Cyber fraud: The biggest threat to your organization is you

When it comes to ransomware and other cyber threats, the leading risk comes from your employees. If they either don’t care or haven’t been trained to understand when an email link is suspect or a request for information requires a phone call first, your organization may join the growing ranks of financial fraud victims.

“It can happen to anybody. It can happen to any size company and any type of organization,” says Reggie Novak, CPA, CFE, senior manager at Ciuni & Panichi.

Everyone needs to be asking: What can I do? What types of controls do I need to help mitigate and deter fraud?

Smart Business spoke with Novak about cyber and financial fraud threats.

What are common types of cyber fraud to guard against?

Ransomware is a type of malicious software that infects and restricts access to a computer until a ransom is paid. Although there are other methods of delivery, ransomware is frequently delivered through phishing emails and exploits unpatched vulnerabilities in software or lack of knowledge from the organization’s employees.

Phishing emails are crafted to appear as though they’ve been sent from a legitimate organization or known individual. These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, your computer may become infected with malware.

That’s why training is critical, along with adequate password controls, up-to-date software and antivirus programs. While smaller organizations, nonprofits and governmental entities may not have the resources for segregated duties or the most up-to-date accounting programs, they can still educate staff and mitigate the risk.

How should organizations secure their operations?

Establish security practices and policies to protect sensitive information. Make sure employees know how to handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating these policies.

Educate employees about cyber-threats and hold them accountable. Also educate your employees about how to protect your business’s data, including safe use of social networking sites.

Protect against viruses, spyware and other malicious code. Ensure each computer is equipped with antivirus software and antispyware, which is readily available online. Since vendors provide patches and updates to correct security problems and improve functionality, configure all software to install updates automatically.

Secure your networks and internet connection with a firewall and encryption. Protect your Wi-Fi network. Set up your wireless access point or router so it doesn’t broadcast the network name, known as the Service Set Identifier or SSID. Also, password protect access to the router. If employees work from home, ensure their home system(s) are protected by a firewall.

Require employees to use strong passwords and change them often. Consider implementing multifactor authentication that requires additional information to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication.

Employ best practices on payment cards. Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are used. Isolate payment systems from less secure programs. Don’t use the same computer to process payments and surf the internet.

Make backup copies of important business data and information. Back up data automatically, or at least weekly, and store this offsite or on the cloud. This can cut down on your ransomware risk especially.

Control physical access to computers and network components. Prevent access or use of computers by unauthorized individuals. Laptops are easy targets; lock them up when unattended. Create a separate account for each employee with strong passwords. Administrative privileges should only be given to a few people.

Create a mobile device action plan, especially when these devices hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt data and install security apps for when the phone is on public networks. Set reporting procedures for lost or stolen equipment.

Insights Accounting is brought to you by Ciuni & Panichi, Inc.