Guide to Fraud Prevention, Part 3: Procedure

Barricade your business against costly security breaches with cohesive and integrated fraud prevention policies and practices. Without codified procedures, the other three pillars of fraud prevention remain vulnerable. Procedures unite all the parts of an evidence-informed cyber security business strategy: Hardware, Software, Procedure, People.

Creating new procedures can feel like a low priority on your daily to-do list, but cybercrime targeting businesses and their clients is surging. The FBI reports a 10% increase in incidents and a 22% increase in financial losses in 2023 compared to 2022, and that’s only what gets reported.

Small and large businesses are being targeted and defrauded at almost the same alarming rates, according to the 2023 Data Breach Investigations Report. While medium and large businesses have often have more in-house or third-party IT resources, these aren’t a silver bullet for neutralizing fraud threats. 

The third pillar of digital security–procedure–means implementing secure processes for every task, account, and department at every phase of business operations. Let’s break down what that looks like in practice.

‍

Table of Contents

• ‍Risk Analysis and Disaster Planning‍
• Securing your Physical Environment‍
• From Hardship to Habit: Security Routines‍
• Procedures for Permissions

Risk Analysis and Disaster Planning

The insights from the 2024 State of Wire Fraud report are testament to the fact that all businesses are at risk for cyber attacks. Crisis response procedures are designed to significantly minimize the likelihood or impact of a data breach, business email compromise, virus, wire fraud, or other internet crime. Even momentary business downtime can come at an irrevocable cost. 

Start by using this four-part Guide to Fraud Prevention to audit the gaps in your cybersecurity strategy. Determine which kinds of fraud are most likely to target your business. Draft a response plan for each potential crisis that includes:

• An internal communications protocol for quickly notifying the right stakeholders and reinforcing policies for confidentiality and security;
• Clear role assignments;
• Triggers for security measures to isolate the damage, like automatically prompting agency-wide password resets;
• An external communications protocol with pre-crafted messaging to notify and reassure clients as needed;
• A list of experts on call to support with specialized advising, such as attorneys or IT experts to lead data recovery;
• A 24/7 recovery support partner on speed dial to recover any funds or claim insurance.

Supplement the crisis audit and response plan with data back-up procedures. That way, corrupted files can be restored before they’re missed.

Grifters take advantage of the time novices spend diagnosing cyber attacks and planning their crisis responses in the moment. By proactively formalizing a crisis prevention and response procedure well before disaster strikes, you’ll save valuable time, reputation, and revenue. 

Securing your Physical Environment

In an increasingly remote-first business landscape, physical security tends to take a back seat, but every enterprise conducts some business or stores assets in physical spaces, and these are vulnerable to sticky fingers and wandering eyes. The goal of infiltrating physical spaces? It’s the same incentive cybercriminals have for hacking into your business software. If they can steal login credentials or sensitive information, including customer contact information, they can impersonate your business and perpetrate costly wire fraud.

Your business should have locked doors that restrict access to authorized employees, as well as an identification system for your staff and any vendors entering and exiting the premises. Digital keycards and unique door codes are harder to copy and easier to disable virtually, relative to physical keys. Similarly, sensitive printed materials belong in locked files and physical hardware must be secured exclusively for authorized users. Onboarding and offboarding procedures prevent former staff from continuing to access physical spaces after their permissions expire.

Procedures should also prevent employees from displaying sensitive information on their computer screens or desks areas. A sticky note with a password or a file with a client’s social security number are examples of easy targets.

From Hardship to Habit: Security Routines

Introduce procedures that require employees to run regular virus scans and install software updates. You can learn more about those in Part 2 of the Guide to Fraud Prevention: Software. IT providers or departments can still take the lead, but staff will need to accept the prompts to install patches and restart their devices. 

In addition, use procedures to enforce good password hygiene:

• Require staff to create passwords with a minimum level of complexity, even if software don’t require it. These are harder to guess, even by AI-enabled bots relying on rapid machine learning.
• Consider procedures for adhering to a single sign-on software for all login credentials so that staff can be cut off from access to all accounts when they are terminated and so they never need to learn company passwords, only their own.
• Instruct staff to use unique passwords for every account including distinct passwords from the ones they use with personal accounts.
• Introduce procedures for multi-factor authentication.

Training and transparency for these procedures will engage your team in cultivating a culture committed to security on behalf of their clients. Fraud prevention can become second nature over time.

Procedures for Permissions

According to the 2023 Data Breach Investigations Report, abuse of access privileges constitute a significant percentage of all data breaches, and a remarkable 99% of permissions misuse cases involved an internal stakeholder. Prevent privilege misuse by only giving employees the level of access they need to lead their specific work effectively.

“What you don’t know can’t hurt you” applies here. For example, if a staff member doesn’t have permissions to access the full client database, they can’t divulge personal identification information to cybercriminals, unwittingly or intentionally. Similarly, a paralegal probably doesn’t need login credentials to access corporate bank accounts the way an accountant does. If the paralegal falls victim to a phishing scam, the resulting virus or breach will be limited to the digital spaces they have permission to access. Permissions structures also prevent disgruntled employees from retaliating beyond their own spheres of access. 

Codify role-based permissions in your procedures for using enterprise software. For example, if your business maintains a LinkedIn page, give senior staff administrative access, but give junior staff editing permissions. Or if you use a workforce management software like ADP, limit access to staff social security numbers, salaries, health insurance info, and other sensitive details to as few members of the human resources team as possible. Role-based permissions procedures can help limit the scope of a cyber attack.

If you have employees who work remotely, consider implementing a virtual private network (VPN). A VPN gives permission to authorized users to access your secure local network from a remote location, rather from dubious outside networks.

To cap off a sophisticated fraud prevention strategy, connect procedures with people in Part Four of the Guide to Fraud Prevention, or revisit an earlier pillar to reinforce your approach.

1. Hardware
2. Software
3. Procedure
4. People

‍