News, Info and More…
Before the threat of a cyberattack became a top concern for business leaders and board members alike, finance played a limited role in security management. Today, finance leaders increasingly find themselves part of the team responsible for developing and implementing their employer's cybersecurity strategy. So why the change? Why do finance leaders now play such an important role in protecting organizations from the never-ending and increasingly damaging stream of cyberattacks?
The reason is quite simple to appreciate, especially for those who have watched the finance department evolve from its role of corporate check-signer to a critical department with a permanent position in the C-suite. By virtue of its role as corporate accountant, the finance department is often the only area within the organization that possesses a detailed view of the firm’s entire operations, warts and all. Therefore, since cybercriminals look for security gaps across the enterprise, finance’s detailed knowledge of the organization’s inherent strengths and weaknesses can help ensure the deployment of an effective cybersecurity program.
Educating the Boardroom on Security Management
This overarching view of the organization’s operations is just one reason why finance leaders continue to play a bigger role in stopping cyberattacks. Cybersecurity is a complex topic with the potential to overwhelm board members, especially those with limited technical knowledge and experience. Since finance leaders distill and present complex financial data to the board on a regular basis, they often know how to deliver information in a way that builds trust and triggers action. When discussing cybersecurity-related topics, they can leverage their existing relationships with each board member, anticipate the types of objections individual directors might raise and, consequently, present an insightful, detailed and compelling case to justify the investment in cybertechnology.
Further, given that finance leaders know where a firm’s critical assets reside within the corporate network, they can provide context for requests to invest in cybersecurity technology. Using layman’s terms, they can describe what a proposed technology investment will accomplish that the existing software and hardware is unable to do. They can explain to board members in specific terms why it’s important to invest in a next-generation firewall, for example, and how that software protects the firm’s critical assets.
Providing such context can make the difference between the board accepting or rejecting a request for an investment in technology. Without context, a CIO’s request for a more advanced firewall might fall on deaf ears if the board fails to understand the “why” driving the purchase decision. Finance leaders can also function in their traditional role by explaining the impact of any cybersecurity-related purchases on the organization’s existing budget and projected financial statements.
A New Era Creates a New Role for Finance Leaders
The rush to automate business transactions means that technology will play an increasingly larger role in how businesses operate as a whole. Unfortunately, the more technology that businesses embed within their operations, the greater the threat posed by cybercriminals. Finance leaders excel at the basic elements of their role, yet today, they must also help bridge the gap between the board and the IT department. In extreme examples, the ability of an organization to withstand a cyberattack and remain in business depends on it.
The W-2 phishing scam often targets payroll and HR professionals. Learn how to prevent it and what to do if your data is compromised.
Often appearing to be from a corporate executive, it begins with a friendly “Are you working today?” email. But the W-2 phishing scam quickly escalates to a request for W-2 information.
What happens when fraudsters succeed? “Cybercriminals who successfully steal W-2 forms immediately attempt to monetize their thefts,” notes the IRS. “Criminals may immediately attempt to file fraudulent tax returns claiming a refund. Or, they may sell the data on the internet’s black market sites to others who file fraudulent tax returns or use the names and SSNs to create other crimes.”
Here’s what finance leaders need to know about avoiding W-2 phishing scams and limiting the damage if one should occur.
Any employee — especially in this case HR or payroll staff — who has access to sensitive information should receive regular training and updates on phishing scams and how to avoid them. The IRS notes, for example, that it “never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Cybercriminals, when they learn of a new IRS process, often create false IRS websites and IRS impersonation emails.”
In addition, cybersecurity experts strongly recommend auditing and potentially reducing the number of employees with access to W-2 and other sensitive information. The more people with access, the greater the risk of falling victim to a scam.
In the unfortunate event that employee information has been compromised, speed is of the essence. As soon as you believe that you may be a victim of a W-2 phishing scam, the IRS recommends emailing email@example.com to alert them of a W-2 data loss. Putting “W-2 Data Loss” in the subject line will help ensure that the email ends up in the right place. In the email, make sure to include the following information:
Business employer identification number (EIN) associated with the data loss
Contact phone number
Summary of how the data loss occurred
Volume of employees impacted
In the email, do not include any employee personally identifiable information.
October is cybersecurity awareness month — and while organizations can never drop the ball on securing corporate networks, the end of summer is a great time to pause, take a deep breath and take a hard look at security processes currently in place. Is your business doing enough? Where can finance leaders improve? How can your organization stay ahead of threats?
From mitigating systemic threats to evaluating internal controls, reducing BYOD risk, boosting email security and educating employees on data safety, we’ve collected the top five tips to help enhance your security posture.
1. Stemming Systemic Financial Risk
As noted in Cybersecurity Attacks: The Rise of Systemic Financial Risk, the interconnectivity of modern organizations creates tremendous opportunities for businesses and attackers alike. The result? Costs are on the rise with enterprises out almost $1 million per attack. More worrisome? Systemic, widespread threats such as popular POS compromises or “runaway algorithms” could have global repercussions. Staying safe means recognizing this new threat vector and implementing new security controls, such as cloud-based monitoring systems for automated algorithms that communicate with human IT personnel, and ensuring all third-party security expectations are clear and in writing.
2. Improving Internal Controls
Effective cybersecurity awareness demands solid review and testing, particularly when it comes to internal controls. As explained in Reevaluating Internal Controls for Financial Security, while permission-based controls are essential, organizations also need to stop and ask themselves why specific controls are in place. It’s also a good idea to regularly audit and test your control system for faults, then ask employees to “swap roles” for a day to get a fresh perspective — new users often see issues that staff using the system every day might overlook.
3. Mitigating BYOD Risk
Finance leaders can’t avoid BYOD, but they do need a reliable way to mitigate potential security risks. As noted by Mitigating Risk in BYOD Security, “corporate networks can be easily breached through lapses in BYOD security” and this risk is increasing as employee devices diversify. The solution? Start with reliable, cloud-based mobile device controls that let IT monitor connections, regulate downloads and wipe data at a distance if required. Just as important? A robust mobile management policy which clearly states expected employee conduct and potential consequences.
4. Evolving Email Security
Despite the rise of SMS and video conferencing, email remains the go-to corporate communications method. The problem? As noted by Leading the Charge: HR Managers and Employee Email Security, 30 percent of phishing emails are still opened by employees and more than 10 percent of staff click on suspicious links — putting entire networks at risk. Security here requires a dual effort: First, organizations need to leverage technology controls such as Transport Layer Security (TLS) and Domain-Based Message Authentication, Reporting and Conformance (DMARC) to manage obvious attacks. Next, finance leaders should tap human resource professionals as “the ideal choice to design people-friendly training plans, which help staff recognize potential email scams and report any accidental opening or downloading.” Put simply? Tech solutions combined with “human firewalls” can help evolve email security efforts.
5. Educating Employees on Data Safety
Employees also feature in the effort to improve data safety. As the article 4 Methods to Enhance Data Security highlights, “data security begins with the employee.” But what does this look like in practice? First, staff must understand the value of their network credentials; passwords and login details should always be kept confidential. Next up is strong password creation. Consider: Bill Burr recently took back his advice on regularly changing passwords and ensuring they’re replete with numbers and symbols. Now, experts suggest that employees create strong passwords composed of phrases or concepts they’ll remember, and only change these passwords in the event of a potential breach. Last but not least? Restrict access per-employee and across departments.
Cybersecurity awareness month offers the opportunity to take stock, evaluate current processes and make infosec improvements. Start strong — address systemic and BYOD risk, improve internal controls, evolve email access and educate employees to shore up corporate security.