Not my plant! Preventing ransomware attacks on manufacturers

The world’s largest meat production company was recently sidelined by a ransomware attack. The hack forced the company to temporarily shutter plants in the United States, Canada and Australia, affecting the U.S. meat supply and even hurting commodity prices.

If it seems like cybercriminals often target manufacturing (including food processing) and distribution companies, that’s because they do. According to software company Varonis, manufacturers account for nearly a quarter of all ransomware attacks, more than any other industry. To prevent your company from becoming another statistic, learn how these attacks unfold and harden your network against them.

A high price

It’s only natural that manufacturers fear data breaches, and hackers use that fear to cripple organizations through ransomware. This type of malware gets onto a computer or network without the user’s consent, typically through a phishing email or an exposed remote-access login, and encrypts the files it finds so the business can no longer use them. The attackers then demand a ransom for the decryption key, and many now also copy the data first and threaten to publish it if the company refuses to pay.
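The encryption stage described above also leaves a distinctive trail: one account renaming or rewriting many files within a few seconds, usually adding the same unfamiliar extension to each. As an added illustration (not part of the original article), the following Python script scans a file-server audit log for exactly that burst. The log lines, field layout, account names, the `.lck9` extension and the threshold values are all constructed for the demo and are not any vendor’s format.

```python
"""Ransomware-style rename burst detector (added example, constructed data).

Ransomware encrypts files in bulk and usually tags each one with a new
extension, so many renames from one account inside a short window that all
add the same suffix are a strong signal. Field layout, thresholds and the
sample log are assumptions made for this demo, not a real product's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext

WINDOW = timedelta(seconds=60)  # sliding window for a "burst" (assumed tuning)
THRESHOLD = 5                   # renames with the same new suffix inside WINDOW

# Constructed audit lines: timestamp, account, operation, path [, new path].
SAMPLE_LOG = """\
2021-06-01T09:00:00 bob   RENAME /share/hr/report.docx /share/hr/report_final.docx
2021-06-01T09:00:05 alice RENAME /share/finance/q1.xlsx /share/finance/q1.xlsx.lck9
2021-06-01T09:00:06 alice RENAME /share/finance/q2.xlsx /share/finance/q2.xlsx.lck9
2021-06-01T09:00:06 alice WRITE  /share/finance/README_RESTORE.txt
2021-06-01T09:00:07 alice RENAME /share/finance/budget.docx /share/finance/budget.docx.lck9
2021-06-01T09:00:08 alice RENAME /share/finance/payroll.csv /share/finance/payroll.csv.lck9
2021-06-01T09:00:09 alice RENAME /share/finance/vendors.pdf /share/finance/vendors.pdf.lck9
2021-06-01T09:00:10 alice RENAME /share/finance/taxes.pdf /share/finance/taxes.pdf.lck9
2021-06-01T09:03:00 carol RENAME /share/eng/plan.v1.pdf /share/eng/plan.v2.pdf
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, op, path, new_path_or_None)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    new_path = parts[4] if len(parts) > 4 else None
    return ts, parts[1], parts[2], parts[3], new_path


def new_suffix(old_path, new_path):
    """Extension a file gained in a rename, or None if the extension is unchanged.

    A rename that only changes the base name (report.docx -> report_final.docx)
    is normal user behaviour and must not count toward a burst."""
    old_ext = splitext(old_path)[1]
    new_ext = splitext(new_path)[1]
    return new_ext if new_ext and new_ext != old_ext else None


def detect_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert dict per (user, suffix) pair whose renames reach
    `threshold` inside `window`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # (user, suffix) -> timestamps still inside window
    totals = defaultdict(int)     # (user, suffix) -> renames seen overall
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, op, path, new_path = parse_line(line)
        if op != "RENAME":
            continue                       # WRITE/READ events are ignored here
        suffix = new_suffix(path, new_path)
        if suffix is None:
            continue
        key = (user, suffix)
        totals[key] += 1
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if key in alerts:
            alerts[key]["count"] = totals[key]
            alerts[key]["last_seen"] = ts.isoformat()
        elif len(q) >= threshold:
            alerts[key] = {"user": user, "suffix": suffix, "count": totals[key],
                           "first_seen": q[0].isoformat(), "last_seen": ts.isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['user']} renamed {alert['count']} files to *{alert['suffix']} "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

On the constructed log, only alice trips the detector: bob’s rename keeps the .docx extension and carol’s plan.v1.pdf to plan.v2.pdf keeps .pdf, so neither counts. In a real deployment the same logic would run on file-server or endpoint audit events, and the WRITE of a README_RESTORE-style note in the same burst would be a second, independent signal worth correlating.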

Cyberattacks can harm a manufacturer or distributor by causing safety issues, negative publicity, lost productivity, and compromised personal and corporate data. IBM reports that the average cost of a company data breach was approximately $4 million in 2020.

Role of employees 

Employees are a manufacturer’s first line of defense against hackers. But your workers can also be a liability if they aren’t vigilant and knowledgeable about cyberthreats. It’s critical to provide training about the latest scams and encourage employees to report suspicious emails immediately to your IT department.

Many hackers look for easy targets, so even simple security measures will deter some of them. For example, email filtering that blocks phishing messages and multifactor authentication on remote access and email accounts make it much harder to get inside your network, and encrypting stored data limits what a thief can read if they do. Probably the most important simple step is to install updates and patches for operating systems, applications and security software as soon as they become available. Finally, keep backups that are tested regularly and stored offline or otherwise out of reach of your network, because a current backup is what lets a company restore its files without paying.

On the safe side

To minimize losses if a breach occurs or a ransom demand is made, think about purchasing cyber insurance to cover direct losses and the associated costs of responding to breaches. Your traditional business liability policy probably doesn’t include such coverage.

Also consider assembling a breach response team. The team should be responsible for writing a response plan, identifying weaknesses in your network and conducting breach response drills. Include cybersecurity, financial, legal and public relations experts on the team. They’ll be essential if a criminal demands a ransom and your company must weigh the difficult decision about whether to pay it. Paying is no guarantee that the attackers will hand over a working decryption key, and payments to groups under U.S. sanctions can themselves be unlawful, so get legal advice before deciding.

More to lose

No company can afford a cyberattack, but manufacturers that rely on automation, robotics and network connections may have more to lose than businesses in other industries. Contact us for help protecting your assets from fraud.

© 2021 Covenant CPA

Digital documents with e-signatures aren’t going away

Have you applied for a business loan lately? Or had some repairs done on your facilities? Maybe you’ve signed a contract with a certain technologically inclined customer or vendor. In any of these instances, you (or one of your employees) probably had to electronically sign a digital document.

So, the next question is: Why isn’t your company using this technology? If the answer is, “We are,” kudos to you (assuming it’s working out). But if your reply is, “We’ve always used paper and don’t want to deal with the expense and hassle of converting to digital documentation,” you may want to reconsider — because it’s not going away.

Why go digital?

For businesses, there are generally three reasons to use digital documents with e-signatures:

1. Speed. When you can review and sign a business document electronically, it can be transmitted instantly and approved much more quickly. And this works both ways: your customers can sign contracts or submit orders for your products or services, and you can sign similar documents with vendors, partners or consultants. What used to take days or even weeks, as paper envelopes crisscrossed in the mail, now can occur in a matter of hours.

2. Security. Paper has a way of getting lost, damaged or destroyed. That’s not to say digital documents are immune to theft, corruption and deletion, but a trusted provider should be able to supply software that not only lets you sign digital documents electronically but also keeps the resulting files encrypted and backed up, with an audit trail showing who signed each document and when.

3. Service. This may be the most important reason to incorporate digital docs and e-sigs into your business. Younger generations have come of age, if not grown up, with digitized business services. They expect this functionality and may prefer a company that offers it to one that still requires them to put pen to paper.

What about the law?

Many business owners hesitate to dive into digital docs and e-sigs because of legal concerns. This is a reasonable concern. However, e-signatures are now widely used and generally considered lawful under two statutes:

  1. The Electronic Signatures in Global and National Commerce Act of 2000 (E-SIGN), a federal law, and
  2. The Uniform Electronic Transactions Act (UETA), a model state law that most states have adopted; where a state hasn’t, E-SIGN applies.

What’s more, every state has some sort of legislation in place legalizing e-signatures. There may be some limited exceptions in certain cases, so check with your attorney for specifics.

Is now the time?

To be clear, investing in digital documents with e-signatures, and training your employees to use them, is a major strategic initiative. You need to ensure the return on investment will be worth the effort. We can assist you in evaluating whether now’s the time to “go digital” and, if so, in setting a budget for the software purchase and implementation.

© 2020 Covenant CPA

What’s the right device policy for your company?

Device policies pertaining to smartphones and other technology tools continue to frustrate business owners as they try to balance their needs for security and functionality against employees’ rights to privacy and freedom. At some companies, loose “bring your own device” (BYOD) policies are giving way to stricter “choose your own device” (CYOD) or “corporate-owned, personally enabled” (COPE) policies.

CYOD: Their device, your data

A CYOD policy lets employees buy a device for combined personal and work purposes from an approved list of products. Generally, the employee owns the device with the business retaining ownership of the SIM card and any proprietary data. Many employers pay for the accompanying mobile plan. Sometimes, high-performance devices are made available only to “power users,” while employees with fewer tech-related job requirements must choose from lesser models.

Under a CYOD policy, you can:

  • Ensure device compatibility with your systems,
  • Require security protections on the devices, and
  • Conduct ongoing security monitoring.

It also makes maintenance and support easier for your IT department, because IT staff will know exactly which devices they’ll need to handle.

Some employees may be unhappy with their choice of devices, which can undermine morale and productivity. Then again, many workers appreciate the improved functionality and flexibility of owning a device that connects them to work.

COPE: All yours

If you’re looking for even greater control and security, look into a COPE policy. They’re most common at large companies or those with heavy compliance burdens.

Here, you buy and own the device, which is intended primarily for business purposes. Most policies do allow for limited personal use — such as phone calls and messaging, approved non-work-related apps and some settings customization.

COPE policies are like CYOD policies in that you can configure employees’ devices for maximum security (including blocking certain features or apps and activating remote wipe capabilities). But they go one step further by minimizing personal use and allowing you to retain possession after an employee leaves the company. Another upside: Many employees will view an employer-provided device as a valuable perk.

One downside is you’ll incur higher costs in covering both the purchase price and mobile plans, though you may be able to lessen the hit through volume discounts. In addition, employees may have concerns about their employer-provided devices inevitably containing some of their own information. “Containerization” tools can help alleviate such worries by segregating business and personal data.

A matter of priorities

The right move for your company comes down to priorities. To tighten security and control costs, a CYOD policy may be a reasonable upgrade to an existing BYOD approach. But if you need the tightest possible control over devices and the data on them, a COPE policy may be necessary.

Bear in mind that you can always customize a policy to best suit your needs. For example, you might apply different requirements to different departments based on the type of work performed and data accessed. Our firm can help you analyze the potential costs of any device policy and make the right choice.

© 2019 Covenant CPA

Why your phone may be a fraud risk

As more people use mobile phones, more fraud perpetrators target these devices. According to Javelin Strategy & Research, between 2017 and 2018 the number of fraudulent mobile-phone accounts opened grew by 78%. Schemes in which thieves open a phone account in your name and use it to access your bank account, sign up for credit cards and gain access to personal information are only some of the recent fraud trends. Fraudsters have plenty of ways to defraud consumers through their phones.

Why they’re vulnerable

One reason mobile phones are so vulnerable is that their security often hasn’t kept pace with traditional computer security. Many users never install comprehensive security software on their phones, and many devices, particularly older Android models, stop receiving operating system and security updates from their manufacturers long before they fall out of use.

Yet users routinely store a wide range of sensitive information, including contact details, emails, text messages, passwords and identification numbers, on their phones. Geolocation software can track where phones are at any time, and various apps can record personally identifiable information. Hackers can target a phone and use it to trick its owner, or the owner’s contacts, into revealing confidential information. Or phones can carry malware onto company computers and networks, a big problem for companies with “bring your own device” policies.

How thieves get in

Sometimes attackers obtain physical access to a device. More frequently, a hacker gains remote access by, for example, sending a phishing email or text message that coaxes the recipient into clicking a link that installs malware or into entering a password on a fake login page.

Apps can be dangerous, too. A user might install an app that turns out to be malicious or a legitimate app with weaknesses an attacker can exploit. A user could unleash such an attack simply by running the app.

What you can do

Encryption is probably the most highly recommended defense against mobile phone fraud. When data is encrypted, it’s “scrambled” and unreadable to anyone who can’t supply the unique “key” that unlocks it; current iPhones and most recent Android phones encrypt their storage automatically once a passcode is set. Two-step authentication is also advisable. This adds a second check before a login is accepted, typically a one-time code sent by text message or read out by an automated call. Because a thief who opens a phone account in your name may be able to take over your number, a code generated by an authenticator app or a hardware security key is stronger than one sent by SMS where the service offers it.
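The text-message step protects the login only if the server handling the code is careful about it. The following Python class, added here as an example rather than taken from the article, shows the server side of such a check: the code is random, stored only as a salted hash, expires after a few minutes, is accepted once, and is invalidated after a handful of wrong guesses, with a constant-time comparison so that timing doesn’t leak the digits. Sending the code by SMS or voice call is left to a messaging gateway and is simulated by returning it from `issue()`; the class name, `TTL_SECONDS`, `MAX_ATTEMPTS` and the injectable `clock` are assumptions for the example.

```python
"""Server-side one-time code check for a two-step login (added example).

The code is random, stored only as a salted hash, expires, is accepted once,
and is discarded after MAX_ATTEMPTS wrong guesses. Delivery by SMS or voice
call is outside this snippet: issue() returns the code for the caller to send.
Names, lifetimes and limits are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
TTL_SECONDS = 300    # code lifetime; a short window limits guessing and replay
MAX_ATTEMPTS = 5     # with 6 digits this caps a guesser at 5 in a million


class OneTimeCodeStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so tests can control "now"
        self._pending = {}    # user -> [digest, salt, expires_at, attempts]

    @staticmethod
    def _digest(code, salt):
        # Store a salted hash so a leaked table does not expose live codes.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user):
        """Create a fresh code for `user`, replacing any pending one, and
        return it so the caller can deliver it by text message or call."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = [self._digest(code, salt), salt,
                               self._clock() + TTL_SECONDS, 0]
        return code

    def verify(self, user, submitted):
        """Return True exactly once for the right code inside its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing pending (or already used)
        digest, salt, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[user]           # expired: force a new code
            return False
        entry[3] = attempts + 1
        # compare_digest runs in constant time, so a guesser learns nothing
        # from how long a rejection takes.
        if hmac.compare_digest(digest, self._digest(str(submitted), salt)):
            del self._pending[user]           # single use
            return True
        if entry[3] >= MAX_ATTEMPTS:
            del self._pending[user]           # too many misses: invalidate
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("would text alice:", code)
    print("first try:", store.verify("alice", code))    # True
    print("replay:", store.verify("alice", code))       # False
```

The attempt cap matters as much as the randomness: six digits give a million possibilities, but without a cap an attacker can simply submit guesses until the code expires. Note also that the store accepts the code only once, so a code intercepted after the legitimate user has already logged in is worthless.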

Phone owners should always set a PIN or password and, if available, a biometric unlock such as a fingerprint or face scan. They should also disable Bluetooth and Wi-Fi when not in use, and set Bluetooth-enabled devices to be nondiscoverable.

Also request a freeze on the credit information that’s used to open a mobile-phone account with the National Consumer Telecom & Utilities Exchange. This is a credit reporting agency fed by data supplied by phone companies, pay-TV companies, and utility service providers.

Evolving threats

In only a decade, mobile phones have completely changed our daily lives. Unfortunately, fraud has kept pace with technology. To protect your personal information, you need to be aware of the constantly evolving threats.

© 2019 Covenant CPA

Taking the hybrid approach to cloud computing

For several years now, cloud computing has been touted as the perfect way for companies large and small to meet their software and data storage needs. But, when it comes to choosing and deploying a solution, one size doesn’t fit all.

Many businesses have found it difficult to fully commit to the cloud for a variety of reasons — including complexity of choices and security concerns. If your company has struggled to make a decision in this area, a hybrid cloud might provide the answer.

Public vs. private

The “cloud” in cloud computing is generally categorized as public or private. A public cloud — such as Amazon Web Services, Google Cloud or Microsoft Azure — is shared by many users. Private clouds, meanwhile, are created for and restricted to one business or individual.

Public clouds are often perceived as less secure than private ones, although in practice most public-cloud breaches come from customers misconfiguring access to their own data rather than from the provider’s infrastructure. Public clouds also require Internet access to use whatever is stored on them, while a private cloud may be accessible via a company’s local network.

Potential advantages

Hybrid computing, as the name suggests, combines public and private clouds. The clouds remain separate and distinct, but data and applications can be shared between them. This approach offers several potential advantages, including:

Scalability. For less sensitive data, public clouds give businesses access to enormous storage capabilities. As your needs expand or shrink — whether temporarily or for the long term — you can easily adjust the size of a public cloud without incurring significant costs for additional on-site or remote private servers.

Security. When it comes to more sensitive data, you can keep it on a private cloud rather than alongside other tenants on a public one. For even greater protection, separate sensitive workloads across distinct environments with their own credentials; that way, if one is breached, the attacker doesn’t automatically gain access to all of your data.

Accessibility. Public clouds generally are easier for remote workers to access than private clouds. So, your business could use these for productivity-related apps while confidential data is stored on a private cloud.

Risks and costs

Using a blended infrastructure like this isn’t without risks and costs. For example, it requires more sophisticated technical expertise to manage and support than a straight public cloud approach, particularly for linking identities and networks between the two environments securely. You’ll likely have to invest more dollars in procuring multiple public and private cloud solutions, as well as in the IT talent to maintain and support the infrastructure.

Overall, though, many businesses that have been reluctant to solely rely on either a public or private cloud may find that hybrid cloud computing brings the best of both worlds. Our firm can help you assess the financial considerations involved. Call us today at 205-345-9898.

© 2018 Covenant CPA

A strong BYOD policy combines convenience with security

It’s easy to understand why more and more businesses are taking a “bring your own device” (BYOD) approach to the smartphones, tablets and laptops many employees rely on to do their jobs. BYOD can boost employee efficiency and satisfaction, often while reducing a company’s IT costs. But the approach isn’t without risk for both you and your staff. So, it’s highly advisable to create a strong formal policy that combines convenience with security.

Primary concerns

As an employer, your primary concern with BYOD is no doubt the inevitable security risks that arise when your networks are accessible to personal devices that could be stolen, lost or hacked. But you also must think about various legal compliance issues, such as electronic document retention for litigation purposes or liability for overtime pay when nonexempt employees use their devices to work outside of normal hours.

For employees, the main worry comes down to privacy. Will you, their employer, have access to personal information, photos and other non-work-related data on the device? Could an employee lose all of that if you’re forced to “wipe” the device because it’s been lost or stolen, or when the employee leaves your company?

Important obligations

A BYOD policy must address these and other issues. Each company’s individual circumstances will determine the final details, but most employers should, at minimum, require employees to sign an acknowledgment of their obligations to:

  • Use strong passwords and automatic lock-outs after periods of inactivity,
  • Immediately report lost or stolen devices,
  • Install mandated antivirus software and other protective measures,
  • Regularly back up their devices,
  • Keep apps and operating systems up to date, and
  • Encrypt their devices.

The policy also should prohibit the use of public Wi-Fi networks, or require employees to connect through the company’s virtual private network (VPN) whenever they do use public Wi-Fi. You may want to forbid certain apps, too.

In addition, you need to spell out your rights to access, monitor and delete data on employees’ devices — including the types of data you can access and under which conditions. In particular, explain your wiping procedures and the steps employees can take to protect their personal information from permanent erasure.

Protection now

Nearly everyone who works for your company likely has a smartphone at this point. As such devices integrate themselves ever more deeply into our daily lives, it’s only natural that they’ll affect our jobs. Establishing a BYOD policy now can help prevent costly mistakes and potential litigation down the road. We can provide further information, so call us at 205-345-9898.

© 2018 Covenant CPA