How confident are you that your business is safe from fraudsters? Before you answer, consider the pace at which cybercrime-related payment fraud is growing; then think about the fact that your company is equally under threat from internal fraud. Ryan Mer has the answer to both.
Ryan Mer has been fascinated by entrepreneurship since he can remember. ‘Even at school, I was intrigued by the mechanics of building a business; what it takes to be successful,’ he recalls.
It’s not surprising, then, that he embarked on his first venture as soon as he completed his articles. ‘My father, who has a legal background and is a senior and accomplished businessman, encouraged me to become a CA because he believed I should have a professional degree to fall back on before I jumped into business, and looking at the successful entrepreneurs and business icons at the time – Brian Joffe, Donald Gordon, Stephen Koseff – I was struck by the fact that they were all CAs,’ Ryan says.
So, too, was his partner in his first company, Brett Chait. The two had met during high school, cemented their friendship while completing their articles, and went on to do a secondment in Los Angeles. The experience was a formative one for Ryan, who was ‘blown away’ by the ‘anything is possible’ mentality that characterises American business.
More than this, he and Brett were exposed to a different, highly efficient way of doing things. ‘We were both passionate about technology, and we loved brainstorming ideas around how to bring it into business,’ Ryan says. Some of those conversations centred on manual audit procedures, which were time-consuming and cumbersome.
Moving away from manual
Realising that this process had already been automated in the United States, Ryan was consumed by the possibilities that might be realised if he introduced similar systems in South Africa – and so, as soon as he returned from his secondment, he invited Brett to join him in a business that would do just this. Initially reticent, it didn’t take long for Brett to share his enthusiasm – and so Confirmation was born.
Ryan and Brett may have been newcomers to the business world, but their instincts were spot on: the appetite for Confirmation’s services was tremendous. So, too, was its impact, with Confirmation’s extensive client base ranging from South Africa’s Big Four banks to small independent audit firms. ‘The company changed how South Africa’s audit firms and banks conduct their confirmation process, improving turnaround times, efficiency and security,’ Ryan says.
Its success led to Confirmation’s buyout by a listed company but, convinced that they could grow further as entrepreneurs, Ryan and Brett decided to exit the organisation.
It wasn’t long before they identified their next business opportunity: eftsure, a software-as-a-service platform that provides businesses with protection against payment fraud by offering a range of services, from digitised onboarding to automatic verification of key information, vendor/master data management, and payment protection.
Ryan explains that the duo’s interest was, once again, sparked by the understanding of how many businesses remain stunted because of their continued use of manual processes. A service that would correct the inefficiencies and inaccuracies that resulted should have been warmly welcomed by the business community, but Ryan says that this was not the case – at least at first. ‘We first became involved with eftsure in 2018, seven years after we started Confirmation. The solution had been developed by a South African CA living in Australia, and after we spent some time adapting it to suit local market conditions, we were ready to launch in 2019. The business community was less ready, though: lockdown was just around the corner, and with it came a new, more cautious attitude in the face of uncertainty. More and more businesses went into protective mode – which meant that few were ready to invest in new processes.’
Not that Ryan and Brett were deterred. ‘We realised that it takes time for people to educate themselves and understand something new. We decided to focus on our product so that when the market was ready, we’d be able to present the best possible version.’ Their confidence was founded in their certainty that eftsure was a necessity for companies – and they were right. The business has enjoyed solid growth since last year; timing that coincides with the increase in cybercrime and fraud. ‘There isn’t a business we’ve spoken to that hasn’t been touched by payment fraud. People have finally become aware that they need to take action,’ Ryan says.
The automation of processes is the very best place to start, he maintains. ‘When you rely on human decision making, there are always gaps – and people inevitably take advantage of these; even the employees who have held trusted positions for many years.’ In fact, it is often those trusted employees who pose the biggest threat in terms of internal fraud, as they have an in-depth knowledge of the company’s processes and systems.
Support from the CFO
Ryan says that while support for the digitalisation process must come ‘from the top’, it is the CFO who plays the most critical role in its successful implementation and adaptation. ‘While you may not think that cybersecurity falls under your remit, the opposite is in fact true. CFOs are no longer simply number crunchers – their role has changed as the world of business has evolved, and as the custodians of a company’s monetary assets and financial data, it is your responsibility to safeguard its financial health from threats. As the CFO, it’s your job to drive the business forward and enable it, and this requires a business-minded, future-oriented approach – which includes digitisation.’
Ryan says that it is incumbent on CFOs to educate themselves about the risks and vulnerabilities present in their organisations and to identify the information that most requires protection. They also need to grow their understanding of how this information is most likely to come under attack. ‘It is the CFO’s duty to take ownership of this,’ he insists.
That said, the responsibility does not end with the financial team. It is important to educate all staff, too, so that they also have an understanding of cybercrime and how it is likely to affect the organisation. Ryan recommends thorough and ongoing training to educate employees about risk, so that they are able to recognise red flags (including questionable emails and attachments, mails from CFOs demanding urgent payment and documents from unknown sources) and build a culture of awareness.
‘It’s vital that we recognise that cybercriminals aren’t teenagers wearing hoodies, working in their mothers’ garages but often sophisticated and organised criminal syndicates,’ Ryan says. ‘And that’s why a robust automated system is necessary – it’s one of the most effective forms of checks and balances.’
Ryan suggests entrenching a culture of zero tolerance for fraud, and bolstering this by implementing a strong network of controls. Insist on verifying all information, and make sure that you have in place a strong system to manage master data. Check all outgoing payments to ensure they are not compromised, and implement a layered system of controls that leave no area of the business exposed and vulnerable to attack.
Ryan and Brett are extremely excited about eftsure’s potential to aid businesses in reducing their vulnerability. ‘We want to bed down this part of the business, and when it is in place, we can perhaps consider bringing adjacencies on board.’This would make sense from an entrepreneurial perspective, he says, as it is always best to build on a business that already has a steady base rather than starting from scratch. ‘One of the things I’ve come to realise through my entrepreneurial journey is that focus is essential when you’re building a business – while having a vision for the future is important, you shouldn’t be thinking about what comes next at the expense of what’s happening right now. We want to make sure that eftsure does what it does really well before growing it further – although the potential certainly exists to do this.’
The red flags that may signal your business is under threat
Ryan advises that aside from external threats, there are a number of telltale signs that may indicate potential internal fraud.
‘Look out for employees who are particularly resistant to change, especially giving up their present post or accepting digitisation. They may also be aggressive when questioned about their controls and processes. A staff member guilty of fraud may ask for, or have access to, information that they don’t need and may appear to be living beyond their means.’