EP 31: Protecting your accounts payable function from cyberattack
About this episode
July 9, 2019
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Newman DuWors LLP, talk with guest Debra Richardson about how finance professionals should protect their company from common financial cyber fraud.
Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, cybersecurity counsel at the law firm of Newman DuWors. Visit them at cyberriskopportunities.com and newmanlaw.com.
Jake: So Kip, what are we going to talk about today?
Kip: Jake, today, we've got a special guest, and we're going to talk about how accounts payable teams need to protect what's called the vendor master file from things like fraud, cyber attacks, business email compromise. And I'm just so excited because we've got a guest to help us figure this out.
Jake: Great. So who's our guest?
Kip: Her name is Debra Richardson, and she helps accounts payable teams protect their companies against the kind of fraud that I just mentioned. She's a consultant, trainer, and public speaker. Debra, welcome to our podcast.
Debra: Thanks Kip. And thanks Jake. I'm very glad to be here.
Kip: We're happy to have you on the show. Debra, my understanding is that the vendor master file, which I've never had any experience with, by the way, I should be clear about that, but it contains information about a company's suppliers and that file and the information that's in there. That's used to make payments when suppliers submit invoices, and it's also used when purchase orders are issued. Did I get all that right?
Debra: You did. And it's usually located in accounts payable, although in some cases the purchasing or procurement team may maintain the vendor master file, but it's correct. You were correct. The information such as the vendor legal name, the ordering and remit address in order to issue that purchase order or post the invoice, as well as the banking or remit address that will be used for payment. It also includes the vendor's tax ID so that the tax filings and distribution for 1099s or 1042s can be done annually and then also filed with the IRS. And then that information is also considered personally identifiable information for the vendor. I call it vendor sensitive data, and employees need to protect it the same way that they need to protect their own personal information from cyber criminals trying to steal the vendors' identities.
Kip: Oh, that's excellent information.
Jake: Yeah. I have not, I have never heard of the vendor master file before, so that's really good to know. So the fraud angle is going to include things like supplier addresses being replaced with fake ones, fake vendor creation, exploitation of a lack of segregation of duties. And if I recall, there was an article in the news, not too long ago, about Facebook being scammed out of, I think, millions of dollars basically.
Kip: It was like a hundred million between Facebook and Google.
Debra: Yeah. Yeah, it was 123 million dollars. And fortunately for Facebook and Google, they actually got most of that back, but that's not normally the case with other companies. You don't always recover those funds that were fraudulently sent to these cyber criminals. And they do want to be set up as a vendor in your vendor master file and then they can submit fraudulent invoices for payment. More frequently, they try to get a real vendor's data to be updated such as the remit address, so they can reroute a paper check payment. That does happen. Or more frequently is the banking details. They try to get that updated to their banking details, so they can reroute that ACH or wire payments. And these are all considered payment fraud. And when you're talking about the segregation of duties, unfortunately in addition to the external fraud and threats, there's also that internal threat, which is called occupational fraud. And we've all heard of the fraud triangle, right, the need, the opportunity and also the rationalization. So we need to prevent both external fraud from cyber criminals and internal fraud from unethical employees.
Kip: This is such a timely topic for us to be addressing because, well, and we're going to talk about this a little bit later in the podcast about how rampant business email compromises are and other forms of external fraud. But I think Debra you're right to put a spotlight on the fact that even if you were somehow able to disconnect your company's computers from the internet, thereby stopping or significantly decreasing external risks you still have an internal issue that's going on. Debra, this is like I said, this is fascinating. How did you learn all this, Debra?
Debra: So it's so funny. Like most people that come to accounts payable, I actually started off, I mean, it was a wild path to it. I started off with an English degree of all things from the University of Michigan in Ann Arbor. And since I didn't want to teach, and I didn't want fries with that, I took a job with a small business and I happened to just take over the bookkeeping duties and I absolutely loved it. And so then I had to go back to school and take all the business classes that I didn't take. And I got into an MBA program, finished that. I graduated, spent 15 years in GL and financial reporting with about six years of AR sprinkled in. And then I took a controller's position which introduced me to accounts payable. And I was given an opportunity to build an AP team.
And I ended up landing at a Fortune 15 company with over at that time, 200 accounts payable team members. And so all of the functions of AP were split, and I had vendor maintenance, and I absolutely loved it. I had a 140,000 plus active vendors across seven ERPs, domestic and international. And so I had a lot of vendors to protect and many employees to train to protect them. And since I was over the vendor master file that had this sensitive data in it, the tax ID, the banking details, I was volun-told, but I loved it. I was volun-told that I would work with the information security team to implement techniques, internal controls, and best practices to protect the vendor master file.
And I just absolutely loved it. I just thrived in that position. And then one of the last projects I did was to implement a vendor self-registration portal, which implements, or which includes a lot of the internal controls and authentication and best practices that can be used to protect your vendor master file. And so once I did that, I figured I wanted to go out, and I wanted to help other companies do the same thing because there's still a very small percentage of companies that have these vendor self-registration portals. So it's important that they implement these authentication techniques, internal controls and best practices to protect their current process from cyber criminals.
Kip: Oh my gosh. You've been involved in a massive amount of experience in your area. And I can only imagine the scale that you described operating at, the kinds of things that you would need to do in order to be successful. I mean, at that scale, you can't just sort of browse through all of your vendors, right? You just can't sit there and check them all out. All your active vendors with you have over 140,000 active vendors. I mean, that's just an amazing scale to be operating at. So you clearly know what you're doing. You mentioned an acronym, and I just want to make sure everybody listening knows the acronym. You said you were working across seven different ERPs. What's an ERP?
Debra: Yes, it's an accounting system or enterprise resource planning system. And that's where all your modules, your procurement module, your purchase order, I'm sorry, your accounts payable module, your finance module, all that's in the same system. And so we had, or I've worked with some of the larger ones such as SAP, PeopleSoft, and then I've worked with a lot of smaller accounting systems such as Intacct, NetSuite, QuickBooks. So whatever the size of your company and the accounting system that you work with, I've worked with quite a few of them, and all of these internal controls, authentication techniques, and best practices can be implemented no matter which accounting system or ERP you use.
Kip: Oh, that's great to know. So your approach is really scalable. So even if you're using a large enterprise planning package or what probably looks to you like a really super cute QuickBooks implementation, right, just little cute, fuzzy QuickBooks, trying to keep somebody going. So it works. That's great. So I want to take a few moments and talk about business email compromise. Oh, before we do that, I wanted to ask you something. You had mentioned that you worked with the information security team. Was there a triggering event that caused your team to begin working with the information security team? Because I don't know that's typical.
Debra: Yeah, it wasn't. I think it wasn't at our company, but I think the fact that they were starting to see issues or events happen at other companies the same way that we hear about it today. It was starting just recently a few years ago. And so that's when we determined or it was determined that we would implement these practices.
Kip: Okay. Yeah. All right. That makes sense. So business email compromise. We've talked about that before on our show, and the amount of business email compromise that's going on right now is just running rampant. I've got a couple of statistics here. So last year the FBI announced that they were aware of almost 79,000 separate business email compromise incidents that had been reported to them just between October 2013 and May 2018. So it didn't quite cover a five year span, but it did cover over 12 billion dollars of fraud. And I like to remind myself that's just what was reported. The actual numbers are probably quite a bit higher.
Jake: Right, Kip. So now just to make sure we're on the same page before we get into this connection between the business email compromise and the vendor master file, a business email compromise is a social engineering attack where the bad guy poses as someone higher up in the company and sends an email that's basically posing as that higher up person and requests that money be transferred somewhere outside the company. That's a nutshell version of a business email compromise.
Kip: Right. Now-
Jake: Debra, let's go ahead and explain the connection between the business email compromise and the vendor master file.
Kip: Yeah. That's like the good stuff here.
Debra: Sure. So business email compromise. It's really a social engineering tactic that relies on emotional triggers to get the accounts payable help desk employees, right, who are trained to help to put their guard down and process before they can actually think through what they just did. So you've got an invoice coming in or email coming in and from a CEO, and they say they need an urgent bill paid. CEO must be important. Right. It's urgent. Right. You want to look good in front of your boss's boss's boss's boss. So-
Kip: Yeah. Getting an email from a CEO is like getting a fresh cup of coffee, right? It's a jolt.
Debra: Right. You're getting noticed. You're getting... They know who you are. You're important now. Right? So that email provides wire details, and the accounts payable employee either updates the banking information in the vendor master file, or they create a vendor and the wire is paid. And so this is where phishing awareness training is great, and it absolutely needs to be done, but it needs to be combined with authentication techniques, internal controls, and best practices to ensure that even if that employee does not catch that they've been phished or that this is a business email compromise email that the email or the wire request, whatever they're asking for, will not be processed.
And remember we are all human. There will be days where your employees will not be a hundred percent. No one can be a hundred percent, a hundred percent of the time, so implement these authentication techniques, internal controls, and best practices, so even if it does slip by your team, it will not be processed. And Kip, it's just like what you say in your book, fire doesn't innovate. One of the internal controls you can put in place is just have two people approve the wire transfer. So if one person doesn't catch it, the next one will. That is an internal control. And there are other internal controls, authentication techniques, and best practices that can be done as well.
Kip: Yeah, that's great. Thanks for the plug on my book, Debra.
Debra: I loved it.
Kip: That makes me feel great. I don't know if I said it in the book. I don't think I did, but I wonder, Debra, if anybody, when you were working with the information security team, we have a little saying that describes the kind of layered controls that you're talking about here. We call it a belt and suspenders approach. Have you heard that before?
Debra: No, I haven't heard that term. We didn't use that when I was working with that team.
Kip: Oh, okay. So that's a really good one, and so the whole idea is like, we don't want our pants to fall down, so we're so paranoid about it. We're going to wear a belt and we're going to put on our suspenders, but just in case we have failure in one, we're going to be saved by the other.
Debra: I love it though.
Jake: We'd also call that defense in depth when we are talking in a more technical fashion.
Kip: Yeah. Absolutely. Defense in depth. Also, I think another apt term that comes from the information security field would be diversity of defense, right? So you don't want the same type of controls all layered together because if you can compromise one and the other ones are highly similar, then you might be able to break through all of them, but if you are diversifying different types of controls and then layering them up, that provides really great protection. And Debra, I would imagine that in a very large company, right, you've got plenty of people that you can enlist to provide these dual controls, two person rules, that sort of thing. But if you're a medium sized or a smaller company, it's really going to be a challenge to bring more people into the situation. How do you scale some of these controls down? What have you seen? What do you do?
Debra: So it's really not so much the number of people that are in your accounts payable team or that are processing the vendors or the invoices. And so it does play a factor in segregation of duties. So there are reports and things that you can put in place to mitigate those risks. But as far as the authentication techniques, combined with your phishing awareness training, the authentication techniques, internal controls, and best practices, you can put that in place with a one person accounts payable department or a 200 person accounts payable department. It's about making sure that your employees are following the process so that it will work. So it can work in large and small companies, and reports and other mitigating or compensating controls can be put into place if you have a segregation of duties issue where you are open to occupational fraud.
Kip: And you said something a moment ago that I thought was very important for our listeners to recognize, which is you talked about supervision, right, about management making sure that people are doing the right things, because you could automate some of these controls. And they become very, very reliable when they're automated, but some of these controls need to be performed manually, and so good supervision, good management. And really that's my assertion across the board, is that cyber risk isn't really a technology problem so much as it's a business problem, a managerial problem. And I think you've put your finger on something: a manager or supervisor that's inattentive can really be a liability.
Debra: That's correct. And again, these processes that you can implement to protect your company can be implemented whether you have a one person department or a 200 person department, but it does require that management get involved and stay involved and is engaged with the team because you have to make sure and monitor that your team is performing these authentication techniques and following through with the internal controls and best practices in order for it to work.
Kip: Okay. So could you give us, Debra, could you kind of give us, I guess what I might call a survey of some of these controls and just kind of help us get our arms around some of the specific techniques that we should be considering?
Debra: Sure. So one of the big things around authentication techniques, and this is you get a request via email. Let's say you do get a business email compromise email from a cyber criminal. Well, the first thing you want to do and that's included in your phishing awareness training, which hopefully everyone is doing is you scan that email. You check the email domain. You make sure that on its appearance, that it is from a, or not from a fraudulent source. But then once you do that, you go through and you implement some authentication techniques. And again, that's to confirm that the source of the data you received is not fraudulent. And in that, I mean you validate or authenticate the person that sends the email and you send that back and you require that they confirm certain information that only the vendor or only someone from the vendor's company would know.
And that's something it can be.... And I do suggest two different criteria to authenticate. And that can be the tax ID. That can be an invoice number. That can be a PO amount. I do suggest you don't have them all from the same function. So you don't ask for an invoice number, an invoice date, because if someone, if a cyber criminal gets a hold of an invoice, they have that information, but require different information from different areas. So require an element from invoicing, an element from purchasing and an element from the vendor file. And so you would ask for something like the tax ID and the invoice number, and if they can't do that, and for the most part, if you push back and ask, the phisher will, or the cyber criminal will just go away. And so that's one of the things that you can do, but in order for that to work, you need to also make sure that your team is not giving out that information.
So let's say if someone calls in and if a cyber criminal calls in, or if they send an email, you're not giving them the invoice number or the tax ID or the bank account number, things that you use to authenticate. You got to make sure that you're not giving it out, and you need to make sure that information is not accessible by other people in the company so that they can't call them and then call back to AP or email back to AP and provide that information in order to fraudulently authenticate themselves.
Kip: [crosstalk] So now it's... Go ahead, Jake.
Jake: I was going to ask, have you ever considered a kind of rotating secret word of the week as the, I guess, second factor? As the authenticator?
Debra: So we haven't tried that, but we did try a PIN, and a PIN works fine if it is automated. So if it's in a vendor self-registration portal, but it's a little harder because that PIN cannot always be located, and you may have a legitimate vendor who needs help right away to get their payment out. And so the authentication is something that everyone in the, whoever answers the phone, whoever gets that email, it's something that they can all do at that time without having to rely on an external or having to rely on something that rotates. So it's a little bit easier to do it with authentication techniques, with data that your accounts payable team or someone in your vendor maintenance team has access to right away.
Jake: Got it.
Kip: Because this sounds a lot like me trying to call my bank and have a conversation with them about my account, right, because they're always saying, "Well, Mr. Boyle, can I confirm your address? Okay, Mr. Boyle, can I confirm this? And can I confirm that?" And they're going to ask me a series of questions, which I've got to answer correctly before they'll authenticate me as a legitimate caller. This sounds conceptually very similar.
Debra: It's exactly that. It's exactly that. Except it's with the information that's in the accounts payable department. And so, to make that easier, to your point with the PIN, to make that easier, I suggest having like a matrix and giving that only to your accounts payable team or your vendor maintenance team, and give them some choices that they can ask, so they're not always asking the same questions, the same elements. So give that to them and let them go. And they can do that 24/7, 365.
Kip: Okay. So Debra, let's talk about another related topic though, which is, and I just keep, my mind keeps getting kind of swimming here when I think about 140,000 active vendors, right, was what you were dealing with. And if it was me, one of the questions I'd have all the time is how do I know that every one of those vendors is real? How do you do that?
Debra: So one of the best ways that you could do it. So the first thing is you need to train your team. And with that volume of vendors, I had an 18 person team and we had about 2,000 requests coming in per month that needed to be processed. And it was either adding new vendors or changing existing vendors. And actually it was about half and half between adds and changes. And so what you need to do is you always need to validate that information. So when those vendors are coming in, you do validations to confirm that the vendors, those are real vendors and that the data that they're submitting is real and you actually do the same thing with changes as well. So a great, one of the great things that you can do is there is now a service out there where you can validate the bank account name against the bank account number. And so that way you can validate that that bank account number that you're about to enter in your vendor master file or update in your vendor master file for a specific vendor, really belongs to that vendor. And so-
Kip: So that's like a third party service that you subscribe to? Is that how you do that?
Debra: It's a third party service and the penetration of that, meaning the banks that are participating and where you can check against their accounts it's growing. And the last time I checked, it was about a 65% penetration across the US and is only available for US vendors. But that does go a long way along with other validations to make sure that the information that you're putting into the vendor master file is real. And then once you get that information in your vendor master file, doesn't stop there. You always have to make sure that you're maintaining that. So on a monthly basis, you go in. You inactivate vendors that you haven't done business with over a certain amount of months. And let's say that's 15 or 18 months, that's typical. And that way there's less vendors available for fraudulent cyber criminals or fraudsters to get to.
And in addition to that, so you're inactivating your vendors. So you have a lower volume. And then in addition to that, you are continuing to validate those vendors against those sources. So you do an IRS TIN check where you're checking the legal name against the tax ID. You're doing an OFAC check to make sure that these vendors have not been added to the naughty list or the OFAC or other watch list. So you're doing all these things once your existing vendors have been validated, they're in your vendor master file, but you're consistently re-validating those vendors, inactivating those vendors to make sure that if something slipped through the cracks, or if the vendor changed and now became someone that you see as a risk, that you catch that, and you're doing that on a recurring basis. So your accounts payable, and more specifically vendor maintenance within accounts payable, is an ongoing position or ongoing function that needs to continuously be monitored so that you can ensure that you have real vendors in your vendor master file.
Kip: Okay. So you want to have good hygiene, right? You want a nice clean file. Can any of that stuff be automated? What did you do? Because it sounds like it could be a lot of manual effort to do that.
Debra: Yeah. So one of the best things that you can do is to implement a vendor self-registration portal. And what that does is it's got the built-in authentication, because the vendor has to authenticate themselves before they come into the portal. And that's great. And then the vendors are entering their own data. So now you have less of that vendor sensitive data being submitted by internal employees. And so you don't have the exposure of that vendor-sensitive data to people that don't need it or internal team members that don't need it. And so they're coming in, they're putting in their own data, and depending on the vendor self-registration portal, they have those validations to make sure that they're real vendors, they have those validations inherent in their program. And then once that vendor is validated, you can choose to have your team review it and approve it.
And in some cases that information then can be automatically updated in the ERP. So it can be a touchless process, which great, but vendor self-registration portals, the functions and the features that are included vary between the different products or third party products that are out there. So whatever you don't have in your portal, you can augment by implementing these manual processes as well. So there are some vendor portals that have great functions, great features, and there are some that are missing and that's fine too. You just need to augment them with the validations and the processes that are not included by your team, but it's still an increase in automation. And it still decreases some of the manual work that your team will need to do.
Jake: And Debra, would you say that though the automation is great, it doesn't really replace the need to be vigilant because obviously any additional portal would be new potential access point or it expands your attack surface, so to speak. So while I'm a big fan of automation myself, just people should be aware that you really need to maintain vigilance whenever you start to automate things.
Debra: And I would agree with that as well. No matter what process you're using, from manual to a vendor self-registration portal that can be touchless, you still have to have reporting that management needs to review, and there still need to be internal controls that are put into place. So that even when using that vendor self-registration portal, you're still making sure you're compliant with your business processes and making sure that the third party provider, for that matter, is compliant as well.
Jake: Yeah, no, that makes perfect sense to me. So Debra, thanks for being our guest today. Where can people learn more about you and what you do and everything that you've said today?
Debra: Sure. So they can come on over to my website at www.D-E-B-R-A-R Richardson. So it's debrarrichardson.com, and they can find my weekly blog and podcasts, and it's free content, as well as information on training and protecting the vendor master file from fraud. They can also find me on Facebook at Putting the AP in Happy, or Twitter and Instagram at AP in Happy.
Kip: Oh, that's a great brand you have, by the way, Putting the AP in Happy.
Debra: Yeah. I love it.
Kip: Well, Debra, thanks for joining us today. And that wraps up our episode of the Cyber Risk Management podcast. So today we talked about how to protect the vendor master file from fraud, particularly from cyber attack and business email compromise, with our guest Debra Richardson. We'll see you next time.
Jake: See you next time.
Debra: And thanks. I loved being here today.
Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR, and IT for full effectiveness. Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk business strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.