How do you collect your vendors’ W-9 information? What about bank information for ACH payments? Here is an instruction that one organization includes on its ACH Enrollment Form, the form on which the vendor is asked for their bank account information. It’s common: “Please email the completed form along with a copy of a VOIDED CHECK to: … ”
What’s wrong with that picture? Email.
Email is not a safe means of transmitting sensitive information, such as W-9s or bank account numbers. Why? Email is not secure. It was never meant to be. It is a technology that is, in technology terms, ancient, having been developed in the early 1980s. Its protocols were designed when there was hardly anyone on the internet, and there was a high degree of trust among the few people that were. Despite its antiquity, email is a power app, heavily used for communication and as a convenient method to send attached documents.
The problem is that email simply was not originally designed with either privacy or security in mind. It is analogous to mailing a postcard—anyone can see what’s on it. And while there are efforts to make it more secure, the way email works is not conducive to high security and encryption, so although such security is possible, it comes at the expense of convenience. But both the internet and email are ubiquitous, and there are armies of ne’er-do-wells seeking to exploit others through them.
What does that have to do with collecting W-9s or enrolling your vendors in ACH? Liability. Suppose they follow your instructions to email sensitive information to you. That information is vulnerable. Email can be compromised on the networks it crosses, or upon arrival on your server or an AP specialist’s unguarded computer.
The email process involves information passing from a vendor’s computer to their email provider, then across the network connections between their email provider and yours, and finally to your computers. Even if your staff follows careful practices to avoid forwarding mistakes, there is the chance that your email server could be hacked. And many servers store messages as plain text. So, if an administrative password is stolen or there is a security flaw, an attacker can access all the emails and attachments on the server—files that may go back years.
There are attempts at new, secure messaging services that might replace email, but as Geoff Duncan of Digital Trends notes, email’s ubiquity and usefulness ensure it will continue to be used for a long time. But, Duncan says, “For the foreseeable future, Internet users cannot expect email to be secure from prying eyes or interception. Period.”
So where does that leave an accounts payable department needing to gather sensitive data from vendors? Organizations are at risk when they rely on email to transfer sensitive information. Better to find another way.
There is regular mail, of course (but you are back to manual or semi-manual processing). Traditional fax (yes, fax!) is said to be more secure than email, but if faxes come into a multipurpose fax/printer that is connected to your internal network, it is vulnerable to hacking.
A good option for collecting sensitive vendor data without relying on email and its vulnerable servers is to use Web forms within a vendor portal. Good vendor portals address various security issues, including use of VPNs, encryption and more. Your IT department will know what questions to ask.