How to leverage security in your Sage software
by Ruth Stockdale, LAI Director of PSG
Beyond the human touch
Security — we touch on this topic so often it seems it should be a settled issue for everyone. But a recent anecdote leads me to remind everyone again.
A company received a request to change vendor ACH payment information. The request came via e-mail from a legitimate sender with ACH codes for a valid bank account. However, the vendor’s system had been compromised using phishing or social engineering techniques and the request was not initiated by them.
How did they know it was a scam? The company determined this before sending payments to the fraudulent account because of their human intervention policy. Company procedures specified that any vendor change information had to be confirmed with a phone call to a senior contact at the vendor.
Add/check these security steps
How does this relate to your Sage software? No program can substitute for the person in this story—the person who followed the procedure. But your software can control security and increase the likelihood that only the right person has access to critical changes. Your software can also alert you to changes that have been made.
1. Verify your security setup
Make sure there are limitations on who has permissions to make setup changes regarding things like vendor information. You can increase the likelihood that your own staff follows appropriate procedures.
2. Look for permission “creep”
As roles and personnel change, it is possible for someone to inadvertently inherit permissions that are not appropriate for them.
3. Consider the vulnerable points
Any setup function should be controlled and monitored, the most likely ones involving AP and AR.
4. Create alerts and/or exception reports
These can let you know when specific data records have been changed, or system log entries show changes made.
The specific permission and report options will vary based on whether you are using Sage 100 CON or Sage 300 CRE. Of course, you should also check with your IT group about additional protections against other risks.
Let us know if we can help! It’s No Big Deal.