Can You Really Drive Employee Secure Behavior?

Managing a team can be very rewarding.  There are compliance tasks that come with the position that depend on human behavior from adherence to a dress code (or not), to adherence to operational and security processes that have been put into place to protect the company.  While it may not be a security threat to wear jeans to work on a non-jeans day, not following processes to identify, report and not process phishing emails is. 

In a previous blog post “Is Your Accounts Payable Team Still Taking Live Phone Calls From Vendors?”  I recommend adding authentication for both external vendor calls and employee phone calls and providing those help desk team members with an authentication reference to assist them in that task.  To ensure employees continue to follow the process I recommend a recurring audit be put into place to monitor that the process is being followed.  This strategy to put a process in place, then audit/monitor that it is being done common in business but is normally not done for 100% of transactions or done after the fact.  With fraudulent payments at stake, after the fact is too late, so more must be done to ensure the employee is always following the processes put into place. 

Driving Employee Secure Behavior

In the podcast guest Perry Carpenter, author of soon to be released book “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors”,  goes into detail about human behavior including how three things need to be present to drive secure behavior:  motivation, ability and prompt.  How can these three be applied to Accounts Payable to prevent fraudulent payments resulting from unauthenticated, phishing emails? 

1.      Motivation – Every manager is accountable for providing positive or negative consequences for following processes and policies in place.  This is no different.  Explain why phishing training combined with implementing authentication techniques, internal controls and best practices are necessary. 

2.      Ability – Train the team to how review, spot and report Phishing Emails.  In addition,  arm the team with an authentication reference, a script for calls and standardized responses to emails.  The easier it is to comply; the less motivation needed. It has the added benefit of ensuring that all team members are communicating the same message.

3.      Prompt – Ask the employees to do it.  How? For the implementation of authentication techniques, internal controls and best practices – make them a part of the required process to make payments or make updates to the vendor master file.  For example, is the CEO requesting a wire via email?  (Yeah, CEO’s quit doing that) Add a control to require a second review or a separate email or call to the CEO (no matter what the email says) and require that documentation as part of the approval process.  Is a vendor requesting an update to their banking?  Require the old banking or the last three deposit dates and amounts to verify they are the vendor and attach the response (or form if you included the requirement on your own banking form) to the vendor record. 

Click the podcast above to hear more on human behavior and how you can use it to drive secure behavior in employees.  Hear why guest Perry Carpenter says, “You get the culture that you ignore” and when he thinks changing the prompt may be required.  Fair warning, it’s not all about the employee, culture and management are key as well. 

Blog 28 Body Graphic.jpg

Protect the Vendor Master File from Fraud.  Keep it Clean. 

#stayhappy #Vendorsetup #vendormasterfile #accountspayable #phishing #perrycarpenter #customerservice

Debra R. Richardson,

MBA, APM, APPM, CPRS

Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.

For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.