number one, business email compromise. Yeah, this is this is really been an issue over multiple years. And given the fact how much training and awareness we have on that it just shows their, their ability to do it. I’ll call it a good job. Social engineering, which is, you know, in many ways very similar to business email compromise. In some ways, it’s exactly the same. But it’s just the broader thing of phone, email or text that comes in at number two at 41%. check fraud and forgery. While still still attempts at a 40%. The scanning through anything else ransomware seems to Bill diminished here at 14%. Vendor fraud a happy happy way of yanking funds out of organization, and one in nine companies saw internal or employee fraud. So pretty interesting. I know some people are typing their answers in the in the chat box. If something wasn’t working, so sorry if something wasn’t working there in the poll. diversion, lots of lots of good items here. One in six little bit, maybe maybe one in six between one six and one and seven no known attempts or losses. I guess the only thing I say to that is every company has had attempts for social engineering, email compromised with the trying to send it just you may not have seen it that it’s been blocked. When we look at the backend screening for all of those types of items, there’s dozens per day that come in, and we’re not a very large company. So hopefully your IT group is also blocking those before they get to to your desk, but it’s relentless, and it’s automated. Well, let’s continue what’s happened to ransomware? Over the years, most of these fraud things are like, it’s good to be scared, right? We always say how bad fraud is, continues and grows, it doesn’t let up. And that’s true, because it’s more automated. And they’re sophisticated. They have large payouts, they can afford to keep investing in business as it were. But one of the things it’s interesting, too, when you look at the number of ransomware complaints, the FBI dropped down significantly to the into 2022, from 2021. And this, we believe, was largely due to some of the enforcement, the legal and all police are all criminal investigations, shutting down one of the largest ransomware groups in the world, that made a huge impact. That didn’t necessarily mean that everyone was doing a better job at preventing it. But when you lock down the biggest company are the criminal organization that did this, that has had a significant impact. But ransomware payouts, as you see that continue to go up over the years, you can go back to when they first started, they were around 10,000, they quickly grew to 80, 90, 100,000. They’ve continued to extend and grow. So significant, significant progress on the enforcement or law enforcement side, not as much enforcement on the business side, but certainly some progress. And so it’s we just don’t want people to be complacent but a it’s it’s gone down because they just took out a big buyer. There are others they’re working on, they’re going to continue to use this in their criminal playbook. But what’s Treasury’s responsibility treasurer is the superintendent of payments, that means they’re responsible for payments in this in this way, on every payment, transits of bank banking relationship, Treasury is the owner of cash. They’re the owner, the relationships and access to capital. And so they’re the superintendent payments, they certainly have to support, what IP does what payroll does, and make that work. And so the subsidiary function is the superintendent of payments security, they don’t have to install the firewall, or update the patches to the system, or run all the payments, but they need to be Superintendent of payments, security, making sure that every process is inventory, it’s protected, it’s looked at, and the different parties are pulled together, it’s certainly involves Information Technology, Information Security, the chief information security officer would be a key part of that. But there’s banking structures, banking services, there’s internal services that need to be done. So when we look at Treasury responsible for relationship management, financial risk management, liquidity risk management, and liquidity management, as well as superintendent of payments, those are some of the core responsibilities of treasury that you’re quite familiar with. And so what does it include, and there’s just an image in the bottom that might be multiple API areas, including a are a role, different admin systems, and so forth. So this is the areas of concern. Now let’s look at our next poll question. It’s a double stacked poll question, we’ve got multiple choice in both of these questions. Two, and three, which are labeled one and two, in this particular window are showing up and we have, what security controls are in place that you have, and go ahead and select all of those. And then down below, for those who have employee training. So if you have employee training on security, go ahead and select the content that’s included if if something if you don’t have security training, but not applicable on them. So we’re looking for things beyond just regular desktop hygiene, so. So while that’s coming up, Brian informs me that we need another little another 12 Express typed into the chat box to ensure that you’re interested in getting the data. So you just see another squalicum will be will be all good from from different new people, and everyone gets it. This is your commitment to community. And Brian, when that’s ready, we’ll pop that up.  I guess it’s a pretty involved set of questions here. Okay, some really good stuff that thanks, everybody for taking the bold questions, I find it interesting. They get this immediate feedback. And it looks like maybe at least 50 people are interested too, I should have said 100. But I was trying to be nice thinking I would just be gone in a second, but I see how it is. So with this is this is really interesting. So account and payment validation, two thirds, use that type of control, everything else below the 50%. Mark, I will be interested to see how this changes over time, like in Europe, that’s becoming more standard with banks, right that there’s Account Validation activity. Really interesting. So 42%, for fraud response plan, great general employee with training. And testing is 42%. Payment specific training, if you look at number two, and number three, there is we have 36%. With payments specific employee training, this is good news, because most of the training as you know, 64%, right does not have it’s not have the testing or real, real specific on payments. But if you look at the third option, we got a few more payments specific training without the testing. And so therefore, we’re looking at this is definitely improvement over time and a payment assessments within the past year 30%. This is this really makes me happy and pleased. But think of that as well. 70% of companies have not done a payment assessment on inventory in the past year. And we’re looking at a group here who’s really quite tight on security interested in. Yeah, for those with employee training, phishing. Yep, that’s a big it thing is this email compromised 61%. So to over the 50%, Mark, vendor fraud, payment diversion, how to respond how to maintain a safe and controlled workspace ransomware specifically and securing payments less than one in five. So there’s certainly room to there’s certainly room to build on more specific training on securing payments and some of these other payment methods. Really good. Really good information. Thanks for responding to this poll question. We’ll push it off to the side. I think Brian’s typing responses for some some people weren’t getting the second button or the submit button to work. But we’ll will continue. Thanks for participating that way. So this idea of taking inventory. If you don’t know you have something, how do you protect it? And that seems pretty obvious. And if I asked each of you say do you have a full inventory of all your payment processes? You can answer that in a formal or an informal way. If it’s informal, it’s like yeah, I know what they are. I’m familiar with it. We’re treasury. We’re AP, we’re IT security. And you think of a AP goes this way. arrow goes this way. I guess one of the things I’ll say about this idea of why is it valuable to take an inventory of all of the payment processes is when we do these assessments for companies, we usually find more than 50% more payment flows, and they expect it to more than 100% more and more than double. And these are organizations that are pretty diligent with tracking their payments. So I say that just by way of background, that there’s a lot of payment flows, that once companies get over a certain size they’ve done acquisitions, there’s a lot that are forgotten or not thought about. both formally and informally formally means they’re listed there’s an inventory. So what are some of the thinking points here every bank account represents a point of cost and a point of exposure. Every account can have funds removed from them every account has to be controlled with banking services, the account level transaction. Second, every payment flow is also a point of exposure and appoint a boss. So the account and the flow. Basically everywhere there’s payments from start to finish, there’s a point of exposure. Criminals, criminals may be lazy. To a point they’ll do enough work to steal phones, and they’ll exploit the weakest link. The Weakest Link has largely been the human element for compromising people in social engineering. But they’ll continue to hunt and seek and use tools to automate their processes and compromise any area they can access. It might be where files are placed on your system. The other maxim is I can’t protect, but I don’t know exists. So if you don’t have a full inventory, how are you, the superintendent of payments or the superintendent of payment security if you don’t have a full inventory? So do you have a full inventory payment flows? Is it does it take into account the beginning part of the process where AES or vendors or banks are set up? Does it include all of the handoffs and activities and controls and validation, from start to finish all the way to the bank to the clearing to the reconciliate, through to reconciliation? Is it documented? So there’s institutional knowledge and documented not just in a SAR box control, Sarbanes Oxley control process with the preventative and Detective controls identified? But identified for where, where you’re at minimum standards, you’re above it, above minimum standards, you’re at world class standards? Where you’re below? And if there’s a compensating control for that? Where is that activity very, very important to look at that, and to have an inventory. And as I mentioned earlier, you know, assessments we find, it’s oftentimes you find 50 to 100%, more payment flows, and companies previously thought they had, you spoke to a company last week, and they said, we had some problems, we were told there was essentially, I think, three payment flows. They said, we’ve already found 16, we’d like you to go up look at it. So it’s that’s what, that’s what organizations end up finding very commonly. So something to think about. So what are the areas of attention that we need to put our minds to our thoughts and work to you, we look at the first step inventory, all payment flows, find out what system it originates from, I was passing through the bank, what payment types can even fill inventory might be from your head to start out with. But you can also look at bank statements to see what payments are coming out of them, track them back the original system, account analysis statements are good one to look at. And if you talk to every area that issues payments, ask them about their payment flows, they use card here, they use a low value transfer, they use high value transfer, they use third party, make sure you have a full list and look at all the sources where you can find them. Internal Audit may have that they may not use whatever tools exist, everything from the bank to reports you have to talk into those areas. Second is assess the payment flow, we think about assessing the payment flow. You start at the beginning, you go to the end. And look at each area. That’s a great way to do that. Whether you do that with yourself, or you have an internal audit help you if you use a consulting firm, to help go through that. You look at the payment system. How are a US vendor setup? What is the access? Like? How are those managed? How is that reported? When you think about the payment instructions, when there’s a payment instructional file that’s made? How is that generated? Where is that written to? Who has access to that? Or what IDs have access to that? Where is it stored? Is it encrypted? Is it hashed? How has it moved? If someone gains access to that directory, how is that access? Recorded? Is it something you have to go look for? Is it something that’s triggered and says someone has access to this directory where we store payment information, great things to look at. And you can go through the whole process of stepping through the controls validation steps, whether it’s done on a manual basis, or whether it’s more automated. But looking at where the payment file goes, where does it go? Is it on your network? Is that downloaded to the local directory to the desktop? Is that then sent with your file transfer system? Managed File Transfer system is loaded into a bank portal by user. Is that file edited as part of the process? Because there’s some problem with it, someone’s editing a file and dumping it into the bank portal. And this is not an issue of your employees that are involved in this are dishonest. That’s not really the question at all. It’s if someone gained access to any of those credentials, could they one person working well alter items and have those those transactions send money to the accounts that those were changed that they have, which they have access to work to get those funds over the country? And then finally in the reconciliation process, reconciliation process we have to think about what’s the timing our automated reconciliation On, how long will it take to detect a problem? Now we’re trying to do preventative controls so that nothing escapes or goes out of the gun. But there’s also an aspect of, if something leaves your company, that does not necessarily mean that all is lost, the faster you can attack something, the quicker you can shut down the exposure point. And the more rapidly the more likely are rather, to be able to freeze those funds before they’ve left the banking system or like the EU or the US or whatever country banking system you’re in, and they’ve sent it to a location that you can’t pull those funds to speed matters. So fast automated reconciliation can help in that. And then finally, you know, almost finding the third payments and context of banking structure, when you’re looking at how do you locate items and you see them see flows of payments, go through your banking structure. What are the limits there? What are the approval elements that exist? Does it require two people three people? Are there limits are the limits placed on groups? It so standardizing what those limits are and using the controls and the services the banks offer, is one of the most helpful things for your protection environment. banks offer these services at the account level or the transaction level or both. These are not giant moneymakers. For the banks, we’re not even really big moneymakers for the banks, but they help protect their customers. So listen to your bankers, when they bring up the different set of security controls and services that they offer. Those tend to be very much commercially reasonable procedures, it would not be appropriate to avoid using those, especially if you think Well, so long as I reconcile the banks on the hook for every single problem. This is not this is not commercially reasonable. It’s not a standard good corporate conduct. Your banks are telling this to you for your good. And it’s much easier to have a discussion about those payments services, then how you can’t have the bank can pull back money that you basically allowed to be sent somewhere. That was unauthorized. So definitely listen to them. Other people saw it. Humans have been compromised most heavily in payment processes. So there’s a there’s an educational component there to make sure that the level of understanding goes up training content should be not just general fraud, and not just payment, security issues and attacks, though it should include those. But it should include how payment processes work and in issues because that will give them more guidance as to what is happening. Where that can be compromised. There should be trained testing, training, frequency and training testing have grown dramatically in the banking side, the corporate side, they’re not caught up to where the bankers are, but most are training. And most are testing at least annually. And more frequently and more kind of continual testing is occurring. And so you know, everyone has responsibility for payments and payments security. So really, just as we as we wrap up, what are the takeaways understand the process, criminals look for the weakest link. Treasury is the superintendent of payments. So own it, own it, get other people involved, you’re not the only one that’s part of it, you have to involve others, if you’re an AP, make sure you’re involved in the treasury, there’s the chief information security officers, everybody needs to be involved in that should be talking about it, and should be fixing it. But Treasury Treasury is the superintendent of payments and needs to take, take the lead on that to make sure they’re protected. And when you think about the standards, your standards for security, for check for low value payments for high value payments, for the payment process for approvals for limits, you need to set those standards. But you also have to realize that those change over time, what’s commercially reasonable what was appropriate five years ago, is probably below standards today. So make sure you’re reviewing those and updating those to stay at or above the minimum. And then finally, take us back to the very beginning is having a full inventory of your payment processes is a vital and crucial start. And when you look at what do we need to do to fix things, and to make things better? Calibrate that list, prioritize it so that you have here’s what we have to do for compensating controls. Here’s what you need to do. Add those more specifically. We have materials. There’s a payment security and fraud prevention ebook, which you can certainly pull up. We thank you for your time today. Brian has a few more items to cover. Again, thanks for your attention. And Brian, back to you.

Announcer  29:51

Thank you, Craig, and thank you everyone for joining us today. The CTP credits, today’s webinar slides, and a recording of today’s webinar will be sent to you within five business days. And be sure to download the payment security and fraud prevention ebook that Craig mentioned by clicking the link in the chat box. Thank you and we hope you have a good rest of the day.