Ready for Cybersecurity Awareness Month? Get Ahead With Our Top Five Tips

October is cybersecurity awareness month — and while organizations can never drop the ball on securing corporate networks, the end of summer is a great time to pause, take a deep breath and take a hard look at security processes currently in place. Is your business doing enough? Where can finance leaders improve? How can your organization stay ahead of threats?

From mitigating systemic threats to evaluating internal controls, reducing BYOD risk, boosting email security and educating employees on data safety, we’ve collected the top five tips to help enhance your security posture.

1. Stemming Systemic Financial Risk

As noted in Cybersecurity Attacks: The Rise of Systemic Financial Risk, the interconnectivity of modern organizations creates tremendous opportunities for businesses and attackers alike. The result? Costs are on the rise, with enterprises out almost $1 million per attack. More worrisome? Systemic, widespread threats such as popular POS compromises or “runaway algorithms” could have global repercussions. Staying safe means recognizing this new threat vector and implementing new security controls, such as cloud-based monitoring systems for automated algorithms that communicate with human IT personnel, and ensuring all third-party security expectations are clear and in writing.

2. Improving Internal Controls

Effective cybersecurity awareness demands solid review and testing, particularly when it comes to internal controls. As explained in Reevaluating Internal Controls for Financial Security, while permission-based controls are essential, organizations also need to stop and ask themselves why specific controls are in place. It’s also a good idea to regularly audit and test your control system for faults, then ask employees to “swap roles” for a day to get a fresh perspective — new users often see issues that staff using the system every day might overlook.

3. Mitigating BYOD Risk

Finance leaders can’t avoid BYOD, but they do need a reliable way to mitigate potential security risks. As noted by Mitigating Risk in BYOD Security, “corporate networks can be easily breached through lapses in BYOD security” and this risk is increasing as employee devices diversify. The solution? Start with reliable, cloud-based mobile device controls that let IT monitor connections, regulate downloads and wipe data at a distance if required. Just as important? A robust mobile management policy which clearly states expected employee conduct and potential consequences.

4. Evolving Email Security

Despite the rise of SMS and video conferencing, email remains the go-to corporate communications method. The problem? As noted by Leading the Charge: HR Managers and Employee Email Security, 30 percent of phishing emails are still opened by employees and more than 10 percent of staff click on suspicious links — putting entire networks at risk. Security here requires a dual effort: first, organizations need to leverage technology controls such as Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to manage obvious attacks. Next, finance leaders should tap human resource professionals as “the ideal choice to design people-friendly training plans, which help staff recognize potential email scams and report any accidental opening or downloading.” Put simply? Tech solutions combined with “human firewalls” can help evolve email security efforts.

5. Educating Employees on Data Safety

Employees are also central to the effort to improve data safety. As the article 4 Methods to Enhance Data Security highlights, “data security begins with the employee.” But what does this look like in practice? First, staff must understand the value of their network credentials; passwords and login details should always be kept confidential. Next up is strong password creation. Consider: Bill Burr recently took back his advice on regularly changing passwords and ensuring they’re replete with numbers and symbols. Now, experts suggest that employees create strong passwords composed of phrases or concepts they’ll remember, and change these passwords only in the event of a potential breach. Last but not least? Restrict access per employee and across departments.

Cybersecurity awareness month offers the opportunity to take stock, evaluate current processes and make infosec improvements. Start strong — address systemic and BYOD risk, improve internal controls, evolve email access and educate employees to shore up corporate security.

Do You Have a Sexual Harassment Complaint Procedure in Place?

No business is invulnerable where sexual harassment in the workplace is concerned. Does your small business need a sexual harassment complaint procedure?

No business is invulnerable where sexual harassment in the workplace is concerned. Federal, as well as state and local laws prohibit workplace harassment. However, some laws apply to employers who meet certain employee thresholds.

However, even if small employers aren’t subject to anti-harassment rules, should they follow suit?

The short answer is yes. Just because your tight-knit business’s employee headcount doesn’t meet the threshold of anti-discrimination laws like Title VII of the Civil Rights Act (15 employees) or applicable state and local laws, it doesn’t mean that you and your business can’t be sued — or that harmful and inappropriate behavior can’t occur.

“It is still a best practice for a small business owner to have an effective anti-harassment policy in place,” advises Kristin LaRosa, senior counsel at ADP. “A company’s demonstrated commitment to an organization free from harassment or discrimination is the first step toward eliminating workplace harassment.”

Create a Policy

To be effective, your anti-harassment policy should expressly state your zero-tolerance stance toward harassment. Consider whether your policy will extend to non-employees such as third parties, clients, vendors, or contractors. Some state or local anti-harassment rules may even extend to such individuals.

“The policy should provide clear examples of both physical and nonphysical prohibited conduct,” according to LaRosa. Prohibited physical conduct could be quid-pro-quo threats along the lines of, “If you don’t let me X, I’ll sabotage your work.” Nonphysical harassment creates a hostile work environment, for example telling crude sexual jokes to an unwilling listener or sending an offensive email or text message.

In your policy, clearly state that protections extend to not only sex-based harassment but to any other federal, state or locally recognized characteristic, including race, color, national origin, religion, disability and age. Also include a statement making it clear that if the policy is not followed, action up to and including termination may occur. As LaRosa warns, “Companies should emphasize [that] all complaints will be treated seriously and receive a prompt response and appropriate remedial action.”

Lastly, state that no one who raises a complaint or participates in investigations will experience retaliation. Your policy’s effectiveness will be severely limited if employees are afraid of using it.

Create a Procedure

Your sexual harassment complaint procedure, which should be included in the policy, starts with a complaint by either a victim of or a witness to harassment. Your complaint, investigation and resolution procedure should allow “employees to immediately report complaints and provide multiple avenues to raise the complaint,” advises LaRosa.

The procedure should:

Denote who receives complaints — for example human resources, supervisors, the C-suite or board members

Designate who conducts investigations, whether a well-trained internal investigator (traditionally HR) or an independent outside investigator (especially when the accused is high-level), as long as they’re unbiased and unconnected with either party

Determine exactly what happened

Document every step from complaint to investigation to interviews and determination in a fact-centric way

The investigator should have “clear guidelines on how to assess the credibility of the complainant, alleged harasser and any witnesses,” notes LaRosa. “Once the investigator makes their recommendations, take any appropriate corrective action and advise the complainant that appropriate action was taken. Continue to follow up with the complainant to ensure that no further harassment has occurred.”

Take Action

Once your policy and procedure are written, implement them with training. It’s not simply best practice — in states like Maine, California, Connecticut and New York, it’s mandated. Ensure that leaders are trained not only on policy and procedure but also on how to prevent, identify and handle complaints. Have everyone sign off on the policy, indicating that they’ve read and understood it, and make that acknowledgment part of their files.

“Business owners cannot afford to bury their heads in the sand,” warns LaRosa. “They must constantly audit effectiveness of their policies and procedures to ensure all employees, including those in the C-suite and ‘star’ performers, are held accountable for their conduct.” Make modeling expected behavior and monitoring situations part of leaders’ jobs.

Big Data for Cost-Effective Expansion: What You Need to Know

When it comes to expanding into new locations, the first question is always, where? For the CHRO, the question may actually be who? While the rest of the C-suite may be scoping locations based on customer base or tax regulations, HR will be working to find the best talent in the best location for the best money. To get this done, you will want to consider big data for cost-effective expansion.

Choosing a Location Based on Revenue

The decision surrounding a new location is never simple. For example, retailers and food franchises not only need to know where potential customers are, but where customers will be over the 10- to 25-year lifetime of the investment in new locations. But for HR, expanding to a new location goes beyond finding where the customers are.

Your organization may be using big data to identify the main components of existing effective locations and why they succeed, as well as locations most likely to pull in customers. For example, John Crouse, director of Wendy’s real estate services, told Fast Company that the restaurant chain came up with its own “urbanicity scheme,” using “GIS platforms to help break down which blocks in an urban downtown will have high foot traffic and similar factors.” Starbucks, on the other hand, uses data pertaining to “nearby retail clusters, public transportation stops, and neighborhood demographics” from their “in-house mapping and business intelligence platform” when evaluating new locations in China.

Once your location and potential customers are identified, how do you find the talent to fill positions in your new location? According to LinkedIn, you might want to start with the Bureau of Labor Statistics (BLS) to analyze metrics like unemployment rates in the area, to get a better sense of how many people may answer your ad and what kind of compensation they’ll be looking for.

Choosing a Location Based on Talent

If your organization is choosing a new location based on available talent, you’ll need to decide what elements are the most vital to your organization’s new office. The Corporate Executive Board (CEB) suggests that CHROs take the same approach to analyzing labor markets in potential new locations, with fact-based analysis of talent demographics seeking answers to questions like: Which cities have the talent with the right skills? What are the hiring patterns in the cities of interest? What universities are or could be the most logical sources of future talent? How can the firm get the optimal talent at the best price? Where are competitors, partners and suppliers establishing talent skill hubs?

Those determinants need to be expressed as numeric values. For instance, instead of stating that an important factor is a “strong labor market,” express it as the number of universities and colleges within 50 miles of the potential location.

Collect and Analyze the Data

The next step in using big data for cost-effective expansion involves collecting the data for each factor in each location. What are the tax rates in each location? What are average commute times? How many competitors are located near those locations? How many universities within 50 miles? When it comes to compensation and benefits, what is appropriate given local market averages?

It’s at this point that patterns and correlations in the data will become evident, and it can then be compared to benchmarking data from both GIS and human capital management (HCM) systems so that HR teams can analyze data in comparison to industry best practices.

Use Insights to Find New Locations That Match

Considering the large investments required to expand into new locations, organizations should make the most informed decisions possible. By correlating existing data and benchmarking data, CHROs gain insight that informs the best expansion decision possible for their organizations.

Drug Use in the Workplace: What Employers Should Know

Eliminating drugs at work can provide a safer and more productive place of business — but there are legal considerations.

In a recent analysis of approximately 11 million employer drug test results, Quest Diagnostics reported an increase in drug use in the workplace for the fifth consecutive year. The analysis, which showed upticks in amphetamines, heroin and marijuana, found that almost one in 11 job applicants failed an oral fluid drug test.

Bloomberg, too, reports that drug abuse in the workplace is “a growing challenge for American business.” According to Bloomberg, employees who test positive for opioids may slow down productivity, increase health care costs and endanger themselves and other employees.

As an employer, what can you legally do to limit drug use in the workplace? Here are factors to consider for curbing or eliminating drugs at work in order to provide a safer and more productive place of business.

Prohibiting Drug Use

Employers may prohibit drug use in the workplace and can generally test for illegal drugs, too. That said, according to The Balance, employers must meet the requirements of applicable state laws for such drug tests, like cause for suspicion.

Employers may not discriminate against employees who have previously struggled with drug addiction, are no longer using drugs or are in a rehabilitation program. In fact, reasonable accommodation must be provided to individuals undergoing rehabilitation efforts or who have been in rehabilitation, for example allowing time off for medical care.

Further, individuals with alcohol use disorders may be considered employees with disabilities pursuant to the ADA, and employers must act accordingly. On the other hand, such protections do not apply to individuals who are A) not in recovery and B) addicted to an illicit substance.

Terminating Employees Using Illegal Drugs

Employers may terminate an employee’s tenure if their use of drugs in the workplace affects their ability to do their job. This can mean, as Bloomberg points out, that employers find themselves having to terminate employees who have previously had no problems with job performance. Consult an employment attorney before taking action, as this is a complex area.

In some cases, you may not want to terminate the employee, at least not immediately. Work with your insurance company to find resources available to the employee. If it is compliant with the law in your area, you may consider giving the employee an ultimatum: get treatment or have your employment terminated.

Employers can take all or a combination of the steps above to protect themselves and their businesses. But these steps and guidelines need to be included in the organization’s policies and procedures. A written policy can be a first step toward ensuring a healthy workplace.

Ex-Employees Claim Intuit Let Fraudulent TurboTax Returns Through For The Money

Are fraudulent tax returns the fault of the IRS, or caused by a weakness in the most popular software programs that consumers use to file their taxes? Former employees of Intuit, maker of TurboTax, allege that the company prevented security staff from flagging and shutting down obviously fraudulent accounts. Why? Market share. Fraudsters were ditching TurboTax and using other tax software when the company flagged their returns.

Depending on what state the person lives in, a fraudster must pay TurboTax $25-50 to file a state income tax return. They often use a service that deducts the filing fee from the victim’s refund, so Intuit doesn’t have to deal with the hassle of scammers paying with stolen credit card numbers, which is often a problem.

It wasn’t difficult for Intuit employees to flag who the fraudsters are. “If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” former XX Robert Lee explained to Krebs on Security.

This wasn’t a case of Intuit being evil for evil’s sake. (Some customers would argue that their reshuffling of desktop software features was.) Lee explained that while Intuit’s security team noticed and reported fraudulent returns, the identity thieves simply turned to one of their competitors. Another former employee has filed a whistleblower complaint with the Securities and Exchange Commission alleging that the company delayed or didn’t send fraud reports over to the IRS so the fraudulent returns would go through.

Tax software publishers are not required to screen for fraud and report it to the Internal Revenue Service. That means there was money out there to be made from fraudulent returns, and someone was going to make it.

An Intuit spokesman countered the whistleblowers’ arguments, pointing out that it’s the IRS that ultimately decides which tax returns are fraudulent, and if a return is officially flagged and not processed, there’s no refund from which Intuit could collect its fee. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return,” the chief communications officer explained to Krebs. Neither the IRS nor Intuit wants to hold up legitimate tax returns and refund checks in bureaucratic hell when that return is flagged for possible fraud.

New Payroll Fraud Variation: Scammers Gain Access To Corporate ADP Accounts

In recent months, we’ve seen a scam aiming to social engineer payroll information out of employees hit well-known companies like Snapchat and Seagate. The fraudsters’ goal is to get employees’ personal information and salary data, and file tax returns to collect refunds under their names. Now the tax scammers have found the ultimate source of payroll data: they’re able to access some companies’ accounts with payroll processing company ADP.

You may not recognize the name ADP, but most adults have probably held at least one job where the company printed their paychecks. Around the world, the company has 610,000 clients. That’s companies, not individuals.

For example, they handle payroll for U.S. Bancorp, and Krebs on Security shared a letter that a reader received when they were the victim of one of these breaches. Employees received a notice that fraudsters had established fake accounts under real employees’ names, harvesting their payroll information. Presumably, this data would later be used for tax refund scamming.

Bancorp has around 64,000 employees, and not all of them were victims of this scam. To establish a fake account on the ADP portal, the scammers needed to know that the person works for U.S. Bancorp, and pieces of personal data that are common targets for identity thieves, like the person’s name, date of birth, and Social Security number. Victims needed to already be victims of identity theft.

Another key part of the breach is that the employer needed to make the company-specific URL and a company code public. Simply having employee handbooks or information on how to find one’s W-2 available on a public Internet page instead of a building-exclusive intranet would be enough to put the not-so-secret URL and code in the fraudsters’ hands.

U.S. Bancorp became aware of the breach on April 19, after the tax deadline, but tax returns for 2015 may have already been filed for employees.

6 Things We Learned About The IRS’s Fight Against Fraud And Identity Theft

Things are difficult for the IRS right now. For the last few years, people contacting the IRS have encountered lengthy phone hold times, and identity theft and refund fraud drain billions of dollars’ worth of tax refunds into the pockets of international criminals. The Government Accountability Office has the job of overseeing government agencies, including the IRS, and it released a new report today about its issues and possible ways to fix them.

The 23-page report is actually quite readable, and worth looking at if you’ve been a victim of identity theft or refund fraud, you’re a tax preparer, or you’re interested in the future of how Americans file our taxes.

1. The IRS paid out $3.1 billion in refunds to scammers last year. We’ve discussed in the past how this scam works: someone with basic information about a U.S. taxpayer files a return with fake information, depositing their refund in the scammer’s own account. It’s a sophisticated operation and very lucrative.

While the IRS was able to stop most fraudsters in tax year 2014, they’re already figuring out how to hack and social engineer their way into more refunds next year. People whose W-2 information was taken in a variation of the Boss Scam this year should be especially vigilant, locking down their IRS e-filing information and filing their real returns as soon as possible.

2. The IRS doesn’t actually have your W-2 information before they issue your refund. Your employer had to send it to them, yes, and you used those numbers to file your taxes, but a previous GAO report on the IRS pointed out that the agency doesn’t actually match up the numbers that you put down on your return with the numbers that your employer provided until July.
This means that if you delay in filing, someone can file a fake return on your behalf and scoop up a fake refund based on whatever information they make up. If you put false information in your tax return, later in the year, the IRS will catch up with you. Scammers who live thousands of miles away don’t care.

3. The IRS could prevent fraud by checking taxpayers’ pay information against what their employers submitted before issuing refunds. This would be theoretically possible if they received W-2s electronically, but anyone with fewer than 250 employees can submit them on paper.
The GAO suggests that the IRS consider making all employers but the smallest businesses (with 5 to 10 employees) submit their W-2s electronically, and change their workflow to verify returns before cutting metaphorical and literal refund checks.
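The pre-refund check the GAO recommends, as an added example that is not from the report or the IRS (constructed records; the taxpayer and employer identifiers are placeholder tokens): it sums a filer’s employer-submitted W-2s, releases a matching return, holds a return whose claimed withholding exceeds what employers reported, and sends returns with no electronic W-2 on file (the paper-filing gap described above) to manual review rather than denying them.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class W2:
    """Employer-submitted wage statement (constructed sample data)."""
    taxpayer_id: str   # constructed token standing in for an SSN
    employer_ein: str  # constructed token standing in for an EIN
    wages: float
    withholding: float


@dataclass
class TaxReturn:
    """Taxpayer-submitted return (constructed sample data)."""
    taxpayer_id: str
    claimed_wages: float
    claimed_withholding: float


# Constructed employer filings: TP-1 had two jobs, TP-2's employer filed on paper
# (nothing electronic on file yet), TP-3 and TP-4 each had one job.
W2S = [
    W2("TP-1", "EIN-A", 40000.0, 5000.0),
    W2("TP-1", "EIN-B", 12000.0, 1200.0),
    W2("TP-3", "EIN-C", 55000.0, 6000.0),
    W2("TP-4", "EIN-D", 30000.0, 3500.0),
]

# Constructed returns: TP-1 honest; TP-2 unverifiable; TP-3 inflated withholding
# (the refund-fraud pattern described above); TP-4 under-reported wages.
RETURNS = [
    TaxReturn("TP-1", 52000.0, 6200.0),
    TaxReturn("TP-2", 48000.0, 7000.0),
    TaxReturn("TP-3", 55000.0, 14000.0),
    TaxReturn("TP-4", 22000.0, 3500.0),
]


def index_w2s(w2s: List[W2]) -> Dict[str, List[W2]]:
    """Group employer filings by taxpayer so multi-job filers are summed."""
    by_taxpayer: Dict[str, List[W2]] = defaultdict(list)
    for form in w2s:
        by_taxpayer[form.taxpayer_id].append(form)
    return dict(by_taxpayer)


def reconcile_return(ret: TaxReturn, w2s_by_taxpayer: Dict[str, List[W2]],
                     tolerance: float = 1.0) -> Tuple[str, str]:
    """Decide whether a refund can be released before the July batch match.

    Returns (decision, reason), decision in {"release", "hold", "review"}.
    Missing employer data is not proof of fraud (paper W-2s arrive late),
    so that case is reviewed rather than held; inflated withholding is held.
    """
    forms = w2s_by_taxpayer.get(ret.taxpayer_id, [])
    if not forms:
        return "review", "no employer W-2 on file yet"
    reported_wages = sum(f.wages for f in forms)
    reported_withholding = sum(f.withholding for f in forms)
    wages_ok = abs(reported_wages - ret.claimed_wages) <= tolerance
    withholding_ok = abs(reported_withholding - ret.claimed_withholding) <= tolerance
    if wages_ok and withholding_ok:
        return "release", "return matches employer-reported wages and withholding"
    if ret.claimed_withholding > reported_withholding + tolerance:
        return "hold", (f"claimed withholding {ret.claimed_withholding:.2f} exceeds "
                        f"employer-reported {reported_withholding:.2f}")
    return "review", (f"claimed {ret.claimed_wages:.2f} / {ret.claimed_withholding:.2f} "
                      f"differs from reported {reported_wages:.2f} / {reported_withholding:.2f}")


def triage(returns: List[TaxReturn], w2s: List[W2]) -> Dict[str, str]:
    """Map taxpayer id -> decision for a batch of returns."""
    idx = index_w2s(w2s)
    return {r.taxpayer_id: reconcile_return(r, idx)[0] for r in returns}
```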

4. The IRS began an agency-wide information security program to lock things down, but failed to implement all parts of it across the entire massive agency, leaving weak spots. An example: auditing who had access to which systems and making sure that people only had enough access to do their own jobs.

5. The IRS did better dealing with taxpayers contacting them by phone this year, bringing the average wait time down to an estimated 25.8 minutes, compared to 30.5 minutes last year.

6. The most important part of information security at the IRS is users getting access to e-file their returns: methods need to be secure enough that someone who has stolen a taxpayer’s identity can’t easily access their tax history and filing PIN, but easy enough to use that we don’t all forget our passwords from year to year.

Fighting Payroll Fraud? Combine Education and Oversight for Best Results

Payroll fraud can severely damage businesses of all sizes. Here’s what you can do to prevent it.

Fraud is a serious problem for organizations. Per Entrepreneur magazine, 27 percent of all businesses experience payroll fraud, which helps explain how U.S. enterprises lose $50 billion to employee theft each year, as reported by CNBC.

How do financial leaders determine the sources of fraud and take steps to stop it?

Common Causes

Who’s committing payroll fraud? According to a study by the Association of Certified Fraud Examiners, 44 percent of perpetrators are employees, 34 percent are managers and 19 percent are owners/executives. There are several types of payroll fraud, including:

Time Fraud: Employees might log extra hours worked or have other staff members clock their time cards in/out so as to leave an inaccurate record. Employees may also claim extra overtime worked.

Benefit Fraud: Staff may leverage sick days or workers’ compensation claims inappropriately.

Ghosts in the Machine: In these cases, staff create fake employee profiles or use the information of workers who have recently left the organization to keep collecting checks.

False Expenses: Inflated or falsified travel and expense claims can add up over time, especially if individual amounts aren’t large enough to catch the attention of finance leaders.

Error Issues

While it’s tempting to attribute all payroll losses to fraud, watch out for payroll errors. For example, if employees are misclassified as exempt under the Fair Labor Standards Act, you may not be paying them overtime, or for time spent training.

The lesson here? Make sure payroll solutions are working properly before you go looking for fraud.

Mitigating Factors

So how can you help limit the chance of payroll fraud? It starts with employee training. Be up-front about the causes and outcomes of fraud and encourage staff to speak freely about their concerns. The goal is to create a corporate culture of integrity and respect.

Careful oversight is also essential. This means conducting a regular, thorough evaluation of current payroll procedures, which can help spot possible “ghost” payments, catch time-card fraud and reduce the chance of expense-claim fraud.

It’s also a good idea to have a third party perform regular audits. This offers a dual benefit: In the event that payroll staff are committing fraud, outside evaluation may help detect irregularities, and having a fresh set of eyes examining time-card, overtime and benefit claims can help identify issues that might otherwise go unnoticed.
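As an added illustration of the oversight described above (constructed sample data and hypothetical record layouts, not code from ADP or any payroll product), the following script cross-checks a pay run against the HR master for the ghost-employee, post-termination and overtime patterns listed under Common Causes, plus one account receiving pay for several employee ids:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Employee:
    """HR master record (constructed sample data, not real people)."""
    emp_id: str
    name: str
    termination_date: Optional[date]  # None means still active


@dataclass
class PayRecord:
    """One line of a payroll run (constructed sample data)."""
    emp_id: str
    pay_date: date
    regular_hours: float
    overtime_hours: float
    deposit_account: str


# Constructed HR master: E002 left in March, E999 does not exist in HR at all.
EMPLOYEES = [
    Employee("E001", "A. Example", None),
    Employee("E002", "B. Example", date(2024, 3, 15)),
    Employee("E003", "C. Example", None),
]

# Constructed April pay run. Note that E999 and E002 share one deposit account.
PAY_RUN = [
    PayRecord("E001", date(2024, 4, 5), 80.0, 4.0, "ACCT-1111"),
    PayRecord("E002", date(2024, 4, 5), 80.0, 0.0, "ACCT-2222"),
    PayRecord("E003", date(2024, 4, 5), 80.0, 30.0, "ACCT-3333"),
    PayRecord("E999", date(2024, 4, 5), 80.0, 0.0, "ACCT-2222"),
]


def find_payroll_anomalies(employees: List[Employee], pay_run: List[PayRecord],
                           overtime_limit: float = 20.0) -> Dict[str, List[str]]:
    """Cross-check a pay run against the HR master; return emp_id -> reasons.

    Checks: payee missing from HR (ghost), payee paid after termination date,
    overtime above a per-period threshold, and one deposit account shared by
    several payees (a common sign that a ghost's pay is being diverted).
    """
    master = {e.emp_id: e for e in employees}
    findings: Dict[str, List[str]] = defaultdict(list)
    payees_by_account: Dict[str, Set[str]] = defaultdict(set)

    for rec in pay_run:
        emp = master.get(rec.emp_id)
        if emp is None:
            findings[rec.emp_id].append("no matching HR master record (possible ghost employee)")
        elif emp.termination_date is not None and rec.pay_date > emp.termination_date:
            findings[rec.emp_id].append(f"paid after termination on {emp.termination_date}")
        if rec.overtime_hours > overtime_limit:
            findings[rec.emp_id].append(
                f"overtime {rec.overtime_hours:.1f}h exceeds limit {overtime_limit:.1f}h")
        payees_by_account[rec.deposit_account].add(rec.emp_id)

    # Second pass: one bank account receiving pay for more than one employee id.
    for account, ids in payees_by_account.items():
        if len(ids) > 1:
            for emp_id in sorted(ids):
                others = sorted(ids - {emp_id})
                findings[emp_id].append(f"deposit account {account} shared with {others}")

    return dict(findings)


if __name__ == "__main__":
    for emp_id, reasons in find_payroll_anomalies(EMPLOYEES, PAY_RUN).items():
        print(emp_id, "->", "; ".join(reasons))
```

Run against real exports, the same checks belong in the periodic review: join the pay run to the HR master and the termination list, then look at shared accounts and overtime outliers before examining individual time cards.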

The bottom line? When it comes to payroll fraud, be both proactive and reactive in order to create a system where malicious theft is easy to detect and a culture where employees are unlikely to want to attempt it.

This article provides general information, and should not be construed as specific legal, HR, financial, insurance, tax or accounting advice. As with all matters of a legal or human resources nature, you should consult with your own legal counsel and human resources professionals.