Cybersecurity is a growing concern for many organizations, regardless of size. While you can never fully take away the risk of an attack or breach, with some planning, due diligence, and regular review, you can take helpful steps to protect your entity in this important area.
Operations & Human Resources
Educate Your Employees. Data breaches are often caused by employee actions: browsing to sites that serve malware, opening infected attachments, or connecting to unsecured Wi-Fi. Educate your employees on your policies and why they are in place. Rather than mandating frequent routine password changes, which push people toward short, predictable passwords, require long, unique passwords for each account (a password manager makes this practical), enable multi-factor authentication wherever it is offered, and have passwords changed promptly when a compromise is suspected.
Review Accounts and Financial Statements. Review your operating business account(s) and financial statements for suspicious amounts or unfamiliar vendors. By keeping a regular pulse on the financial state of your business, you will be more likely to recognize fraudulent activity early.
Segregation of Duties. Regularly review your company’s segregation of duties for any gaps, especially if there has been staff turnover in the accounting department. This issue is best dealt with as soon as an employee leaves, but you may find it helpful to set a regular review schedule to ensure that proper controls are in place.
Technology Controls. When reviewing gaps created by employee turnover, don't forget technology controls. Companies often forget to change shared access codes and passwords when an employee leaves, leaving their systems exposed. A regular review of policies and access levels will help to prevent security breaches.
Data Security. When an employee leaves, recover all company data from their workstation and other devices, disable their accounts, and notify vendors so that the individual can no longer place orders or incur obligations on behalf of the company.
Company Policies and Educational Processes
Each year, companies should review their anti-fraud and whistleblower policies to ensure they are still effective for the company's current size and that they are serving their intended purpose. While these are general risk areas that affect every company, it is essential to understand your business' specific risks, which will depend on your size, structure and industry. Involve your Board of Directors, Audit Committee, or Certified Public Accountant as appropriate. Larger organizations may want to engage a Certified Fraud Examiner to help them review and develop the appropriate controls. A small investment of time upfront may well pay off by preventing costly fraud losses.
Internal Controls and Policies. Just like you have internal controls for your financial processes, you need controls and policies around your IT assets as well. Ensure that shared passwords are changed and that access is removed for terminated employees as soon as possible, and limit each employee's access to sensitive data to what their role requires.
Develop and communicate clear policies for employees regarding what devices they can use, what types of programs/applications they can install, and how to securely access Wi-Fi when needed. Clearly communicated IT security controls reduce your company's exposure.
- Implement a mobile device management program, requiring authentication to unlock a device, locking a device out after repeated failed attempts, encrypting data in transit and at rest, and enabling remote wipe of a mobile device that is lost or stolen.
- Permit only authorized wireless devices to connect to your network, including point-of-sale terminals and credit card devices, and encrypt communications with wireless devices such as routers and printers. Keep "guest" Wi-Fi on a separate network segment from your business systems, and protect wireless traffic with strong encryption, such as WPA2 (or WPA3 where your equipment supports it) using AES with the older TKIP cipher disabled, or by routing it through an IPsec VPN.
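As an added example that is not part of the original article, the following hostapd configuration shows the weak wireless setup beside the hardened one the list above calls for: WPA2 with AES-CCMP only, 802.1X so each authorized device or user has its own credential, and a separate guest network with client isolation. The interface names, SSIDs, bridge names, RADIUS address and placeholder secrets are assumptions for illustration.

```ini
# ---- File 1: hostapd-weak.conf (what NOT to deploy) ----
# Mixed WPA/WPA2 with TKIP still allowed, one shared passphrase
# used by staff and guests alike, no protected management frames.
interface=wlan0
driver=nl80211
ssid=OfficeWiFi
hw_mode=g
channel=6
# wpa=3 accepts legacy WPA1 clients as well as WPA2
wpa=3
# TKIP fallback is the weak cipher; CCMP is the AES mode
wpa_pairwise=TKIP CCMP
wpa_key_mgmt=WPA-PSK
# placeholder passphrase, shared with guests (assumed)
wpa_passphrase=office2020

# ---- File 2: hostapd.conf (hardened) ----
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# Business SSID: WPA2 only, AES-CCMP only, per-user 802.1X credentials
ssid=Corp
# assumed bridge that carries the business VLAN
bridge=br-corp
# require 802.11w protected management frames
ieee80211w=2
# wpa=2 means RSN/WPA2 only; no WPA1 fallback
wpa=2
# CCMP (AES) only; TKIP is not offered
rsn_pairwise=CCMP
# WPA-EAP = 802.1X: each device/user authenticates to RADIUS
wpa_key_mgmt=WPA-EAP
ieee8021x=1
# assumed RADIUS server and placeholder shared secret
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE_ME

# Guest SSID: a second BSS on the same radio, bridged to its own VLAN
bss=wlan0_1
ssid=Corp-Guest
# assumed bridge that carries the guest VLAN
bridge=br-guest
# guests cannot reach each other at layer 2
ap_isolate=1
ieee80211w=2
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
# placeholder guest passphrase; rotate it on a schedule
wpa_passphrase=CHANGE_ME_GUEST
```

Two caveats a practitioner should keep in mind. First, hostapd only separates the guest and business traffic at layer 2; the firewall between br-guest and br-corp must still block the guest segment from reaching business systems, point-of-sale terminals included. Second, a MAC address allow-list (hostapd's macaddr_acl option) is not a substitute for the 802.1X setup above, because MAC addresses are trivially spoofed; "only authorized devices" in practice means per-device credentials or certificates.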