Prevent and detect insider cyberattacks

In one recent cybercrime scheme, a mortgage company employee accessed his employer’s records without authorization, then used stolen customer lists to start his own mortgage business. The perpetrator hacked the protected records by sending an email containing malware to a coworker.

This particular dishonest worker was caught. But your company may not be so lucky. One of your employees’ cybercrime schemes could end in financial losses or competitive disadvantages due to corporate espionage. 

Best practices

Why would trusted employees steal from the hand that feeds them? They could be working for a competitor or seeking revenge for perceived wrongs. Sometimes coercion by a third party or the need to pay gambling or addiction-related debts comes into play.

Although there are no guarantees that you’ll be able to foil every hacking scheme, your business can minimize the risk of insider theft by implementing several best practices: 

Restrict IT use. Your IT personnel should take proactive measures to restrict or monitor employee use of email accounts, websites, peer-to-peer networking, instant messaging protocols and file transfer protocols such as FTP.

Remove access. When employees leave the company, immediately remove them from all access lists and ask them to return their means of access to secure accounts. Provide them with copies of any signed confidentiality agreements as a reminder of their legal responsibilities for maintaining data confidentiality.

Don’t neglect physical assets. Some data thefts occur the old-fashioned way — with employees absconding with materials after hours or while no one is looking. Typically, a crooked employee will print or photocopy documents and remove them from the workplace hidden in a briefcase or bag. Some dishonest employees remove files from cabinets, desks or other storage locations. Controls such as locks, surveillance cameras and access restrictions can help prevent and deter theft.

Treat workers well. Create a positive work environment and treat employees fairly and with respect. This can encourage loyalty and trust, thereby minimizing potential motives for employee theft.

Wireless risk 

In addition to the previously named threats, your office’s wireless communication networks — including Wi-Fi, Bluetooth and cellular — can increase fraud risk. Fraud perpetrators can, for example, use mobile devices to gain access to sensitive information. One way to deter such activities is to restrict Wi-Fi to employees with special passwords or biometric access.

For more tips on preventing employee-originated cybercrime, or if you suspect a fraud scheme is underway, contact us for help.

© 2020 Covenant CPA

The COVID-19 pandemic and resulting economic impact have hurt many companies, especially small businesses. However, for others, the jarring challenges this year have created opportunities and accelerated changes that were probably going to occur all along.

One particular area of speedy transformation is technology. It’s never been more important for businesses to wield their internal IT effectively, enable customers and vendors to easily interact with those systems, and make the most of artificial intelligence and “big data” to spot trends.

Accomplishing all this is a tall order for even the most energetic business owner or CEO. That’s why many companies end up creating one or more tech-specific executive positions. Assuming you don’t already employ such an individual, should you consider adding an IT exec? Perhaps so.

3 common positions

There are three widely used position titles for technology executives:

1. Chief Information Officer (CIO). This person is typically responsible for managing a company’s internal IT infrastructure and operations. In fact, an easy way to remember the purpose of this position is to replace the word “Information” with “Internal.” A CIO’s job is to oversee the purchase, implementation and proper use of technological systems and products that will maximize the efficiency and productivity of the business.

2. Chief Technology Officer (CTO). In contrast to a CIO, a CTO focuses on external processes — specifically, with customers and vendors. This person usually oversees the development and eventual production of technological products or services that will meet customer needs and increase revenue. The position demands the ability to live on the cutting edge by doing constant research into tech trends while also being highly collaborative with employees and vendors.

3. Chief Digital Officer (CDO). For some companies, the CIO and/or CTO are so busy with their respective job duties that they’re unable to look very far ahead. This is where a CDO typically comes into play. His or her primary objective is to spot new markets, channels or even business models that the company can target, explore and perhaps eventually profit from. So, while a CIO looks internally and a CTO looks externally, a CDO’s gaze is set on a more distant horizon.

Costs vs. benefits

As mentioned, these are three of the most common IT executive positions. Their specific objectives and job duties may vary depending on the business in question. And they are by no means the only examples of such positions. There are many variations, including Chief Marketing Technologist and Chief Information Security Officer.

So, getting back to our original question: is this a good time to add one or more of these execs to your staff? The answer very much depends on the financial strength and projected direction of your company. These positions will call for major expenditures in hiring, payroll and benefits. Our firm can help you weigh the costs vs. benefits.

© 2020 Covenant CPA

The sudden shutdown of the economy in March because of the COVID-19 pandemic forced many businesses to rely more heavily on technology. Some companies fared better than others.

Many businesses that had been taking an informal approach to IT strategy discovered their systems weren’t as robust and scalable as they’d hoped. Some may have lost ground competitively as fires were put out and employees got back up to speed in an altered working environment.

To keep your approach to technology relevant, you’ve got to regularly reassess processes and assets. Doing so is even more important in the new normal. Here are six key questions to ask:

1. What are our users saying? Every successful IT strategy is built on a foundation of plentiful user feedback. Talk with (or survey) your employees about what’s happened over the last few months from a technology perspective. Find out what’s working, what isn’t and why.

2. Do we have information silos? Most companies today use multiple applications. If these solutions can’t “talk” to each other, you may suffer from information silos — when different people and teams keep data to themselves. Shifting to a more remote workforce may have worsened this problem or made it more obvious. If it’s happening, determine how to integrate critical systems.

3. Do we have a digital file-sharing policy? Businesses used to generate tremendous amounts of paperwork. Sharing documents electronically is much more common now but, without a formal approach to file sharing, things can still get lost or various versions of files can cause confusion. Implement (or improve) a digital file-sharing policy to better manage system access, network procedures and version control.

4. Has our technology become outdated? Along with being an incredible tragedy and ongoing problem, the pandemic is accelerating change. Technology that may have been at least passable before the crisis may now be falling far short of optimal functionality. Look closely at whether your business may need to upgrade hardware, software or platforms sooner than you previously anticipated.

5. Do employees need more training? You may have implemented IT changes over the past few months that employees haven’t fully understood or have adjusted to in problematic ways. Consider mandatory training and ongoing refresher sessions to ensure users are taking full advantage of available technology and following proper procedures.

6. Are our security protocols being followed? Changes made to facilitate working during the pandemic may have exposed your systems and data to threats from disgruntled employees, outside hackers and ever-present malware. Make sure you have a closely followed policy for critical actions such as regularly changing passwords, removing inactive users and installing security updates.

Technology has played a critical role in enabling businesses to stay connected internally, communicate with customers and remain operational during the COVID-19 crisis. Our firm can help you assess your IT strategy in today’s economy and identify cost-effective process changes and budget-conscious asset upgrades.

© 2020 Covenant CPA

Device policies pertaining to smartphones and other technology tools continue to frustrate business owners as they try to balance their needs for security and functionality against employees’ rights to privacy and freedom. At some companies, loose “bring your own device” (BYOD) policies are giving way to stricter “choose your own device” (CYOD) or “corporate-owned, personally enabled” (COPE) policies.

CYOD: Their device, your data

A CYOD policy lets employees buy a device for combined personal and work purposes from an approved list of products. Generally, the employee owns the device with the business retaining ownership of the SIM card and any proprietary data. Many employers pay for the accompanying mobile plan. Sometimes, high-performance devices are made available only to “power users,” while employees with fewer tech-related job requirements must choose from lesser models.

Under a CYOD policy, you can:

  • Ensure device compatibility with your systems,
  • Require security protections on the devices, and
  • Conduct ongoing security monitoring.

It also makes maintenance and support easier for your IT department, because IT staff will know exactly which devices they’ll need to handle.

Some employees may be unhappy with their choice of devices, which can undermine morale and productivity. Then again, many workers appreciate the improved functionality and flexibility of owning a device that connects them to work.

COPE: All yours

If you’re looking for even greater control and security, look into a COPE policy. COPE policies are most common at large companies or those with heavy compliance burdens.

Here, you buy and own the device, which is intended primarily for business purposes. Most policies do allow for limited personal use — such as phone calls and messaging, approved non-work-related apps and some settings customization.

COPE policies are like CYOD policies in that you can configure employees’ devices for maximum security (including blocking certain features or apps and activating remote wipe capabilities). But they go one step further by minimizing personal use and allowing you to retain possession after an employee leaves the company. Another upside: Many employees will view an employer-provided device as a valuable perk.

One downside is you’ll incur higher costs in covering both the purchase price and mobile plans, though you may be able to lessen the hit through volume discounts. In addition, employees may have concerns about their employer-provided devices inevitably containing some of their own information. “Containerization” tools can help alleviate such worries by segregating business and personal data.

A matter of priorities

The right move for your company comes down to priorities. To tighten security and control costs, a CYOD policy may be a reasonable upgrade to an existing BYOD approach. But if you need absolute security, a COPE policy could be necessary.

Bear in mind that you can always customize a policy to best suit your needs. For example, you might apply different requirements to different departments based on the type of work performed and data accessed. Our firm can help you analyze the potential costs of any device policy and make the right choice.

© 2019 Covenant CPA

If you devote all your business’s security resources to fending off hackers and other cybercriminals, you may be unlocking the door, literally, to more basic types of theft. “Creepers” are criminals who gain access to offices or other physical facilities via unlocked doors and social engineering tactics. Once in, they steal proprietary information, inventory, computers and personal property, or gather information that makes it easier to hack your network.

Creepers in action

A major energy company’s Houston office was infiltrated by a creeper who’s believed to have stolen sensitive information, possibly to sell to a rival company or foreign government. Surveillance footage released by the FBI shows a man walking through an unlocked door in the middle of the night. He’s wearing office-appropriate clothing and moves confidently, like an employee who has a right to be there.

A Washington D.C. creeper also looked like she belonged where she didn’t. She walked into many supposedly secure government offices by chatting with employees outside the office, then following them through the door. When questioned, she claimed she’d left her badge at her desk.

In other cases, creepers use uniforms and props such as mops, toolboxes and clipboards to suggest they’re cleaners or that they work for building maintenance. They may wear stolen or forged ID badges, assuming that no one will examine them too closely.

Exercising vigilance

To protect your business’s and its employees’ property, keep all doors locked, even during work hours. Issue keycards and photo-ID badges to workers and instruct them to be on the lookout for possible intruders. They shouldn’t automatically assume, for example, that someone wearing coveralls and carrying a ladder is authorized to be there. And they shouldn’t unlock the door for anyone — even if that person seems like an employee — unless they know for certain he or she is.

If workers are uncomfortable approaching a possible intruder, they should immediately report the person to your office manager, HR director or building security. The stranger in question may well be an authorized visitor, but it’s better to be safe than sorry. Also ask employees to report the presence of former employees, who sometimes are recruited to carry out corporate espionage.

Even if you don’t keep high-value inventory or electronics on the premises, install security cameras. And instruct employees to lock up purses and wallets and to password-protect computers whenever they leave their workspaces — even if it’s only for a few minutes.

Virtual vs. physical threats

Obviously, IT security must remain a priority for all organizations. But don’t let virtual threats blind you to the need to protect against physical ones. Contact us for help preventing fraud and other forms of theft.

© 2019 Covenant CPA

Today’s business technology is both powerful and ever-changing. No matter how “feature rich” a software solution or hardware asset may be, there’s always another upgrade around the corner. In other words, it’s just a matter of time before your company’s next IT project.

When that day arrives, watch out for “scope creep.” This term refers to the tendency of a project’s objective (or “scope”) to gradually expand while the job is underway. As a result, the schedule may drag and dollars may go to waste.

Common culprits

A variety of things can cause scope creep. In many cases, too few users give input during the planning stage. Or misunderstandings may occur between the project team and users, obscuring the purpose of the job.

Excessive implementation time undoes many projects as well. As weeks and months go by, business processes, policies and priorities tend to change. For a new system to meet the needs of the business, the project’s scope needs to be executable within a reasonable time frame.

Ineffective project management is another common culprit. Scope creep often arises when a project manager underestimates the complexity of the tasks at hand or fails to adequately motivate his or her team.

5 steps to success

To stop or at least minimize scope creep, follow these five steps:

1. Distinguish “must-haves” from “nice-to-haves.” Draw a red line between the functionalities your business absolutely must have and any added features that would be nice to have. Schedule the prioritized requirements in the form of phased deliverables during the project’s life cycle. Add “nice-to-haves” to the final phase or, better yet, defer them to future projects.

2. Put agreed-on deliverables in writing. Use a Statement of Work document to clearly outline the stated project requirements. Be sure to cover both those that are included and those that aren’t. Have everyone involved sign off on this document.

3. Divide and conquer. Segregate the project into small, manageable phases. As it proceeds, continue to review and sign off on each phase as it’s delivered, following an adequate testing period.

4. Introduce a formal change management process. If someone demands a change, ask him or her to rationalize the request in writing on a change order form. Then analyze the potential impact, estimate the added cost and time, and obtain consensus before proceeding. Adhering to this step typically eliminates many low-priority demands.

5. Anticipate some scope creep. It’s a rare project, if any, that proceeds exactly as planned. Allow for some scope creep in your budget and timeline.

Head-on approach

Improving your company’s technology should be cause for excitement and, eventually, celebration. Unfortunately, it too often brings anxiety and conflict. Tackling scope creep head on can help ensure that your IT projects go more smoothly. Our firm can help you assess the financial impact of any technology solution you’re considering and, if you decide to proceed, set a budget for the job. Contact us at 205-345-9898 or info@covenantcpa.com.

© 2019 Covenant CPA

One thing in plentiful supply in today’s business world is help. Orbiting every industry are providers, consultancies and independent contractors offering a wide array of support services. Simply put, it’s never been easier to outsource certain business functions so you can better focus on fulfilling your company’s mission and growing its bottom line. Here are four such functions to consider:

1. Information technology. This is the most obvious and time-tested choice. Bringing in an outside firm or consultant to handle your IT systems can provide the benefits we’ve mentioned — particularly in the sense of enabling you to stay on task and not get diverted by technology’s constant changes. A competent provider will stay on top of the latest, optimal hardware and software for your business, as well as help you better access, store and protect your data.

2. Payroll and other HR functions. These areas are subject to many complex regulations and laws that change frequently — as does the software needed to track and respond to the revisions. A worthy vendor will be able to not only adjust to these changes, but also give you and your staff online access to payroll and HR data that allows employees to get immediate answers to their questions.

3. Customer service. This may seem an unlikely candidate because you might believe that, for someone to represent your company, he or she must work for it. But this isn’t necessarily so — internal customer service departments often have a high turnover rate, which drives up the costs of maintaining them and drives down customer satisfaction. Outsourcing to a provider with a more stable, loyal staff can make everyone happier.

4. Accounting. You could bring in an outside expert to handle your accounting and financial reporting. A reputable provider can manage your books, collect payments, pay invoices and keep your accounting technology up to date. The right provider can also help generate financial statements that will meet the desired standards of management, investors and lenders.

Naturally, there are potential downsides to outsourcing these or other functions. You’ll incur a substantial and regular cost in engaging a provider. It will be critical to get an acceptable return on that investment. You’ll also have to place considerable trust in any vendor — there’s always a chance that trust could be misplaced. Last, even a good outsourcing arrangement will entail some time and energy on your part to maintain the relationship.

Is this the year your business dips its toe in the vast waters of outsourced services? Maybe. Our firm can help you answer this question, choose the right function to outsource (if the answer is yes) and identify a provider likely to offer the best value. Call us at 205-345-9898.

© 2019 Covenant CPA