Misdirection, Fraud and Cybercrime: Typo-Squatting Takes Advantage of Your Mistakes
We have all done it: typed the wrong address into the browser and ended up on one of those odd splash pages that carry ads for just about everything. Most of the time we immediately realize the mistake and re-enter the address correctly. But what if the page looked exactly like the page we intended to visit? That is exactly what is happening. Web pages are being copied and emulated by cybercriminals in what is known as “Typo-Squatting”. When a person inadvertently lands on a corrupt page by typing the wrong address, finds that it looks just like the site they wanted to visit, and begins to interact with it by “logging in” or accessing content, a couple of very malicious things can happen. First, malware can be downloaded as the visitor clicks on what they think is real content; once downloaded, the malware can inject a virus into the person’s computer that captures sensitive personal data such as credit card numbers, social security numbers, and yes, even specific targets such as tax return information and files. The second thing that may occur is that the person attempts to log in to the rogue site, perhaps thinking it is their bank, credit card site, or another ecommerce site. Once this logon information is captured, the criminals can access the real site and either steal just the information, or effect a transfer of funds and drain a bank account or max out a credit card in no time.
To protect yourself online from “Typo-Squatter” scams you should always do the following:
- If it is your bank or other financial services site, confirm that it is the site you intended to reach by reviewing what actually appears in the address bar and confirming that the site’s certificate is valid. When in doubt, close the browser session, clear the browser cache and cookies, then launch a fresh browsing window and re-enter the correct site address.
- Never allow your browser to store user IDs and passwords to financial sites ever!
- If you feel you need to bookmark the sites for your financial life so you remember all of your bill paying and financial services sites, do not use the browser bookmark manager. Keep a spreadsheet with the addresses cut and pasted into the sheet (be sure that they are the actual, real addresses), save the sheet under some boring, uninteresting file name that gives no hint as to its contents, and then password protect the sheet as well. DO NOT list the IDs and passwords for each site on the worksheet. This way you can always reach your financial sites with clean URLs, which reduces the risk that they may be captured by malware and reduces the risk that you may be misdirected to a rogue emulated site through a “Typo-Squatter.”
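As an added example (not part of the original post), the check in the first bullet can be partly automated: before logging in, compare the host in the address bar against the short list of financial sites you actually use. An exact match on the registrable domain passes; a host within a couple of character edits of a trusted name, a trusted name under a different extension such as .co, or a trusted name buried as a subdomain of some other registered domain is flagged as a likely typo-squat. The trusted hostnames below are constructed placeholders, and the "last two labels" rule for the registrable domain is a simplification (real code would consult a public-suffix list).

```python
"""Flag near-miss hostnames before you log in (added example, not the post's code)."""
from urllib.parse import urlsplit

# Constructed placeholders for the sites you really use; not real endorsements.
TRUSTED_HOSTS = {"examplebank.com", "examplecard.com"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic O(len(a)*len(b)) dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Simplification: treat the last two labels as the registered domain.
    A public-suffix list would be needed to handle names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(url: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """Return 'trusted', 'unknown', or a 'suspicious: ...' explanation."""
    if "://" not in url:           # allow a bare host as typed in the address bar
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    reg = _registrable(host)
    if reg in trusted:
        return "trusted"
    for t in sorted(trusted):
        brand = t.split(".")[0]
        # One or two typos away from a real site (examplebnak.com, exampIebank.com, examplebank.co)
        if _edit_distance(reg, t) <= max_distance:
            return f"suspicious: looks like {t}"
        # Real brand name appears, but the registered domain is something else entirely
        if brand in host and reg != t:
            return f"suspicious: contains {brand} but registers as {reg}"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.examplebank.com/login", "examplebnak.com",
              "https://examplebank.com.evil.example/login", "https://unrelated.example/"]:
        print(u, "->", classify_host(u))
```

The function only warns; it does not replace looking at the certificate. A host classified as "unknown" is simply not on your list, which for a financial login is itself a reason to stop and re-enter the address from your own record.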
May 21, 2013 8:02am PST Wrally Dutkiewicz MBA CFE
Small firm RIA Compliance is more than a daily to do list
It is a challenge for a small independent Registered Investment Advisor (RIA) to manage its governance, risk, and compliance (GRC) program effectively and still deliver a high quality advisory service to its clients. All too often, the Compliance Officer of the RIA is a revenue producing principal who needs to balance his or her attention between managing clients and their invested assets and overseeing the RIA’s GRC program. Over time the RIA compliance activities may devolve into a mere daily “to do list” for the Compliance Officer and, unfortunately, larger and more dire risks to the RIA may go overlooked because the Compliance Officer’s attention was diverted. An effective RIA GRC program goes well beyond simple checklists and “to do” lists, and in a small firm RIA, where there is minimal separation (if any) between the revenue producing activities of supervising principals and their compliance oversight, the need for close oversight of advisor and client activities is even greater. A small firm RIA can clearly benefit from engaging an RMaaS (Risk Management as a Service) provider for GRC support, a sober second look at the RIA’s ongoing business operations, and ongoing support as the RIA’s “virtual” Compliance Officer in the following areas:
- Client Account Monitoring
- Email Surveillance
- Firm-Wide Risk Management
- Information Security
- Technology & Systems Management
- Internal Audit
- Regulatory Compliance & Reporting
April 28, 2013 8:02am PST Wrally Dutkiewicz MBA CFE
Java Based Exploits Continue to Plague Users
Everything runs on Java. It is unavoidable. Well, except when you disable it for all the plugins in your browser, rendering the browser a productive tool just a cut above wallpaper as a result? The problem is not that Java in itself is bad. It is not. It is the fact that millions of users are running old versions of the most popular browsers that have not been kept current with security updates, upgrades and patches. Too many of us are guilty of clicking "NO" to the Java update or browser update because it may delay getting onto the internet, or, if you have my kind of update/patch luck (which routinely strikes at 4pm on Fridays), people just don't take the time to keep things current. A few minutes of prevention to keep your system current beats hours of downtime once your system has been compromised.
April 12, 2013 6:02am PST Wrally Dutkiewicz MBA CFE
Don't Let Your Mobile Device Compromise Your Cloud Security
Here is the scenario: you are in a rush, harried, you need to access a client's account record quickly, and you pull up the information that was cleverly stored in a cloud environment through your mobile device. Great! You get the information back to your client quickly and they think you are the best thing ever! Fantastic! Over the course of a month you may do this countless times. One question though: how often do you clear your mobile device's cache memory and file download folders? Never? That is a problem. Mobile devices store partial and even complete copies of files that the user has recently viewed. It is such a simple thing, but it can have huge consequences should any of the client's information get loose into the public eye. Be sure to clear your device's cache and recently viewed folders daily to ensure you aren't inadvertently defeating your own cloud security measures.
April 8, 2013 7:02am PST Wrally Dutkiewicz MBA CFE
Yontoo takes a bite out of Apple's Mac OSX
Of all the Mac OS X Trojans that are out there, Yontoo has to be one of the most annoying. The Yontoo Trojan harks back to the early days of the internet in the way it generates annoying ads and inserts them into the pages the user visits. It is relatively benign, for now, except for the fact that Yontoo installs a browser plugin into Chrome, Safari, and Firefox that tracks and stores the user's browsing habits. Yontoo then inserts ads into the pages that the user visits.
For help removing the Yontoo Trojan, follow the following link to Apple's Support Discussion board:
April 3, 2013 7:37am PST Wrally Dutkiewicz MBA CFE
Don’t Let “Bring Your Own Device” become “Bring Your Own Demise”
It can be such a simple thing. A client emails you with questions about the work you are going to do for them, and attached to the email is your company’s new client intake form with their personal information and even a credit card number to pay your initial fee. You are sitting in your favorite coffee shop connected to its Wi-Fi, you notice the email, read it, then open the attachment, which is downloaded and saved to your phone. Routine. Typical. In fact you may have read, opened and saved the same type of company form many times over the last six months, and without even thinking about it your phone has become a storehouse of your clients’ personal information. So what would happen if you lost that phone? Would you be able to wipe the information off the phone remotely? How about that coffee shop Wi-Fi? Could your phone have been hacked while you were in the coffee shop without you even knowing it?
Recent reports have indicated that one type of phone is no better than the other when it comes to security. iPhones and Android devices both have physical and logical vulnerabilities that have allowed the theft of personal information from the devices. If the device is to be used for business, it is critical that the necessary precautions are taken to ensure that the device can be made secure. The following are some ways that you can protect your phone from prying eyes and safeguard the information that is accessed by the device:
- Use your device’s password protected screen lock utility.
- Install a Network Access Control tool on the device. This utility controls who can use the device, what the device can access, and where the device can be used, and restricts the information that is allowed to be stored on the device.
- Install an encrypted file manager tool that adds an additional layer of security when you are accessing files that are stored in a cloud environment and also creates a secure space on your device to store downloaded files.
- Create a secure browser for your business that only registered mobile devices are allowed to use. Through a secure browser you can control the way your business information is accessed and avoid the issues that a generic, unsecured browser creates.
March 27, 2013 7:35am PST Wrally Dutkiewicz MBA CFE
Protect Your Business from Phishing:
Internet use has become a crucial business necessity for accessing online applications, interacting with customers and business partners, and conducting marketing activities. The ease of access and high functionality that make the internet a useful business tool can also open the door to outsiders who wish to gain access to your business information and applications. In a Phishing scam the theft of information is accomplished through misdirection: users are fooled into voluntarily giving up their personal and business information. It is important to ensure that your business has a well formulated policy on appropriate internet use in the workplace and that ongoing training and resources are provided to employees. To help protect your business and your employees from falling victim to a Phishing scam, one critical step is to ensure that the web browser in use is set up with the appropriate security and privacy settings and that employees know to access only sites that present a verified security certificate. Other browser specific settings and measures can be found by visiting the following browser specific resources:
March 20, 2013 7:28am PST Wrally Dutkiewicz MBA CFE
2013 HIPAA/HITECH Act Omnibus Rule: What a Small Health Care Provider Needs to Know
The new 2013 HIPAA/HITECH Act Omnibus Rule poses significant issues, challenges and penalties for all health care providers, but small providers will be disproportionately impacted because of its sweeping scope and new requirements for the management of Electronic Personal Health Information (EPHI), which will stretch the limited resources of small providers and potentially put them at risk of regulatory noncompliance. The new provisions of the HIPAA Omnibus Rule take effect March 26, 2013, and all covered entities, including business partners, vendors, and associates, must be compliant by September 23, 2013.
The portion of the Omnibus Rule that marks a significant change in violation enforcement was the removal of the requirement for the Department of Health and Human Services (HHS) to first employ an informal remedy for HIPAA violations. The HHS will now be required to review and investigate all complaints alleging violations and move directly to punitive regulatory and civil sanctions that will range from $100 to $50,000 per occurrence with $1.5 million as the calendar year maximum for identical violations. The Rule also broadened its scope of covered entities to include vendors and other business partners that support provider operations. This means that not only the provider can be found culpable if an EPHI security breach occurs, but its business partners can also be subject to Omnibus Rule sanctions as well.
Key provisions of the Rule that small providers should pay attention to include:
- Have suitable safeguards in place to mitigate the risk of an EPHI breach occurring, such as performing a vulnerability and risk assessment, employee training on HIPAA compliance, and the appointment of an information security officer or other designated individual responsible for overseeing HIPAA compliance within the organization and its business partners;
- Ensure all systems are HIPAA compliant including the new definitions relating to electronic media storage;
- Institute appropriate response procedures to be compliant with the new "Breach Notification" requirements of the rule.
March 18, 2013 8:27am PST Wrally Dutkiewicz MBA CFE
Small Businesses Suffer the Most When Victims of Fraud
Fraud can occur in any business of any size, but the impact that fraud has on a small business is much greater than on a larger business. Small businesses have limited financial and operational resources to begin with, and when a fraud has been committed against a small business its impact can create a significant interruption or even lead to the cessation of the business altogether. It is even more important, then, for a small business to have a written internal controls plan as part of its overall risk management plan that will mitigate the risk of fraud. The following are key elements to include within an internal controls plan:
- Employee Supervision – ensure that a supervisory system is in place to monitor employee business activities and communications;
- Clearly Defined Employee Duties – ensure employee workflow tasks are clearly outlined with procedures and that appropriate separation of duties exists to reduce the internal risk of an employee having too much control over financial transactions, accounting, and records management;
- Perform due diligence reviews on outside business partners and suppliers and monitor accounts payable transactions;
- Audit information systems to ensure appropriate security measures are in place;
- Have periodic business risk and financial operations audits conducted by an outsider to provide a sober second look at the business.
March 15, 2013 6:47am PST Wrally Dutkiewicz MBA CFE
Using Pirated Software Poses Significant Risks to Small Business
Small businesses are very susceptible to falling victim to the malicious effects of pirated software because they often use low cost software resellers and information technology consultants, or buy directly from online sellers. Some of these discount resellers and online distributors sell pirated software that is often used primarily to deliver malicious applications and viruses, which all too often target a business’s financial applications and banking information. Pirated software can also lead to significant business interruption: information stored in the application may be lost should the application crash, and, more importantly, the application may not receive the new security patches and upgrades recommended by the original publisher because the pirated version cannot install the update/upgrade package. There are several things that a business can do to ensure that the software applications it purchases are secure and are not pirated material:
- Only make software purchases from approved and reputable vendors;
- Ensure that all software licenses and certifications are consistent with the publisher’s information and match the product that was purchased;
- Have a policy in place that prohibits employees from downloading and installing software without approval;
- Consider subscribing to virtual software application services from reputable Software-as-a-Service (SaaS) providers as an alternative to locally installed software applications and receive the benefits of up-to-date security and software upgrades without having to manage locally installed versions.
March 13, 2013 7:48am PST Wrally Dutkiewicz MBA CFE
Not Reporting Data Breaches Can Cause a Small Business to Run Afoul with the Law
It is all too common for small business owners to believe that because of their size they are immune from being targeted by cyber-criminals, and that should they suffer a data breach, it would be so small that it would not have to be reported and customers would not have to be informed. The truth of the matter is that under the laws of forty-six states data breaches are required to be reported and customers have to be informed, and failure to follow the laws governing data breaches can lead to significant fines reaching into the tens of thousands of dollars. Furthermore, failure to inform customers that their information has been lost can expose a business to significant civil litigation and punitive damages on top of the regulatory fines. A recent study showed that of the small businesses that had suffered a data breach, only a third had informed their customers. Clearly this exposes a small business to significant risk.
March 11, 2013 7:40am PST Wrally Dutkiewicz MBA CFE
Ensure Due Diligence Process is in Place when Extending Credit
A comprehensive risk management plan for a business incorporates measures that mitigate the financial risk of extending credit to customers to purchase goods and services. It is extremely important for a business that extends credit to have a strict process in place, to ensure that employees are trained on which customers qualify for credit, and to define how the process will be managed and monitored. The most basic form of extending credit to a customer involves extended payment terms such as thirty, sixty, and ninety days, and there are many industries where extended payment terms are the norm. In other instances a business may offer goods and services on a monthly installment plan in order to attract a wider customer base that otherwise would not be able to make the purchase in cash or within a couple of months. In both instances there is tremendous risk to the business in the absence of tight internal controls. The following are key components to managing the risk of extending credit:
- Qualify customers and verify information provided;
- Ensure employees are trained to follow credit procedures and train them to recognize red flags especially customers that are unusually curious about the internal procedures for securing credit;
- Have a system in place to monitor outstanding credit and follow up quickly on late paying accounts;
- Place limits on new customers and build experience with their buying habits before extending credit for longer terms or installment plans;
- Periodically audit credit approval and processing procedures to ensure that employees are following them and that there are no supervisory gaps in the process;
- Limit the amount of credit to be extended on an annual, quarterly and monthly basis;
- Be aware of the rules and regulations that may affect your business when extending credit and seek professional advice to ensure your business is compliant.
March 6, 2013 6:40am PST Wrally Dutkiewicz MBA CFE
Securing Your Business Identity
Much in the same way that an individual’s personal identity can be stolen and used to secure credit and steal money from bank accounts, a business identity can likewise be hijacked by criminals to secure credit, steal goods and services, and even emulate the business online and dupe customers into providing personal and credit information. Often, when a business identity is hijacked, it goes undetected for some time, and it can impact the reputation of the business, lead to disgruntled customers and the loss of vendor support and credit facilities, and cause severe financial impairment of the business.
Key things that a business can do to protect its identity are:
- Have a credit report run for the business on a quarterly basis as part of routine financial reviews;
- Have a business name search conducted periodically to be aware of closely similar names and how they are presented to the public;
- Have a search alert set up for your business name; it may provide a warning that some entity is presenting itself as your business online. Search for your business name under other web address extensions such as .co and .net as well;
- Conduct a periodic audit of the originating IP addresses of visitors to your website to identify potential phishing and business emulation schemes. Key IP addresses to note are those from odd countries of origin that are not consistent with whom you do business, especially if your target audience is local or strictly domestic;
- Train employees handling accounts payable to verify vendor information on invoices and ensure that accurate reconciliations are done to match goods and services requests with incoming invoices, and that the invoices themselves are legitimate. When in doubt ensure employees are verifying amounts and payment instructions with representatives of the vendor.
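The IP origin audit in the bullets above, as an added example that is not part of the original post. It reads web server access log lines in the Combined Log Format (the sample lines below are constructed), maps each client IP to a country through a small prefix table that stands in for a real GeoIP database (an assumption; the prefixes are documentation ranges), and flags requests from countries outside the ones you expect to do business with. It also applies a common emulation heuristic: a cloned copy of your site often loads your images and stylesheets directly from your server, so a foreign Referer host that is not your own domain is worth a look. OUR_HOST and EXPECTED_COUNTRIES are placeholder settings.

```python
"""Origin-country and hotlink audit of a web access log (added example, not the post's code)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample in Combined Log Format (IPs are from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2013:07:28:01 -0800] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example-biz.co/" "Mozilla/5.0"
198.51.100.23 - - [04/Mar/2013:07:29:10 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2013:07:30:44 -0800] "GET /contact.html HTTP/1.1" 200 1500 "http://example-biz.com/index.html" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2013:07:31:02 -0800] "GET /css/site.css HTTP/1.1" 200 900 "http://example-biz.co/" "Mozilla/5.0"
"""

# Assumed placeholder lookup; a real audit would query a GeoIP database instead.
GEO_TABLE = [
    (ip_network("192.0.2.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("203.0.113.0/24"), "XX"),   # "XX" stands for an unexpected country
]

OUR_HOST = "example-biz.com"          # placeholder for your real domain
EXPECTED_COUNTRIES = {"US", "CA"}     # placeholder for where your customers actually are

# client ip, request path, status, referer (Combined Log Format)
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)


def country_of(ip: str) -> str:
    """Longest-prefix lookup is unnecessary here; the table has no overlapping networks."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def audit_access_log(text: str) -> dict:
    by_country = Counter()
    foreign_ips = set()
    hotlink_referers = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not parse
        ip, _path, _status, referer = m.groups()
        cc = country_of(ip)
        by_country[cc] += 1
        if cc not in EXPECTED_COUNTRIES:
            foreign_ips.add(ip)
        # A Referer from a host that is not ours means another page embedded our content.
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host and ref_host != OUR_HOST and not ref_host.endswith("." + OUR_HOST):
            hotlink_referers[ref_host] += 1
    return {
        "by_country": dict(by_country),
        "foreign_ips": sorted(foreign_ips),
        "hotlink_referers": dict(hotlink_referers),
    }


if __name__ == "__main__":
    for key, value in audit_access_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log the interesting output is the hotlink_referers table: a lookalike domain such as example-biz.co that keeps pulling your logo and stylesheet is the signature of a cloned site, and the matching foreign IPs tell you who is building it.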
March 4, 2013 7:28am PST Wrally Dutkiewicz MBA CFE
Securing Business Operations through Periodic Audits
The worst risk that a business faces is the one that goes undetected for a prolonged period of time. Even with a secure information system, a robust financial reporting system, and a professional management team, there are times when a business may fall victim to a rogue employee or professional service provider, such as an accountant or lawyer, who chooses to abuse the trust the firm has placed in them and intentionally devises a practice to defeat the firm’s internal controls, whether to mask an error, cover up an embezzlement, or hide the trail of a vendor kick-back scheme. It is an unfortunate fact that most asset misappropriations and embezzlements go on for some time before they are detected. Firms can benefit from having a business risk assessment performed by an outside RMaaS provider in the following ways:
- An inventory of critical information assets is established;
- A workflow process map is created that encompasses manual and application based activities;
- Areas of risk are identified;
- The potential for early detection of asset misappropriation or embezzlement.
February 27, 2013 7:01am PST Wrally Dutkiewicz MBA CFE
Closing the Loop within Information Security
Information security applications provide businesses with critical information about threats to their data, including real time monitoring and reporting on access to at-risk critical applications. The information provided to the business is only as good as the response the business mounts when an event occurs, and all too often there is no clear path or procedure in place that employees can follow to manage the response. This is where a comprehensive information security policy can provide the firm not only with the appropriate tools to manage information security events, but also with the means to manage the information security resource proactively and ward off many events before they even occur. An RMaaS provider can give a business a holistic view of its operations and will work with the business to create its own unique operational risk management strategy, including a comprehensive information security policy. Key elements of an effective information security policy include:
- procedures for employees to follow when an event occurs;
- an inventory of critical data and the usage, access, and management policies relating to it;
- provisions for periodic holistic audits of information assets;
- periodic capability due diligence reviews of vendor/partners to ensure capabilities and their information security policies and infrastructure are consistent with the firm’s.
February 25, 2013 @ 6:52am PST Wrally Dutkiewicz MBA CFE
Manual Business Processes Can Create Risk
Every business has them: those everyday routine manual business process tasks that get done because they have always been done, since time immemorial, and lie below the radar of any thought of process automation. Unfortunately many of these low key activities can have a negative cumulative effect and expose the business to significant risk if the information used in the process gets lost or is stolen. There is also the risk that, for one reason or another, such as increased business volume, employees may not have the time to keep current and effectively execute the manual processes, or may fall behind on completing them, with the result that some other, more critical task is not completed thoroughly or is completed on incomplete information. This potential “upward domino” effect can impact even the best information system, because incomplete input data may creep into the critical system’s data set and cause a negative ripple effect on reporting and monitoring functions. An RMaaS provider can help a business avoid the risk associated with manual processes by conducting a thorough business activity study and mapping out all potential areas of risk. Once identified, those risks can be matched to automated solutions that may already reside within the firm’s technology infrastructure, or appropriate vendor sourced solutions can be sought out to mitigate the risks. The net result to the firm is increased process efficiency, and when a firm becomes more efficient and less time and money is spent on completing non-revenue producing activities, this translates into higher net revenue to the firm, which is always a good thing.
February 22, 2013 @ 6:57am PST Wrally Dutkiewicz MBA CFE
Email Security – Be Careful What You Open
With the current round of Zero-Day attacks that exploit a weakness in Adobe Reader and Acrobat, two popular document applications whose files are among the most frequently sent as email attachments, it is important for businesses to ensure that appropriate information security measures and policies are in place to mitigate the risk of viruses and malware being inadvertently downloaded. The impact that viruses and malware have on a business can be quite extensive, including the loss of critical customer identity information and intellectual property, and simply the downtime that may occur should control of the infected computer or network be hijacked. Knowing about and keeping abreast of new threats and the methods by which viruses and malware are being delivered is an essential part of an effective email security policy.
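An added example, not from the original post, of the kind of attachment screening an email security policy can back with tooling. It builds a constructed test message with four attachments, then triages each one: executable and script extensions are flagged outright, a file claiming to be a PDF is checked for the %PDF- header, and a genuine PDF is scanned for the active-content keywords (/JavaScript, /JS, /OpenAction, /Launch, /AA) that static PDF scanners commonly treat as a reason for closer inspection, since they let a document run script or trigger an action on open. The sender, recipient and filenames are placeholders; the keyword list is a heuristic, not a verdict, and a clean result does not prove a file is safe.

```python
"""Triage email attachments before anyone opens them (added example, not the post's code)."""
import email
from email import policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar", ".hta"}
# PDF features that let a document run script or fire an action on open.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def build_sample_message() -> bytes:
    """Constructed message with one benign PDF, one PDF carrying script,
    one non-PDF renamed to .pdf, and one executable."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.net"       # placeholder addresses
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    benign = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
    active = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
    not_a_pdf = b"MZ\x90\x00 this is not a PDF"
    msg.add_attachment(benign, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(active, maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(not_a_pdf, maintype="application", subtype="pdf", filename="notice.pdf")
    msg.add_attachment(b"...", maintype="application", subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


def assess_attachment(filename: str, payload: bytes) -> list:
    """Return a list of reasons to hold the attachment; empty means nothing flagged."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    if ext in RISKY_EXTENSIONS:
        reasons.append("executable/script extension")
    if ext == ".pdf":
        if not payload.startswith(b"%PDF-"):
            reasons.append("claims PDF but lacks %PDF- header")
        else:
            found = [m.decode() for m in PDF_ACTIVE_MARKERS if m in payload]
            if found:
                reasons.append("PDF active content: " + ", ".join(found))
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map each attachment filename to its list of flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        results[name] = assess_attachment(name, part.get_payload(decode=True))
    return results


if __name__ == "__main__":
    for name, flags in triage_message(build_sample_message()).items():
        print(f"{name}: {'OK' if not flags else '; '.join(flags)}")
```

In a gateway this check sits alongside antivirus and patching rather than replacing them: keeping Reader and Acrobat current removes the weakness, while the screen keeps the attachments most likely to abuse it out of employees' inboxes.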
February 18, 2013 @ 8:48am PST Wrally Dutkiewicz MBA CFE
Managing Risk through Well Informed Employees
There should be no secret about the internal policies that your firm has implemented to guard against asset misappropriation, fraud, and information theft. Keeping your employees informed of the policies through periodic training, and requiring new employees to sign an acknowledgment of the policies upon hiring, can go a long way toward guarding against any internal threat because of the visibility of the internal controls program and your firm’s willingness to vigorously enforce sanctions should the policies be violated. Moreover, keeping employees informed about issues relating to fraud, asset misappropriation, and information theft, and providing a way for them to come forward and report concerns, can become a powerful risk management tool for any firm.
According to the Association of Certified Fraud Examiners (ACFE), most frauds are discovered by insider tips, which means that there is a tremendous benefit to fostering an open culture where employees see themselves along with the firm as victims of illegal acts committed by other employees, or by customers and vendors, and that it is their duty to report any suspicious activity. By enlisting employees into the firm’s risk management activities early detection can mitigate the full extent of potential losses resulting from the illegal acts. Key elements that employees should be informed about are:
- Internal Controls & Information Security Policy;
- Recognizing “Red Flags” relating to asset misappropriation, fraud, and information theft;
- Methods by which suspicious activity can be reported.
February 11, 2013 @ 8:37am PST Wrally Dutkiewicz MBA CFE
Is Your Smartphone Secure?
It is a practical reality today that the smartphone has become an indispensable business tool. On a daily basis people conduct an extraordinary amount of business on smartphones and well beyond the simple phone call. New product presentations are honed and rehearsed, documents are exchanged for collaboration, customer information is downloaded for meetings, and financial information and metrics are exchanged via email. The smartphone has indeed become a boon to productivity. It also can be the weakest link in a firm’s information security platform.
Recent studies by the National Cyber Security Alliance (NCSA), the Department of Homeland Security (DHS), and the Federal Communications Commission (FCC) indicate that only 1 in 20 smartphones have a third party antivirus application installed and fewer than 50% have enabled password protection for the device, while 20% of smartphone owners in the US have been the victim of a mobile cybercrime. Given the amount of business that is being conducted on smartphones it is an essential part of a firm’s information security risk management program to ensure that smartphones that are being used for business have been properly secured with passwords and have active antivirus and other information security applications installed and running.
February 6, 2013 @ 7:05am PST Wrally Dutkiewicz MBA CFE
Managing the Risk of Identity Theft
Collecting information from an SMB can be as easy as “dumpster diving”, where criminals routinely scour paper recycling bins and trash bins for copies of business forms, invoice envelopes, and discarded partial photocopies that may have credit card and invoicing information on them. Gaining access to electronic records may involve the outright theft of laptops and USB drives left unattended in public spaces, or deliberately breaking and entering into a business and stealing desktop computers and external hard drives. Beyond the “no-tech” theft of physical equipment and materials containing personal identity information, cyber criminals have found that information can be stolen from SMBs through phony emails emulating customers, vendors, and financial institutions, phishing scams, business website emulation, and by directly hacking into a vulnerable ecommerce website.
February 4, 2013 @ 7:49am PST Wrally Dutkiewicz MBA CFE
Using a Hybrid Cloud to Meet Business Needs and Fulfill GRC Requirements
There are times when a single cloud solution will not meet the business needs of an organization because of the sensitivity of its data and applications and its governance, risk, and compliance (GRC) requirements. In these instances deploying a hybrid cloud solution can provide the efficiency that is desired in managing data and applications while also meeting the challenge of protecting sensitive information. There are many non-critical applications that a firm can virtualize, such as desktops (DaaS) and specific non-critical software applications (SaaS), that can be managed more effectively by deploying them to a cloud. Some business sectors will find it challenging to determine how to manage critical information and applications that would not be suitable for cloud deployment, such as medical industry firms and insurance companies that must be HIPAA compliant, and financial services firms that must meet SEC Rules 17a-3 and 17a-4 regarding electronic file storage and Regulation S-P relating to consumer privacy. The best solution for these types of firms most likely would be a hybrid cloud, which would enable them to manage and meet the GRC mandated information storage requirements, yet allow them to derive the benefits and efficiency of managing non-critical information and applications in a cloud environment. It will be critical, though, to perform an extensive data inventory so that information subject to specific regulatory and compliance requirements that cannot go to the cloud is identified, and to have a system of check-back and monitoring in place to ensure that the deployed solution remains compliant going forward.
February 1, 2013 @ 7:36am PST Wrally Dutkiewicz MBA CFE
Fortifying and Securing Your Business Information
Small and medium-sized businesses are facing increasing challenges in protecting business information from hackers who are using ever more sophisticated methods to steal sensitive information from organizations. The traditional approach has been to ensure that business information was protected with a strong firewall and other anti-intrusion utilities, with the thought that information can be secured by stopping hackers at the front door. The reality is that the methods being used by hackers today require a more sophisticated and layered response to combat the threat.
A layered information security strategy will incorporate several elements, including maintaining a strong firewall as a first defense, but then structure the way information is managed behind the firewall in a layered and compartmentalized fashion. One way that data compartmentalization can be implemented is through the use of Digital Rights Management (DRM), where specific pieces of information have user rights encoded along with them that restrict access by non-authorized users even if they acquire the file. Information can also have embedded rights so that, when copied to an unauthorized device, it is encrypted in such a way that it can only be accessed using a specific key file. Keep in mind, though, that much planning must be done in advance when implementing a layered information security policy: because compartmentalization and DRM protect information precisely by restricting user rights, it is critical to create a business process and work-flow map and a data inventory to ensure that the appropriate users are matched with the correct access rights without impeding business activity.
January 28, 2013 @ 7:45am PST Wrally Dutkiewicz MBA CFE
Creating a BYOD and Data Portability Policy
The ability of your employees to easily access work information and collaborate with each other through mobile devices can be a real boon for your business, but it can also present some serious information security issues. The first issue that any firm needs to deal with, if it is going to allow data to be portable, is to outline what types of information will be allowed to be portable and what types of communication are acceptable, including which specific types of information may be included in emails, text messages, and virtual meetings. By specifically outlining what information cannot be stored in a portable way or cannot be communicated in any way, the risk of suffering a breach of sensitive information can be partially mitigated.
If your firm is to allow certain types of information to be portable and will allow employees to communicate and interact with information on mobile devices, there are two ways that you can create a workable platform for your firm. The first way is to allow your employees to communicate and interact with information under a BYOD (“Bring-Your-Own-Device”) approach, which in effect allows them to use their own personal mobile devices to interact with your firm’s information and to communicate with other employees. BYOD is a challenging approach because there is the risk that your employee is using the same device for personal use, and possibly interacting with data in an insecure way, while interacting with your firm’s sensitive information. Ensuring that your firm has a strong information security policy that is strictly enforced, and a robust access platform that provides layered security and a monitoring system, will mitigate the risk.
The second way involves your firm actually providing your employees with a mobile device. When a firm has a very strict requirement to protect sensitive information but also has a real business need to allow employees to interact with information on mobile devices, your firm can provide employees with the mobile device under a CYOD (Choose-Your-Own-Device) platform. This type of platform and security policy does allow the firm to control both the device and the information that the devices are allowed to interact with. There is a downside with CYOD in that your employees most likely will then have to carry two mobile devices, their personal device and their employer-provided device, and some employees will find this cumbersome. On the surface CYOD does appear to offer the most secure option, but in practice your employees may still attempt to use their personal device in some way, so it is critical to ensure that the platform prohibits any access to or export of company information to an unauthorized device. There will still be the challenge that employees may use their personal devices to communicate with each other about business outside your firm’s platform, using personal texts and email, which means that your firm should have a very strict and enforced policy should it be found that sensitive information has been communicated this way.
January 25, 2013 @ 7:25am PST Wrally Dutkiewicz MBA CFE
Information Security Goes Beyond Having Anti-Virus Applications
Effectively protecting your business goes well beyond having anti-virus applications running on your business systems. The pervasiveness of the threat that viruses pose to a business, the high likelihood that a data breach will occur, and the ensuing down time that will follow can have a tremendous impact on a business, both financially and in the form of lost confidence among customers. Every business needs to have a dynamic information security strategy that goes beyond the threats that viruses present and also considers how information is managed and secured across all business activities. A layered information security strategy incorporates the following elements:
- It must be a written policy and communicated to all employees;
- Creates an inventory of information and identifies what information is allowed to be portable and who has legitimate access to it;
- Designates who is responsible for information security within the company and outlines specific duties to ensure the policy is monitored and enforced;
- Creates an inventory of business systems and workflow processes, and defines the procedure for the periodic audit of those workflow processes and information systems to ensure they are still consistent with the information security policy.
January 23, 2013 @ 7:39am PST Wrally Dutkiewicz MBA CFE
Managing the Risk of Money Laundering in a Transaction Based Business
Money laundering can be disastrous for a small or medium-sized business because not only does the business lose the revenue from the illicit transactions, but it can suffer irreparable damage to its business name once news gets out that it was used as a money laundering agent. It is vital that the internal controls and ERP system, and specifically the accounting system, are able to identify suspicious transactions and that employees are trained to recognize red flags. Some types of businesses are more susceptible than others to being targeted by criminals and used to convert illicit cash into clean money. Businesses that deal in high volumes of high-priced merchandise are favorites, as are businesses that have a liberal return policy for merchandise. To understand how a business may unknowingly participate in a money laundering scheme, it is important to have some idea of how money laundering activities are conducted. There are three elements to a money laundering scheme:
- Placement – dirty money is placed with a business through the cash purchase of goods and has the appearance of being a legitimate transaction;
- Layering – Soon after the purchase of goods is made the items are then returned for a refund check. A refund check is preferable because it has the immediate appearance of legitimacy because it is drawn on the business’ account when deposited into a bank account controlled by the criminal. It is then quickly transferred to several other accounts at other banks;
- Integration - The funds resting in bank accounts are then used to make legitimate purchases of financial investments, real estate and luxury goods.
The ERP system and internal controls policies should be able to catch the following money laundering red flags:
- High incidence of returns;
- Unusually high value cash purchases;
- Alternate payee instructions for refunds;
- Alternate address for sending refund checks;
- Compare address iterations (i.e. “123 Any Street, Apt 23” versus “#23 – 123 Any Street”).
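The following is an added example, not the author's code, of how an accounting or ERP system could screen sales and refund records for the red flags above; the record layout, the thresholds and the sample transactions are constructed for illustration, and the address normalizer is a simple token-based approach that treats "Apt 23" and "#23" as the same unit designator.

```python
"""Screening sales and refund records for the money-laundering red flags listed
above. Added illustration, not the author's code: the record layout, the
thresholds and the sample transactions are constructed for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Sale:
    sale_id: str
    customer: str
    amount: float
    tender: str    # "cash" or "card"
    address: str   # address recorded with the sale


@dataclass
class Refund:
    sale_id: str
    payee: str     # name the refund check is made out to
    address: str   # address the refund check is mailed to


# Thresholds are constructed for the example; tune them to the business.
HIGH_CASH_AMOUNT = 10_000.0   # cash purchases at or above this are unusual
RETURN_RATIO_LIMIT = 0.5      # refunds / sales at or above this is a high incidence
MIN_SALES_FOR_RATIO = 2       # do not compute a ratio for one-off customers
_UNIT_WORDS = re.compile(r"\b(apt|apartment|unit|suite|ste)\b")


def normalize_address(addr: str) -> tuple:
    """Canonical token tuple, so that iterations of one address such as
    '123 Any Street, Apt 23' and '#23 - 123 Any Street' compare equal."""
    text = _UNIT_WORDS.sub("unit", addr.lower().replace("#", " unit "))
    return tuple(sorted(re.findall(r"[a-z0-9]+", text)))  # drops commas, dashes


def screen(sales, refunds):
    """Return {sale_id or 'customer:<name>': [red flags]}."""
    by_id = {s.sale_id: s for s in sales}
    flags = defaultdict(list)
    sales_per_cust = defaultdict(int)
    refunds_per_cust = defaultdict(int)
    for s in sales:
        sales_per_cust[s.customer] += 1
        if s.tender == "cash" and s.amount >= HIGH_CASH_AMOUNT:
            flags[s.sale_id].append("high_value_cash_purchase")
    for r in refunds:
        s = by_id.get(r.sale_id)
        if s is None:
            continue  # refund with no matching sale: out of scope here
        refunds_per_cust[s.customer] += 1
        if r.payee.strip().lower() != s.customer.strip().lower():
            flags[r.sale_id].append("alternate_payee")
        if normalize_address(r.address) != normalize_address(s.address):
            flags[r.sale_id].append("alternate_refund_address")
        elif r.address != s.address:
            flags[r.sale_id].append("address_iteration")  # same address, rewritten
    for cust, n_sales in sales_per_cust.items():
        if n_sales >= MIN_SALES_FOR_RATIO and refunds_per_cust[cust] / n_sales >= RETURN_RATIO_LIMIT:
            flags[f"customer:{cust}"].append("high_return_incidence")
    return dict(flags)


# Constructed sample records: one customer buys twice for cash and returns both.
SAMPLE_SALES = [
    Sale("S1", "A. Buyer", 12_500.0, "cash", "123 Any Street, Apt 23"),
    Sale("S2", "A. Buyer", 9_800.0, "cash", "#23 - 123 Any Street"),
    Sale("S3", "B. Regular", 450.0, "card", "9 Oak Lane"),
]
SAMPLE_REFUNDS = [
    Refund("S1", "C. Other", "#23 - 123 Any Street"),   # new payee, same address rewritten
    Refund("S2", "A. Buyer", "77 Elsewhere Road"),       # check mailed somewhere else
]
```

Running `screen(SAMPLE_SALES, SAMPLE_REFUNDS)` flags S1 for the high-value cash purchase, the alternate payee and the rewritten address, S2 for the alternate refund address, and the customer for a high incidence of returns.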
January 21, 2013 @ 6:25am PST Wrally Dutkiewicz MBA CFE
SMB Governance and Cloud Deployment
Moving ERP and other applications into a cloud environment has many benefits for an SMB mostly in the manner in which it is able to leverage its IT and other non-revenue producing activity dollars by accessing platforms (PaaS) and applications (SaaS) in an efficient and optimal way without continuing to dedicate considerable internal resources to manage them. There is however a trade-off that is made with cloud deployments in the form of additional governance, risk and compliance (GRC) requirements that the business will have to address. SMBs have to update internal control policies and procedures to reflect the new issues that accompany a cloud deployment. The key control policy areas that need to be addressed are:
- Identification and inventory of data and applications that are suitable to be deployed to the cloud;
- Information Security when data is in transit between the company and the cloud provider;
- Information Security when data is “at rest” with the cloud provider;
- Replication, redundancy and restore procedures;
- Access issues and contingency policies should the cloud provider suffer an outage.
January 16, 2013 @ 7:41am PST Wrally Dutkiewicz MBA CFE
Each business is unique... just like a fingerprint.
The very thing that differentiates one business from another is the very thing that makes each business unique and competitive. Much time is spent in developing ways to differentiate a business from that of its competitors, whether the focus is on quality, service, features and benefits, or cost. The manner in which a business is managed, its culture, and the methods by which it provides its products and services all contribute to the uniqueness of the business. All the processes found within a business, its information system, accounting procedures, marketing programs, and the manner in which it engages its clients all serve to form the “fingerprint” of a business.
If a business were to have a nerve center it would surely be its information system. It is the conduit by which all information about the activities that the business is engaged in is exchanged, recorded, and analyzed. Due to its vital position within the firm, it requires the most attention to secure and ensure that its integrity is maintained. However, a single “every solution fits all” approach to information security is not appropriate as each business demands its own unique solution to reflect the inherent “fingerprint” of its business activities. Developing a robust information security policy that reflects the unique requirements of each business is the first step in creating an organization wide information management platform. The key element to developing an information security policy is having a complete inventory of an organization’s information assets. This inventory map is the data “fingerprint” that is to be used as the criteria when evaluating Managed Security Service Providers (MSSP) and cloud providers. It is critical to perform thorough capability due diligence evaluations of MSSP and cloud providers to ensure that an organization has a clear understanding of:
- Where the line of information security responsibility lies between the organization, the MSSP, and cloud provider;
- What information and applications are suitable to be hosted in a cloud environment given the business and security requirements needed;
- What the full liability would be and with whom would it rest should an information breach occur.
January 14, 2013 @ 7:23am PST Wrally Dutkiewicz MBA CFE
Is there puffery in your payables?
In business we engage in partnerships all the time, especially with the vendors that we count on to supply the goods and services that allow us to deliver on our promises to our customers. It is a relationship built on trust that the goods and services provided will be of high quality and provided at a price that is agreeable to us and in a range that is not out of the norm for our business space. In return we continue to trust in the vendor and pay them according to their terms and with this exchange both of the businesses continue to grow and prosper.
However, trust can only be earned through experience and knowledge: knowing that the goods and services are of high quality, and knowing that the prices at which they are delivered are indeed within the acceptable range for our business space. The only way that you can have solid confidence and trust in your vendors is by actually verifying that they are delivering on what they promised you. There are a number of things that you can do to manage the risk of paying overstated invoices or invoices for poor quality goods and services:
- Ensure that you have an information system in place that can produce periodic reports showing the vendor payable trend over an extended period of time, and analyze any rising payable amounts so that there are clear explanations for the increases;
- Ensure that physical returns or service terminations are tracked in a data file including the reasons for them as they can be indicators of poor quality components, or poor vendor service;
- Keep up to date industry vendor information and periodically check the price that you are receiving and ensure your business intelligence system is updated with the data;
- Perform a periodic audit on accounts payable to vendors and match against the actual record of goods and services received.
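As an added example (not the author's code), the three checks below implement the payable trend report, the price comparison against current vendor pricing, and the accounts-payable-to-goods-received match from the list above; the invoice and receipt records, reference prices and thresholds are all constructed.

```python
"""Accounts-payable controls for the vendor checks listed above: payable trend
per vendor, unit prices against a reference list, and invoiced quantities
matched to goods actually received. Added illustration, not the author's code;
records, reference prices and thresholds are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Invoice:
    vendor: str
    period: str       # reporting period, e.g. "2012-Q3"
    sku: str
    qty: int
    unit_price: float

@dataclass
class Receipt:            # goods-received record from the warehouse
    vendor: str
    period: str
    sku: str
    qty: int

TREND_LIMIT = 0.25        # flag a period-over-period rise in payables above 25%
PRICE_TOLERANCE = 0.10    # flag unit prices more than 10% above the reference price


def payable_trend(invoices):
    """(vendor, period, rise) for each period whose payables rose by more than TREND_LIMIT."""
    totals = defaultdict(lambda: defaultdict(float))
    for inv in invoices:
        totals[inv.vendor][inv.period] += inv.qty * inv.unit_price
    alerts = []
    for vendor, per_period in totals.items():
        periods = sorted(per_period)          # "YYYY-Qn" labels sort chronologically
        for prev, cur in zip(periods, periods[1:]):
            if per_period[prev] > 0:
                rise = per_period[cur] / per_period[prev] - 1
                if rise > TREND_LIMIT:
                    alerts.append((vendor, cur, round(rise, 2)))
    return alerts


def price_check(invoices, reference_prices):
    """Invoice lines priced more than PRICE_TOLERANCE above the current reference price."""
    return [(inv.vendor, inv.period, inv.sku, inv.unit_price, reference_prices[inv.sku])
            for inv in invoices
            if inv.sku in reference_prices
            and inv.unit_price > reference_prices[inv.sku] * (1 + PRICE_TOLERANCE)]


def match_invoices_to_receipts(invoices, receipts):
    """Quantity billed minus quantity received per (vendor, period, sku); a
    positive value means the vendor billed for goods that never arrived."""
    billed, received = defaultdict(int), defaultdict(int)
    for inv in invoices:
        billed[(inv.vendor, inv.period, inv.sku)] += inv.qty
    for rec in receipts:
        received[(rec.vendor, rec.period, rec.sku)] += rec.qty
    return {k: billed[k] - received[k] for k in billed if billed[k] != received[k]}


# Constructed sample: Acme raises its bolt price 60% and bills 100 bolts never received.
SAMPLE_INVOICES = [
    Invoice("Acme Parts", "2012-Q3", "BOLT-10", 1000, 0.50),
    Invoice("Acme Parts", "2012-Q4", "BOLT-10", 1000, 0.80),
    Invoice("Beta Supply", "2012-Q3", "PANEL-A", 20, 120.0),
    Invoice("Beta Supply", "2012-Q4", "PANEL-A", 22, 120.0),
]
SAMPLE_RECEIPTS = [
    Receipt("Acme Parts", "2012-Q3", "BOLT-10", 1000),
    Receipt("Acme Parts", "2012-Q4", "BOLT-10", 900),
    Receipt("Beta Supply", "2012-Q3", "PANEL-A", 20),
    Receipt("Beta Supply", "2012-Q4", "PANEL-A", 22),
]
REFERENCE_PRICES = {"BOLT-10": 0.55, "PANEL-A": 125.0}   # current market prices (constructed)
```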
January 11, 2013 @ 7:06am PST Wrally Dutkiewicz MBA CFE
And the secret word is?
I was in a store recently making a purchase and the clerk made an error and had to void the transaction. Instead of calling for a manager, all the clerk did was look down to the card taped to the counter and enter the password into the terminal. Hopefully this store has many other checks and balances to make sure appropriate access and use is exercised by its employees, but it reminded me of just how often I come across this in businesses. All too often employees share passwords with each other just out of convenience, to get information without bothering the other person or to cover for someone that is on holidays and away from the office. Many times I have seen passwords taped to computer towers, the underside of keyboards, under the desk calendar, and my favorite was the scrolling screen saver with the password streaming across the screen. It is done all too frequently, and there is no easier way to defeat the most expensive, most secure, encrypted information system than with the use of a valid ID and password. A firm can protect its information assets by having a strict policy against sharing IDs and passwords, communicating it to employees, and then enforcing it through a system of monitoring and supervision.
January 9, 2013 @7:02am PST by Wrally Dutkiewicz MBA CFE
If you don’t ask, they won’t tell
It is an unfortunate consequence in business that organizations often fall prey to fraud. Whether it is perpetrated through the efforts of an unsavory customer, a corrupt vendor, or a rogue employee, all can damage a firm both financially and through the loss of reputation as well. The losses incurred by organizations can become quite significant because it is often the case that frauds go undetected for quite some time, leaving the organization in the precarious situation not only having to investigate the fraud, inform customers that may have been impacted, but in some cases, may face civil and regulatory sanctions.
To combat fraud, organizations not only have to have a well-formulated anti-fraud program that includes monitoring, surveillance, and proactive audit, but that program needs to be communicated throughout the organization to engage employees in it. According to the Association of Certified Fraud Examiners’ “2012 Report to the Nations on Occupational Fraud & Abuse”, frauds are most likely to be detected by a tip rather than by any other proactive risk management method. By engaging employees, asking for their input and assistance, making them aware of red flags that could be signs that a fraud is occurring, and empowering them to communicate suspected fraudulent activities through a “Tip Hotline”, employees can become an important component of an organization's anti-fraud risk management activity.
January 7, 2013 @7:30am PST by Wrally Dutkiewicz MBA CFE
Just because we "can"... "should we"?
In this fluid business age, where information is exchanged rapidly and a business can take a turn down the wrong avenue in a heartbeat, it is time that we all collectively re-think how risk is defined and actively mitigated for our organizations. Risk management used to be the "sober second thought" to business activities, and there was a time when sufficient opportunity was available to make necessary risk-based adjustments to business models as metrics dictated. However, we have seen a trend over the last decade that traditional risk measures have become inadequate, too static, and far too often backward looking, and truly do not provide organization leadership with the necessary risk-based information to make timely business decisions.
The solution is to introduce risk measures, information security, surveillance, and compliance early in the business product and service development life cycle so that from its inception they are part of the data points within the business model. This way risk management and compliance do not form a drag on business, but become an integral part of the decision to move forward with a new business activity, or continue with an existing one. For a change the "should we" will be at the forefront and included in a meaningful "can we" or that "yes we can" decision that forms risk adjusted business decision making.
January 4, 2012 @ 7:21am PST by Wrally Dutkiewicz MBA CFE
Gain Business through internal controls
Businesses rely on one another to source components, provide services, and sub-contract work to complete customer projects and orders. This is especially true for SMBs, which rely on coordinating outsourced work to compete with larger firms in the same business space. All it takes is one link in the partner business chain to have lax or insufficient internal controls or an ill-defined information security policy to leave the whole chain exposed to cyber threats, asset misappropriation and fraud.
It is critical to know how your business partner handles sensitive information, what their internal controls are, and what their information security policy is. Asking for this information should be part of your due diligence and business planning with your partners. By incorporating an information security policy requirement into your business partnerships you can gain the confidence of customers by displaying how their information will be used end to end and what your own business security and continuity plans are that will ensure you can deliver what you have promised to your customer.
January 3, 2013 @ 7:14am PST Wrally Dutkiewicz MBA CFE
Don't forget to put the proof in the pudding!
When companies create a new business process or engage in a new business activity, there is such a focus on the end result, which is to generate revenue, that a key element is often left out of the build. It is often the case that product development, marketing and IT have all coordinated to launch a new product or service, and only then does the compliance department or risk management department learn the full details of the new initiative and begin to draft written supervisory procedures (WSPs) and risk management policies from the outside in. This is the main reason compliance is often viewed unfavorably: it is often positioned outside the new business process development cycle.
If businesses would integrate risk and compliance into the information technology build process, new product development, or the sales activity process, risk management could contribute as an integral and valuable component of the business decision making process. This in essence would be putting the "proof" in the "pudding", as it were.
January 2, 2013 @ 7:35am PST Wrally Dutkiewicz MBA CFE