Part of our series on Security for Medium Businesses.
Note: while understanding is not wholly predicated on formal accreditation, Simple Salt would be remiss in failing to inform you that recommendations here should not be construed as legal advice and should not be used as a replacement for a lawyer advising you on the specifics of your situation. tl;dr: IANAL.
Last week, we described how clear up-front expectations can eliminate expensive arguments, and how security issues can be expensive. However, the best contract in the world is useless if your staff lets, or even instructs, your partners to use another way.
Standard messaging in partner-facing communications goes a long way to ensure that your staff is not violating the terms you added to the contract to protect you.
All messages about payment should contain a short reminder about the right ways you pay or expect to be paid. This includes invoices, POs, overdue bill reminders, and receipts.
You may consider two templated messages, one for customers and another for vendors. If possible, include links to your required methods, such as where to make payments or change payment details. If you support different styles of payment, describe the right way to do each on a single webpage, and link to that page from the template.
A template like this is easiest to include in automated messages and customer service chat, but can be easily added in emails through signatures available to your staff or automatically by your email system based on rules.
If you share secrets, remind your partners about the correct channels. For example, because email is poorly protected and is hard to defend in an audit, your contract may identify your client portal as the only acceptable way to transfer secrets to you. Still, clients may be tempted to email important secrets instead of using your portal. Automatic reminders to use the portal when they include attachments may be an easy way to help them protect their data.
Ideally, the template should include a link to the correct place.
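The attachment reminder described above, as an added example that is not Simple Salt's code and not part of the original post: a small Python routine that checks an inbound message for attachments and, when it finds any, drafts an automatic reply pointing the sender at the portal link. The portal URL, the mailbox addresses and the sample messages are constructed placeholders. The routine also refuses to answer mail that is itself auto-generated (the Auto-Submitted header from RFC 3834), so two auto-responders cannot reply to each other forever.

```python
"""Auto-reminder for inbound mail that carries attachments.

Example code (not Simple Salt's): when a partner emails a file to a mailbox
that should only receive secrets through the client portal, build a reply that
points them at the portal. PORTAL_URL, REMINDER_MAILBOX and the sample
messages are constructed placeholders.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from typing import List, Optional

PORTAL_URL = "https://portal.example.com/upload"   # assumed placeholder
REMINDER_MAILBOX = "secure-intake@vendor.example"  # assumed placeholder

REMINDER_TEMPLATE = (
    "Thanks for your message. Please send documents and other sensitive\n"
    "material through our client portal rather than as an email attachment:\n"
    "{url}\n\n"
    "Your message included: {names}\n"
)


def _is_attachment(part) -> bool:
    """True for parts a sender would regard as an attached file."""
    if part.is_multipart():
        return False
    disposition = part.get_content_disposition()  # "attachment", "inline" or None
    if disposition == "attachment":
        return True
    # A non-text part with no disposition (e.g. a bare application/pdf body)
    # also counts; inline parts such as HTML images are left alone.
    return disposition is None and part.get_content_maintype() != "text"


def attachment_names(raw_message: str) -> List[str]:
    """Return the file names of the attachments in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() or "(unnamed)"
            for part in msg.walk() if _is_attachment(part)]


def build_reminder(raw_message: str) -> Optional[EmailMessage]:
    """Return the reminder reply, or None when no reply is due.

    No reply is generated for messages without attachments, nor for messages
    that are themselves automatic (Auto-Submitted other than "no"), which
    prevents loops between two auto-responders.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":
        return None
    names = attachment_names(raw_message)
    if not names:
        return None

    reply = EmailMessage()
    reply["From"] = REMINDER_MAILBOX
    reply["To"] = str(msg["From"])
    reply["Subject"] = "Re: " + str(msg.get("Subject", ""))
    if msg["Message-ID"]:
        reply["In-Reply-To"] = str(msg["Message-ID"])
    # Mark our own reply as automatic so other systems do not answer it.
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content(REMINDER_TEMPLATE.format(url=PORTAL_URL, names=", ".join(names)))
    return reply


# Constructed sample: a partner emails a signed form as a PDF attachment.
SAMPLE_WITH_ATTACHMENT = """\
From: alice@client.example
To: secure-intake@vendor.example
Subject: Signed tax form
Message-ID: <20240101.1@client.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, the signed form is attached.
--b1
Content-Type: application/pdf; name="w9.pdf"
Content-Disposition: attachment; filename="w9.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample: a plain question with no attachment, so no reminder.
SAMPLE_PLAIN = """\
From: bob@client.example
To: secure-intake@vendor.example
Subject: Question about my invoice

Which invoice is due next week?
"""

# Constructed sample: the same attachment, but sent by another auto-responder.
SAMPLE_AUTO = SAMPLE_WITH_ATTACHMENT.replace(
    "MIME-Version", "Auto-Submitted: auto-replied\nMIME-Version", 1)

if __name__ == "__main__":
    reply = build_reminder(SAMPLE_WITH_ATTACHMENT)
    print(reply.as_string() if reply else "no reminder due")
```

Wiring this into a mail platform (a filter rule that hands matching messages to a script, or a hook in the ticketing system that fronts the mailbox) depends on what your email system supports; the decision logic above is the part that stays the same.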
In general, passwords or other login secrets should never be known to anyone other than their owner. If your partners interact with you by logging into your systems, you may consider standard reminders to never share that information and only use it for logins. You can also highlight that they are liable for any action taken within their account.
Some companies add legal disclaimers meant to limit liability if secrets are shared to the wrong people. This is not effective. In our experience, adding these terms to emails does not influence recipient behavior and has no practical security benefit. Feel free to skip these; you get better protection by only handling secrets in a dedicated platform with strong access control.
Your standard messaging should also contain a single, easy way for all partners to reach you if they suspect something fishy. This could be an online form or a standard mailbox. The most important part is consistency: whatever method you choose to advertise should be the same everywhere. Consistency reduces the odds that a scammer will trick someone with phony contact details that they secretly control. If those contact details are all the same except the one stood up by the scammer, people will be more likely to use the real one.
Training & testing
Often staff are focused on practical and short-term goals like closing deals and customer service; they do not consider the risk of fraud and theft that you care about. It is tempting for them to “just take care of” a high-risk request like a payment detail change instead of directing the requester to the appropriate avenue. If this becomes common, it eliminates the benefit of consistent contracts and messaging.
This is usually addressed through training, but you can get good results by testing your staff. You can often pay a contractor or even convince a close partner to try to circumvent one of your processes and see how your company representative responds.
Warning: If you decide to test them, recognize that such an event may be stressful for the person handling it. They are balancing competing priorities: following the procedure and making your customers happy. Handled poorly, this kind of internal testing can dramatically hurt morale and trust on your teams. Your biggest security weakness and strongest asset is your people – they are the ones who will either notice a scam or fall for it. Give them the training and backing to confidently make decisions. Inconsistent expectations can undermine that confidence and reduce their effectiveness. You can improve your chances in two ways:
Make the result about the effectiveness of your training, not their individual intelligence, judgement, or job performance.
Advertise the test to relevant teams after it happens. Regardless of results, the fact that you tested shows that you care about these processes and are willing to spend some time and money to ensure your teams do them right.
With a little effort toward standard contracts and messaging, you can reduce the risk of getting blamed for your partners’ security failures. For almost any company, matching contracts and messaging to tight operational processes can further improve your resistance to fraud.
If you need help with security in your processes, contracts, or messaging, give us a ring.