Protect Your Business from Fraud & Cyber Criminals
Fraud costs businesses on average 5% of revenue each year, according to the 2014 Report to the Nations by the Association of Certified Fraud Examiners (ACFE). Other statistics in the report indicate that the median loss is $145,000, with 22% of cases costing more than $1 million; the Oil and Gas industry has the third highest median loss at $450,000 per case; and the time required to uncover a fraud is around 18 months, according to the report.
Here are some tips to help your company protect itself from the very real threat of cyber security breaches.
Make Cyber Security Priority #1
Small to medium-sized businesses are increasingly targets of cyber criminals. While the rewards are not as big as at a major retailer such as Target, the defenses in small or medium-sized organizations are often non-existent or easily defeated. As larger enterprises develop more robust defense and response mechanisms, the crooks go after the easier targets.
As a minimum safeguard, invest in a firewall, as well as anti-virus, malware and spyware detection software. Backing up is also a must and will make it a lot easier for you to continue working in the event of a cyber-attack. Additional measures include conducting off-site backups, investing in virtual servers, having an outside party review your security, and building and testing a disaster recovery plan.
Protect Banking and Credit Card Transactions
This is a common area for fraud in many businesses. Fraud risks with respect to banking and credit card transactions range from an employee making unauthorized charges on a company credit card (or bank account) to theft of credit card and bank data by cyber criminals. Start by creating levels of authority for each transaction area and limiting access to account data.
Anytime a single employee is given the ability to initiate, record, and reconcile a transaction, the fraud risk is amplified. Do not store full credit card numbers online. If you accept credit cards in your business, make sure you are PCI compliant. The best defenses in this area include: Positive Pay with your bank, setting alerts on your accounts to report abnormal activity, telling your bank to reject incoming ACH debits to certain accounts, using a separate account for payments, using dual controls with your bank's treasury management system, locking up blank check stock, and performing a monthly reconciliation of credit card and bank accounts. Lastly, do not commingle personal and business accounts, as this increases your risk and could make income tax compliance more difficult.
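The two controls above that lend themselves to automation are segregation of duties (no one person initiates, records and reconciles the same transaction) and the monthly reconciliation. The following script is an added example, not code from the original post or from any product; it runs over a small constructed role table, transaction log and bank statement (all sample data, amounts in cents) and flags three things: users whose entitlements let them perform more than one of the three duties (a stricter reading than the post's "all three"), transactions where one user actually performed more than one step, and bank statement lines that do not match the ledger.

```python
"""Segregation-of-duties and reconciliation checks over constructed sample data.

Added example, not from the original post. Assumes:
  - a role table mapping each user to the duties they are entitled to perform
  - a transaction log with one row per (transaction, step, user)
  - a bank statement with one row per reference number
All three data sets below are constructed for illustration; amounts are in cents.
"""
from collections import defaultdict

# The three duties that should never sit with one person for one transaction.
SOD_DUTIES = ("initiate", "record", "reconcile")

# Constructed sample: what each user is permitted to do.
ROLE_TABLE = {
    "alice": {"initiate"},
    "bob": {"record"},
    "carol": {"reconcile"},
    "dave": {"initiate", "record", "reconcile"},  # toxic combination of duties
}

# Constructed sample transaction log for one period.
TRANSACTION_LOG = [
    {"txn": "T100", "step": "initiate",  "user": "alice", "amount_cents": 125000},
    {"txn": "T100", "step": "record",    "user": "bob",   "amount_cents": 125000},
    {"txn": "T100", "step": "reconcile", "user": "carol", "amount_cents": 125000},
    {"txn": "T101", "step": "initiate",  "user": "dave",  "amount_cents": 98000},
    {"txn": "T101", "step": "record",    "user": "dave",  "amount_cents": 98000},
    {"txn": "T101", "step": "reconcile", "user": "dave",  "amount_cents": 98000},
    {"txn": "T102", "step": "initiate",  "user": "alice", "amount_cents": 30000},
    {"txn": "T102", "step": "record",    "user": "bob",   "amount_cents": 30000},
]

# Constructed sample bank statement for the same period.
BANK_STATEMENT = [
    {"ref": "T100", "amount_cents": 125000},
    {"ref": "T101", "amount_cents": 980000},  # ten times the recorded amount
    {"ref": "T103", "amount_cents": 440000},  # nothing recorded in the ledger
]


def entitlement_conflicts(role_table):
    """Users entitled to more than one of the SoD duties (a standing risk,
    whether or not they have used it yet)."""
    return sorted(
        user for user, duties in role_table.items()
        if len(set(duties) & set(SOD_DUTIES)) > 1
    )


def log_conflicts(log):
    """(txn, user) pairs where one user performed more than one SoD step on
    the same transaction, i.e. the conflict actually occurred."""
    steps = defaultdict(lambda: defaultdict(set))
    for row in log:
        if row["step"] in SOD_DUTIES:
            steps[row["txn"]][row["user"]].add(row["step"])
    return sorted(
        (txn, user)
        for txn, by_user in steps.items()
        for user, performed in by_user.items()
        if len(performed) > 1
    )


def reconcile(log, statement):
    """Compare recorded ledger amounts with the bank statement by reference."""
    ledger = {row["txn"]: row["amount_cents"] for row in log if row["step"] == "record"}
    bank = {row["ref"]: row["amount_cents"] for row in statement}
    both = ledger.keys() & bank.keys()
    return {
        "in_bank_not_ledger": sorted(bank.keys() - ledger.keys()),
        "in_ledger_not_bank": sorted(ledger.keys() - bank.keys()),
        "amount_mismatch": sorted(ref for ref in both if ledger[ref] != bank[ref]),
    }


if __name__ == "__main__":
    print("entitlement conflicts:", entitlement_conflicts(ROLE_TABLE))
    print("conflicts in the log: ", log_conflicts(TRANSACTION_LOG))
    for name, refs in reconcile(TRANSACTION_LOG, BANK_STATEMENT).items():
        print(f"{name}: {refs}")
```

Integer cents rather than floating-point dollars keep the amount comparison exact. The entitlement check catches the risk before it is exercised, the log check catches it when it is, and the reconciliation surfaces the cases the post lists as warning signs: a bank debit with no ledger entry, a recorded payment that never cleared, and an amount that was altered somewhere between recording and the bank.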
Perform Employee Background Checks
One bad hiring decision can kill a business. On average, bad hiring decisions cost employers 30% of the annual salary, according to the U.S. Department of Labor. Preventing fraud starts with making the right hiring decision. Pre-employment background checks are a good business practice for any employer, especially for those employees who will be handling cash or high-value merchandise, or who will have access to sensitive customer or financial data. At a former employer we stated to all prospective employees that we drug test applicants, randomly test employees, and test 100% after all accidents. As a result, we received an automatic discount on workers' compensation insurance. All employees in finance, accounting or tax functions had regular credit checks performed, and bad credit could be grounds for termination. While this may sound extreme, most business owners do not want someone managing the finances of the business if the individual can't manage their own financial affairs. Be sure your practices are within state and local regulations.
IT General Controls and Related Policy is a Good Foundation
Another easy step you can take to protect your IT systems is to make sure your IT general controls are complete. A few points include ensuring you use:
- A robust password policy. Make sure you and your employees change passwords regularly (at least every 90 to 120 days is a good rule)
- Separate test systems from production systems (programmers sometimes do go bad)
- Secure servers protected from theft, fire, flood, and power outage, with redundant data connectivity. This greatly improves business continuity.
Training is a Great Investment
Associates are both the biggest asset and the biggest point of risk for fraud. Good training will make them your first and best line of defense. More fraud has been detected via employee tips than by any internal audit department. Create a safe and secure means for communicating tips in your company. Regular training sessions on basic security threats and prevention measures are helpful during onboarding of new hires and for all staff. Acceptable use policies are the foundation for good cyber usage that reduces risk. It is also important to have specific training on proper use of social media sites, complete with information such as what is considered confidential company information (e.g. financial and customer data). Establishing a tip line is the best investment in fraud reporting once your employees are educated.
For ideas on what to include in your training, check out my blog series on setting up a corporate training program.
Insurance against Fraud and Cyber-Crime Fills a Risk Gap
Fraud and cybercrime happen; and while coverage for damage is helpful, more importantly many insurance programs not only protect you against losses you may incur from crime or fraud, but also assist in developing a response plan and tools. Banks and credit card companies also provide proactive resources for cyber security and fraud protection.
Our team is experienced in helping clients review these potential gaps in infrastructure, ERP configuration, and related internal controls and reporting. So feel free to reach out should you have any questions.
– Software Delivered as Promised. No Surprises.