October 20, 2015
Minimize fraud and make security second nature
Five ways to minimize fraud in your business
by Steve Lumley
Small businesses with fewer than 100 employees are the most frequent fraud victims, with the median loss exceeding $150,000, according to the Association of Certified Fraud Examiners. No matter the size of your organization, that’s significant money.
One thing I’ve learned from my career heading an outsourced CFO firm is this: it’s nearly impossible to predict which employees may attempt to steal from your business. After 25 years of helping small businesses and nonprofits manage their finances, I’ve found it’s easier to minimize opportunities for fraud than to predict or prevent it.
Some examples of fraud include credit cards being used for personal purchases; changing payees on checks; stealing cash from a cashbox; paying fictional vendors; and inflating payroll or expense accounts. Business owners and nonprofit directors should randomly check financial reports and information. Data should be backed up daily so fraud can be proven later if needed.
And while these may seem like commonsense controls, during the daily routine of doing business with people you know and trust, sometimes CEOs and managers may not be as diligent as they should be.
Here’s a list of five ways to prevent fraud in your business:
- Beef up internal controls: Segregate duties between employees who maintain records and those who have custody of assets. Review payroll before it’s processed, especially for the payroll clerk. Knowing that an independent party will review the financial statements periodically helps prevent fraud. Also, set up safeguards for assets such as cash, receivables, inventory and fixed assets. Internal controls are important for accountability and accurate financial statements as well as for preventing and detecting fraud.
- Incorporate “detective controls”: These are conducted mostly to detect fraud rather than prevent it. An independent person should review the bank reconciliation and test some checks to see who they are made out to, especially if a signature stamp is used. The use of signature stamps should be carefully controlled. Credit card fraud in businesses is relatively common. Credit card statement reconciliations should be reviewed and all receipts accounted for, especially for gas cards. Controls are better when employees use their own credit cards and submit receipts for reimbursement.
- Compare and contrast expenses: Each month’s operating results should be compared to the same month in previous years and to budget, with an explanation of significant variances provided by your financial team.
- Insure your business against fraud: Employee dishonesty insurance coverage is inexpensive. Often, maximum coverage is $500,000. I recently received a quote to increase coverage for a company with $30 million in annual sales from $100,000 to $500,000 for only $660 per year.
- Reinforce a positive corporate culture: Upper management sets the tone in any organization for behavior that is allowed or disallowed in all matters of business, including company finances. An ethics policy is important for every organization.
Having proper internal controls against fraud can save your business or nonprofit not only a lot of money, but the time and distress to untangle the fraud and replace the perpetrating employee.
3 ways to make security second nature
by Joe Baker
One of the most difficult jobs in information technology is that of the network security engineer. The demands of the work are incredible. Network security engineers need to be technically gifted to keep up with the breakneck pace of new technologies and vulnerabilities. They must be ready to put their lives on hold to go into work at all hours of the night to remediate security incidents, which can range from code upgrades all the way to breaches of the network. The most challenging part of their job is protecting users’ identities and information from security breaches. Effective network security engineers take personal pride in ensuring that all users are educated about security risks through suitable network practices and training seminars.
What Is the Security-Conscious Employee Always Asking?
Users are the biggest security threat to any organization. They don’t mean to be so dangerous, but users are the only component of an organization that we cannot secure and configure ourselves. Network engineers model user behavior to deliver security standards centered on protecting valuable user information. On top of their technical duties, security experts are also tasked with formulating a plan for how to secure the impossible. Many organizations require security training during orientation and sometimes on an annual or bi-annual basis. I have been on the receiving end of these training programs, and the content has varied from network and email security procedures to physical security and building access. These are valuable subjects for all people to know, not just employees. But how do we make sure that employees make thinking about security a customary practice?
A fine line exists between being security focused and being a conspiracy theorist. Although, I’ll bet that the conspiracy theorist has a better handle on his Facebook privacy settings than the average user. The security-conscious employee is always asking, “How could someone take advantage of this situation?” The primary objective of security training is to instill security awareness.
Best Intentions Gone Wrong
Let’s say a group of employees receives a spam email asking them to download a particular file or click on a link. Often, the employees’ first response is to use the “reply all” feature to notify others that the message is spam. This behavior leads to multiple “reply all” responses, including “stop responding” emails.
Quickly, an inbox multiplies from containing one copy of a potential virus to fifty copies. The recommended response is to forward the email as an attachment to the security expert so that the security expert can notify the rest of the company that the spam email had gotten through the filters.
How do we get the security-thought process in the heads of our employees?
So how do we do it? How do we get this security-thought process into the heads of our employees? I’ve mentioned required training, but that will only work on the willing. I have found that the most efficient form of learning is through experience. There are companies that specialize in security audits that evaluate which employees give up information or unknowingly run a virus on their computer. This kind of service can be costly, so it isn’t feasible for every company.
Some companies practice office hijinks to teach security lessons. For example, when employees walk away from their computer without securing it, the employees often discover that their background picture has been changed, or their icons moved. This type of inconvenience is mostly harmless, but security awareness should be a comprehensive, user-centric process that starts with employee onboarding and continues throughout employment.
The most feasible and cost-effective measure is somewhere in the middle, and it includes layering the following methods:
- Interactive online security training programs:
Conduct interactive security training during employee onboarding. Quarterly training programs can serve both as knowledge generators and as security knowledge assessment tools. Areas where user scores are low can be revisited in real-world exposure audits and newsletters to reaffirm the security guidelines.
- Exposure to real world experience of security threats:
Perform a yearly security assessment audit to identify security risks and provide recommendations.
- Periodic newsletter highlighting security breaches:
Use newsletters as educational reminders to highlight key security vulnerabilities. The newsletter content should be light and interesting enough for someone to take a few minutes to read.
One more thing before I go: Do you remember that Nigerian prince who wants to make you a millionaire if you help him open a bank account with a couple thousand dollars? There is a possibility that he isn’t 100% legit…just sayin’.
Steve Lumley is founder and CEO of member company LGI CFO of downtown Cincinnati, which celebrates its 25th year in business this year. The outsourced CFO services company serves privately-held small businesses and nonprofits throughout greater Cincinnati, Dayton and northern Kentucky. For information, go to www.lgicfo.com, or contact Lumley at firstname.lastname@example.org or (513) 576-9880.
Joe Baker is the Senior Network Engineer at member company AfidenceIT, which provides IT services to organizations ranging from small businesses to enterprise-level IT support organizations, across a wide range of industries and sizes.