Two common, insidious cyber-related crimes — employee fraud and fake email requests for wire transfers — can bleed your SMB’s bottom line over months or years. Learn the five internal cybersecurity controls that accounting experts recommend to prevent these and other losses.
“Internal controls” is the term accounting professionals use for actions that create a reliable, legally compliant financial reporting and financial management process. Many internal controls can also be considered “cybersecurity controls,” and that’s what we’re focusing on in this post.
Before we dive into how internal cybersecurity controls can protect SMBs, let’s take a look at the two cybercrimes particularly brutal for small to medium-sized businesses (especially those responsible for safeguarding their clients’ money and/or sensitive financial data).
Business Email Compromise: The Current King of the Cybercrime Hill
In 2018, the most costly cybercrime reported to the FBI was business email compromise (BEC), which typically involves fake emails asking company employees to wire transfer funds to a fraudster’s account.
Victims reported nearly $1.3 billion in BEC losses in 2018. That’s more than a dozen times higher than losses reported for the next highest cybercrime category (confidence/romance scams).
Years ago, BEC attacks were mainly emails that appeared to be from CEOs and CFOs, telling employees to wire them money.
Heck, many small firms could foil these attacks just by calling out to the CEO across the room: “Hey, are you really emailing me from Bermuda, asking me to wire you $200,000?”
But today, cyber thieves also imitate emails from your clients, vendors, attorneys — anyone you might normally transfer funds to without double-checking the account information.
Employee Fraud Hurts Small Businesses Most Often and Hardest
Too often, one employee can control the electronic flow of money through an SMB. The Association of Certified Fraud Examiners (ACFE) says this is why the median fraud loss per incident at small organizations, $200,000, was nearly double that of large organizations in 2018.
The ACFE also found that a lack of internal controls contributed to 42% of fraud incidents in small organizations, compared with 25% in larger organizations.
The Cybersecurity Internal Controls SMBs Need Most
DiAnna Olsen, president of Owl Bookkeeping and CFO Services in Arden Hills, has been implementing internal controls at SMBs for over 35 years. We asked DiAnna which internal controls SMBs most often lack, and how that can lead to serious, but preventable, losses.
1. Create separation of duties
Recruit and train team members to add an extra layer of protection to key financial transactions.
The concept is simple: No one person should be in charge of an entire financial transaction process.
For example, can any individual in your company do all of these things:
- Authorize a purchase
- Place the order
- Pay the vendor
- Record the purchase
- Reconcile the bank account
- Distribute the monthly bank statement that shows the purchase
If so, that person can probably steal from your company — for a long time — without getting caught. And there are many other variations on this sequence that give one person too much authority to game the system.
SMBs often don’t have separation of duties for two reasons, says DiAnna: they don’t have the expertise to spot these vulnerabilities; and they don’t think they have enough people available to separate the duties.
Later, we’ll cover how to bring the right expertise into play.
As for not having enough people? DiAnna helps companies recruit and train managers to double-check and sign-off on certain financial tasks, such as purchasing.
“They don’t have to do anything that requires accounting expertise,” she says. “But with two or three people involved, it would be really hard for someone to, for example, write out a company check and use it for their own gain.”
2. Restrict access to online financial accounts
Use “view-only” access to financial accounts for accounting employees or contractors.
“Entrepreneurs are too quick to give up control of their checking and credit cards to their bookkeeper or an outside accountant,” DiAnna says. It’s a recipe for fraudulent purchases and wire transfers.
When Owl Bookkeeping and CFO Services assigns accounting pros to clients, they often ask for “view-only” access to bank and credit card accounts.
The Owl Bookkeeping people can see all of the clients’ account information, which they need for standard bookkeeping such as reconciling. But they can’t use the account to make purchases, initiate wire transfers, move money between accounts, etc. — those actions would require at least one other person.
Check with your bank about view-only accounts. If yours doesn’t offer them, consider switching to a financial institution that does.
3. Document processes and procedures
Documentation helps you get new employees and/or contractors up to speed faster.
Once you’ve put in the work to create a separation of duties, document how each process and procedure is supposed to be done. Make sure everyone involved signs off on that document.
In general, consider documenting procedures for these processes:
- Accounts receivable (billing) and accounts payable (purchases)
- Financial statement reconciliation and reporting
4. Maintain an approved vendor list
Protect your firm from fake vendor scams by adding one extra step to the vendor payment process: the “CEO portal” approval.
As we mentioned at the top, cyber thieves are posing as vendors to trick companies into fraudulent wire transfers. This can also be an inside job: Employees create and pay fake vendors so the money winds up in an account the employees or their accomplices control.
For some clients, DiAnna recommends adding a step to the vendor payment process.
The company issues an approved vendor list each week or month. If the company cuts a check to a vendor that’s not on the list, the bank alerts the CEO or CFO, who must confirm that the bank can release the funds.
Some financial institutions do this via a “CEO portal” account.
Creating a secure, approved vendor list is yet another exercise in the separation of duties. No one person should have the authority to:
- Add a new vendor to payment system
- Verify that the vendor is legitimate
- Disburse payments to the vendor
- Alter financial reports
5. Provide ongoing oversight
If your business doesn’t have a CPA on staff with internal control program experience, get outside help for proper oversight.
Ongoing and active oversight of your internal controls program accomplishes two critical things:
- Your employees know someone will be checking regularly to see that they’re following your internal controls. This keeps employees vigilant in protecting against outside threats, and discourages them from attempting fraud themselves.
- As your business operations and your staff change — and as cybercrime evolves — you can update controls accordingly.
It’s a mistake to assign oversight to someone whose main experience is bookkeeping. DiAnna says implementing, adjusting, and teaching internal controls is “CFO- and controller-level stuff.”
Some SMBs who outsource a full-time bookkeeper from Owl Bookkeeping also bring in a CFO- or controller-level CPA quarterly for internal control oversight. “Clients can use these higher-level experts as much or as little as they need,” DiAnna says.
She says that in addition to high-level accounting expertise, she recommends collaborating with IT security and support firms that specialize in SMB cybersecurity.
Balancing Security, Affordability, and the Need for Speed
Protecting the critical data and the money that your company controls is a balancing act. Two balancing acts, actually.
First, you must balance the risk of potentially catastrophic cybercrimes against your costs to prevent them, e.g. cybersecurity software, hardware, support and training, plus internal cybersecurity controls implementation and oversight.
Second, you must balance the time it takes you and your staff to follow internal controls and other cybersecurity practices against your perceived need to sometimes get things done a little more quickly and conveniently.
Basically, it comes down to long-term vs. short-term thinking. Don’t gamble that your firm will simply be lucky — cybersecurity and internal controls give you the best chance to take good care of your customers and thrive over the long haul.