ABB is a superbly run global engineering group, yet yesterday they announced that they had uncovered $100 million of “massive criminal activity” at its South Korean subsidiary. Now is the time to reach for the fraud prevention and cybersecurity checklists to save your job.

The basics

Citizens Bank in the USA identified ten common security gaps that companies needed to address to protect themselves when planning for 2013 and which still apply today:

• are you using weak passwords? Hackers have more processing power to crack passwords than ever before, and can relatively quickly test all words in the dictionary to see if the right one comes up. Use instead a more complicated combination of letters, numbers, and symbols that aren't easily searchable.
• do employees keep passwords "hidden" in their top desk drawer? The strongest password in the world won't protect your account if a perpetrator can read it from a slip of paper in your office. Keep passwords behind lock and key, just as you would cash.
• are you training your employees against social engineering? Many fraudsters find it easier to trick a person into revealing account credentials than to hack into a computer. Training your employees to not provide any user name or password information over the phone or email – even if the source seems legitimate and unless and until the source is independently verified – is a vital measure of protection.
• do you lock your computer when you step away from your desk? As we all know, a minute away from our desk can sometimes turn into much longer, as meetings pop up and we get stuck taking care of a crisis. Again, just as you wouldn't leave cash lying around on your desk, always lock your computer as well. Also, software such as Trusteer Rapport provides additional high-tech protection against infiltrators who try to break into your computer electronically.
• how well do you know your vendors and business partners? While you may somewhat confidently share wire instructions with long-time vendors or business partners, it is wise to conduct some due diligence around new vendors or other payees. Using the Positive Pay services for checks and ACH and Payee Positive Pay for check disbursement accounts adds in an extra layer of protection.
• do you conduct surprise audits? The American Bankers Association reports that 60% of all fraud incidents within a business involve employees. Surprise audits are a good way to detect and deter occupational fraud schemes so that funds can't be manipulated ahead of the audit.
• does your company enforce vacation policies? Similarly, making sure that there are periods of time in which employees are away from their desks and have their records available for oversight has been supported by financial regulators like the SEC for years, but all companies can benefit from this policy. A one- or two-week window can provide the additional transparency needed to expose internal fraud.
• are dual approvals required for your payments? Implementing banking processes that require dual approvals for activities such as payments and wire transfers is an easy way to minimize certain fraud risks. Companies can also require additional approvals before a new vendor is added to a payment system, as well as use debit blocks and alerts to reduce the risk of unauthorized payments.
• is there open access to company checkbooks? In 2012, 85% of organizations experienced actual or attempted check fraud, according to the Association for Financial Professionals' latest fraud survey. Having company checkbooks out in the open leaves your bank account information visible and increases the risk of check theft. Always lock up any checkbooks.
• does your company have on-site collections? Outsourcing collections mitigates the risks that emerge when receivables checks are lying around the office.

Constantly changing and improving

A vital fraud prevention practice is to change and improve the procedures and systems frequently enough to keep potential fraudsters off their guard, so they cannot be sure what is coming next.

Other important Checklists 

Great lists of what to do include:

• Get your board to answer these vital questions 
• ’10 steps to Cyber security from UK’s GCHQ’ (UK Government Communications Headquarters) who monitor the Internet and many other networks
• SANS (System Administration, Networking, and Security Institute) ‘Critical Security Controls’ —a short list of controls developed by security experts world-wide based on practices that are known to be effective in reducing cyber risks
• NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity—combines a variety of cybersecurity standards and best practices together, see
• Shared Assessments—an organization that develops assessment questionnaires for use by its members, see
• ACFE’s Fraud Prevention Checklist, see 
• ’40 questions you should have in your vendor security assessment’ from BITsight which shows how to monitor and manage vendor security, see.

---

CTMfile take: These lists include some the most important tips on how to prevent fraud today. However, for many managers the problem is which are the most important technique or system, and where to start, Which for you is the most important and where would you start?