Category Archives: My Two Cents

Just In Case


I’m that person. Next to you on the plane. Pulling out that safety booklet and reading it, from beginning to end. I’m that person. Listening attentively while the flight attendants go through their entire routine, from how to buckle and unbuckle your seatbelt, to the reminder to not inflate your lifejacket until you are outside the plane. Every time, I’m that person. I look around for the nearest exit and sometimes do a mental calculation of my best route there. I check in the booklet to see where my lifejacket is supposed to be and I sometimes feel about to make sure that the booklet is correct. As often as I have flown, I take the time to go through the process and remind myself of what I know and to see if there is something I have missed in the past or a new instruction that may have been added.

Sometimes I wonder if it’s a bit much. However, recently when a plane in New York City made an emergency landing, video taken by a passenger showed that many people on that plane had no idea how to operate the lifejackets and way too many of them had inflated their lifejackets while still inside the plane. This may have been related to panic during a stressful situation but, from looking around me during the pre-flight safety instruction session, it seems the bigger issue is that most passengers just don’t pay attention. There are more interesting or pressing matters that command our attention and, specifically for those who fly often, we are likely lulled into an arrogance of the familiar. We have done this many times before, we must know exactly what’s up at this point. It may be only on that rare occasion of an emergency that we realize that it has been so long since we paid attention to the instructions that we now have a very vague idea of what to do.

Many businesses will have a company policy, code of conduct and operations manual and include training. When a new employee starts with a company there is often some kind of onboarding process that includes either training sessions or handing over a policies and procedures manual or a combination of the two. In addition to sharing with the employee how the employee should go about doing their job, the training and manuals should also include what should be done when things go awry. These instructions should be clear, and employees must know not only what to do but also who to go to for guidance when things are not right. Employees must also know who to inform and the various levels of leadership that this information should go through. If there is no protocol, an employee will not know who to take a problem to and those who are told may not know what to do with the information. You don’t want to be that company in the news admitting that people noticed an issue early on but that the information did not make its way to the right people to manage it.

In addition to the initial training, companies should remind employees often. This can be performed in-person, in an online session or through other messaging, like posters around the company. It is dangerous and foolish to believe that employees will remember their week of training or the contents of a manual years into employment, especially because, during the first week at a company, an employee is not yet familiar with the day-to-day workings of that company. When a crisis hits, you don’t want to be the person being told, “You should have known what to do. We told you during your initial training, ten years ago.” You especially don’t want to be the person asking a coworker why they can’t remember that old training – honestly, what do you remember from ten years ago?

Thinking about your business, take steps to:

  • Include in your training what a person should do when something is wrong, who they should report to, and options for anonymous reporting in case the matter is sensitive and an employee might fear retaliation for reporting.
  • Make sure that your training is clear and easy to understand and follow up with employees to make sure that they have understood and retained the training.
  • Have a non-retaliation policy at your company, for people who report wrongdoing and errors. This policy must be something your business takes seriously.
  • Have a disaster recovery policy that you revisit and update regularly. Make sure your employees are familiar with the policy so they know what they are responsible for doing.
  • Have important policy information displayed around the office, to remind employees what is expected of them.
  • Perform regular training updates of your employees so that you are not relying on ten-year-old memories.

It takes me only a couple of minutes to get through the safety brochure and some airlines put time and energy into creating engaging and fun pre-flight safety videos that are actually fun to watch. I hope I am never in a flight emergency situation, but I go forward knowing that if that should happen, I shall at least remember to not inflate my lifejacket while still on the plane.


Taking Over…


Last year, I visited Atlanta Airport seeking an incident report. The airport is a massive place and, after I found a very helpful airport employee, I wound up outside the emergency services offices. Fortunately, the staff was both friendly and helpful and, within minutes, the gentleman I was speaking with was asking his colleague to look up the incident in question in order to provide me with the information I needed for the next steps forward. It all seemed very easy until it wasn’t. His colleague looked at his screen and then stated that something seemed to be going on and his computer was not responding. After trying a few things without success, I was given a phone number to call and follow up. I was to get what I was looking for within the next couple of days.

I left and heard nothing for almost a month, which actually worked out for me because I was traveling a lot and would not have been able to do much with the information. When my call was finally returned, I learned that the reason it had taken so long was that the city of Atlanta had been taken down by a ransomware attack. The day I was at the airport was when the attack was happening! Imagine that, I was in the midst of a lot of drama and excitement and had no idea. The only story I have to tell is that I saw a blue screen of death and then it took three weeks for my call to be returned.

I will say this: if anyone is affected by a ransomware attack, my story is probably the best outcome to have. A couple of years ago I shared a story about my friend whose clients were victims of ransomware attacks where $300 to $600 was demanded of them. In that time, ransomware attacks have become more sophisticated and a lot more frequent. Cryptocurrencies have also contributed to the boom because it makes the attackers more difficult to track down. As I wrote in a piece on ransomware, the first known ransomware attack happened in 1989, where the attacker sent floppy disks to attendees at a conference. A program on that disk locked the computer on its 90th restart, demanding $189 of the user for a resolution. The Atlanta ransomware attackers demanded $52,000 (and it took over $2.5 million for the city to recover from the attack). The attackers may ask for what may seem like relatively small amounts when they attack but it adds up. In 2016, ransomware attackers made over $1 billion and that amount climbs every year. In addition to the upfront cost of the ransomware demand, often a victim has to spend a lot of time and money recovering from the attack. I mentioned before that Atlanta spent over $2.5 million and they are not alone. Ransomware damages are predicted to reach $11.5 billion this year.

As you can see from my friend’s experience and that of Atlanta, there is no victim too large or too small for an attack and so it is imperative for all of us to take steps to protect ourselves and do what we can to mitigate any damages should we be attacked.

  • The first easy step is backup, backup and then backup offline. Because I have had backups fail on me, I try to have two backups of information and it is important to make sure that your backup is separate from your computer. In this way, should your computer be attacked, your backup will be someplace else.
  • Then try to use two-factor authentication for your logins. Many applications and websites already insist on this but try to make it a habit for yourself, whether or not someone else is doing it.
  • Update your passwords regularly – yes, it’s a schlep but especially with very regular news about companies being hacked, companies that house your sensitive information and logins, it makes sense to keep changing these.
  • Be careful about opening up emails and clicking on attachments or links in those emails. I know we live in a world with way too many emails and way too little time, but think before you click. If you receive an email you are not expecting, check to make sure that it is a valid email. Just last week, I received an email from a fellow CPA and when I checked with her, it turned out that her email was hacked and was sending out malicious links. If the tone and language of the email are vague or don’t sound like the voice of the person you have dealt with in the past, double-check with the person. It doesn’t take long and can save a lot of pain.
  • Update your software. A lot of ransomware takes advantage of vulnerabilities in software and of the fact that many people do not regularly update their software. Set your machine to update automatically, then you don’t even have to think about it.
  • If, unfortunately, you are a victim of a ransomware attack, think on it before you pay. You are dealing with criminals. Although it seems that more often ransomware attackers do restore machines after attacks (it’s better for business, apparently) it is not assured. Often people find that they have no option because they do not have a recovery plan. If you have the option of recovery, it is easier to make the decision on whether or not to take the chance of paying.

Ransomware is on the rise and so it seems that more of us are at risk than before. It is smart to take a few protective steps if only to keep you from taking weeks to return a call.

 


Keep Rolling


When I first started running, I was out training, and my knee suddenly buckled in pain. I thought I had broken something, but it turned out that I had IT band syndrome. I tried several approaches to get better. Among these, I would change up my routes so that I was balancing out which leg was favored, I worked to improve my gait and I started foam rolling. No one warned me about that rolling. I think tears sprung to my eyes that first day I foam rolled. I know for sure that I yelped in pain, several times (thankfully I was alone). I couldn’t believe that I was supposed to do this every day, but I had to roll through the pain because I had a race on my schedule and I needed my knee to start working again.

After rolling consistently, I was amazed by how much better everything worked. I was also incredibly relieved that the rolling didn’t hurt so much anymore. I was a foam rolling disciple and whenever anyone told me they were contemplating taking up running, I urged them to also contemplate taking up foam rolling. At a point, I actually found joy in foam rolling. I could get through a rolling session with nary a yelp. It was glorious.

Recently, foam rolling slipped out of my life. After a fall apparently chipped a piece of my knee into non-existence, I could not run at all and I was, instead, focused on weight training to strengthen my knees. At the end of a week of working out, the trainer advised a foam rolling session. I didn’t even think twice; I hadn’t been running, how bad could things be? Painfully terrible, it turns out.

Managing controls in a business works in a similar manner. Sometimes, when a company sets up or has an auditor highlight weaknesses in its control systems, the company will go about creating policies and procedures that address risks and institute controls. At times, with that company, new hires will be given these manuals to read and, if they are lucky, these new employees will receive training. This training will teach the employees about the culture of the company and how to follow policies and procedures, in order to minimize risk within that company. However, how often will that company review its policies and procedures to see if they are relevant to technological advances and new risks that have arisen?

  • How often will the company’s leadership review policies and procedures with existing staff, to ensure that people have not slacked off and are still, for instance, getting the approvals that they are supposed to obtain for transactions?
  • Is anyone checking that reconciliations are occurring monthly (or at whatever frequency has been established) and, once performed, that those reconciliations are being reviewed by the relevant staff?
  • If there is a policy for checks over a certain amount to be signed by two signatories, is anyone reviewing to make sure this is the case?
  • When employees have left the company, has their access to the company’s system been suspended? Once suspended, have their accounts been deleted so that no one else in the company can use them? If they were signatories for bank accounts, has the bank been informed and has the bank removed them from the signatory list?
  • Have the company’s staff received training in how to reduce the risk of phishing?
  • Has the company’s leadership received any training themselves to update them on current risks and to remind them what the policies and procedures of the company are?

These are just a few examples of the many ways in which a company should be regularly checking in and exercising its control muscles. If all you are doing is handing over a manual on day one and assuming that your staff knows what and how they need to do things, you are only setting yourself up for possible pain in the future.

  • Can you be surprised if one of your staff members gets phished and hackers gain access to your company? Think about the pain of finding out that someone pretending to be the CEO sent an email that instructed accounts payable to wire a sizeable amount of money to an offshore account and that accounts payable fell for the scam.
  • If no one is regularly reconciling accounts, can you really be shocked when you discover that an employee has taken advantage of this lack of oversight and embezzled money?
  • If accounts of former employees are not properly suspended and deleted, how will you figure out who has been using them since the former employee left? How will you be able to trace unauthorized transactions?
  • If your company’s leadership is not up to date on policies and procedures, how can they enforce them? At that point, everyone will be just guessing and hoping for the best. Being unprepared and hoping for the best tends to only work out well in the movies.

Maintaining and updating policies and procedures should be a proactive and continuous activity. Speak with a forensic CPA about how to create, institute and regularly review your control systems to reduce risk in your company. It may seem like a schlep in the beginning, but having the systems serves as a deterrent to those contemplating wrongdoing. It also keeps your staff more educated about how, for instance, they can recognize errors or attempts to suck them into a scam. This can also mean that when something is going awry, it is spotted earlier, minimizing possible losses.

You should be doing this to avoid or, at the very least, minimize any future pain. You don’t want to be like me where incredible pain leads you to even more pain, on the eventual path to healing. Take it from my IT band, proactive is so much better than reactive.

 


Three Words for 2018? We Got This!


Over the last week, I have been thinking about 2018. I don’t know about you, but 2018 snuck up on me. One moment I was caught up in the day-to-day of 2017 and the next moment 2018 was just a couple of weeks away! After my initial panic, I thought – well, it’s great because I get to think of my three words. Three words? Well, if you haven’t been on this journey with me before, I shall explain. In 2012, I met and was inspired by Tom Hood and he introduced me to the Three Words approach, which came from Chris Brogan. At the start of every year, now, I sit and think about what three words I would like to guide me through that year. During the year, I come back to those words, to help center, direct and motivate me. Over the last few days, I have thought about how to make this work better for me, and I determined that I must display these words to remind me, even when I am not thinking about being reminded, to move me when I feel stuck and to hold me accountable. I say this in part because, 2017 was a challenging year for me and I found that I often lost track of my guiding lights. Involved in, and sometimes overwhelmed by, the moment, I often forgot to even look for my words. Putting the words everywhere, will go a long way to keeping me mindful of that.

Last year, I started looking back over my year and I have found this to be a great way to assess how things went and to help me set my intentions for 2018. My three words:

Imagine. This is the first word that came to me. During 2017, in part through work and volunteering with the New York State Society of CPAs and the AICPA, I have had some truly new experiences. I have learnt how to play poker and how poker skills can benefit me in the workplace; I have worked with a team to consciously inch towards better health – physically, emotionally, and spiritually – and that has included laughing more and skating in Bryant Park; I have collaborated with incredible people and presented in various spaces, from a national conference to a college campus. During the year, I have been involved in conversations that have opened my eyes, that have ventured into spaces that we are often afraid to even tiptoe into, that have renewed my hope when things have seemed bleak. I have often reminded myself to listen and to hear because that is when I find the moments that hit me hard and that get me to imagine and those moments are incredible. When we imagine, and step outside of what we know, we can find brilliance, we can find understanding and, just as important, we can also see and revise the not so great. In 2018, I want to imagine without fear of where my imagination will lead me. I want to imagine and be okay with when what I imagine doesn’t always work out. I also want to make sure that I make the time and space for my imagination. Back in 2015, I tried to create space for me to be bored, which is a big part of creating the space for imagination and, as the exercise stated, brilliance. It did free my mind in great ways and, looking back and looking at now, I know I need a lot more boredom in my life. And I still haven’t finished my Starry Night jigsaw puzzle!

Innovate. During 2017, I listened and took part in conversations about change. The conversations were about artificial intelligence (AI), about blockchain (and cryptocurrencies, like Bitcoin) and about cybersecurity. Other conversations were about what diversity, inclusion, and belonging mean and if and why it is important. We had conversations about what to do about all the change happening in our professions, in our world and in our lives. We talked about how we react to it and how we can embrace, be ahead of and even create greatness out of all the change. Beyond the conversations, we brainstormed and tried new things. We looked at the new approaches others took and ran with them. I spend a lot of time looking at challenges and how, sometimes, people take the same approach to resolving them and see minuscule results. As much as we tout how “change is good”, it is a human thing to resist changing the status quo. During this year, I want to innovate. I want to collaborate and brainstorm and determine to try something new. I want to embrace the difficult conversations, appreciate and improve upon feedback and, on my part, provide truly constructive feedback. I want to remember the power of synergy and never forget that the best innovations come through a community of people sharing, listening and taking risks.

Act. My third word came to me after I wrote and thought about my 2017 look back. When it comes to training, I have established and go with what gets me to success. If I have a race, I print up a daily timetable that includes rest days, cross training days and exactly what I shall do on each day (distance, goals, tempos if needed). The night before every training, I put out exactly what I am going to wear on the day and I determine my route. I think about and take away all my excuses so that, when I wake up, I just do exactly as planned and that gets me a step closer to where I need to go. I keep my schedule on the wall and tick off each day as I go along. During 2017, I often did not apply this approach. As a result, especially where I felt the stakes were high, I became adept at getting cold feet, at second-guessing myself and at putting things off until I decided it was too late to do them. There are many reasons why this happened but knowing the reasons and doing nothing about them is not helpful. I am going to do more acting in 2018. To help me do this, I am going to find the ways to take away my excuses, and I am also going to be more realistic about what I can get done, so that I don’t end up doing many things in a mediocre manner that only serves to disappoint me and others. I also must remember to be kinder to myself when I act and to see the power in action. I must remember that it is through action that I can bring value and have impact.

Before diving into 2018, I want to take a moment and meditate upon my previous three words:

2013 – Change, Discover & Motivate
2014 – Transform, Pursue & Collaborate
2015 – Receptive, Synergy & Service
2016 – Learn, Fear & Community
2017 – Embrace, Persevere & Monchu

Several years ago, I went to Hawaii with friends and decided to take surfing lessons. I was a couple of months out of surgery and hesitated before I went out – I wasn’t at full strength, everyone else was going on a fun outing and I would be doing this solo, as no one else was interested. But, I had been thinking about taking a surfing lesson and I had told my surfing neighbor (who ultimately became my husband) that I was going to take a lesson and that made me feel accountable. During the lesson, I fell countless times, I scraped my knee and sometimes even got to the point where I was able to ride a wave while kneeling on the board. Then, I stood, and rode, and didn’t fall off. It was glorious and totally worth every fall, and the skin missing from my leg. When I finally fell off the board, I rose out of the water with a victorious yell! It is this that I must remember – it is a journey but it can only happen if I Imagine, Innovate AND Act.

Happy and wordy 2018 to you! Please share with me – what are your words for 2018?


Fare Thee Well!


“2017 was an intense year”. That’s the news alert that I received on 26 December. You’re not kidding me! – that was my response. This year has been a more challenging year than I expected it to be. Last year, I decided to do a year in review. Looking back helped me think more about my plans for the future. I have decided to do the same thing again. It is important to take stock. Without that, how can one think about the future?

As the year began, I decided to deal with minor health issues that turned out to be way more tedious and drawn out than I ever expected. Something that I thought would not take much time at all ended up lasting through July. What a drag. A trip that my husband and I had been planning, to visit my grandmother, was postponed. Then, on 10 June, my grandmother passed away. It was devastating news and made more so because, being in the midst of my own treatments, I could not travel for her funeral. The silver lining in this was that I discovered something I had never known. My family in Zimbabwe shared the above photo and I was stunned to see just how much I look like my grandmother.

Despite the challenges that came with the new year, I was honored and excited to be an instrumental part of a new committee with the New York State Society of CPAs – the Diversity & Inclusion Committee. It has been an eye-opening and insightful year, working to provide programming to our members to improve diversity & inclusion in our profession and to have frank and enlightening discussions and events around the topic. I have had fun times with members and those who have attended events and I like to think that, one little step at a time, we are making progress.

I have continued with the cello lessons that I started a year ago. I have woken up on Saturday mornings, exhausted after a long week at work, drained and not looking forward to the long drive back to downtown Brooklyn and the horror that is looking for a parking spot. However, once I get into class, I find joy. Our cello instructor started an adult orchestra and I have already had two recitals. A year ago I was learning how to play “Twinkle, Twinkle” and that was an important milestone. A couple of weeks ago, our orchestra played the theme to Jurassic Park AND I played a solo!! I’m no Yo-yo Ma (and never plan to be) but I always welcome the opportunity to work my brain and heart in new ways. I believe it makes me a better person, a happier person and a much better CPA!

I have continued to be inspired by high school and college students. These interactions renew my energy to work to build the pipeline to our profession – there is so much incredible talent out there and some of that talent should be a part of our profession. I speak with young people who are full of passion and promise and it fills me with joy!

I spoke at the AICPA’s Forensic & Valuation Services Conference. I met an incredible range of fellow professionals and came away feeling as though my brain had expanded a little bit. Every year, I look forward to sharing thoughts and insights and learning from Forensic & Valuation professionals and this year did not disappoint.

During the year, something I struggled to do was run. A couple of years ago, while taking out the trash, I tripped over a concrete block in my parking lot and fell, hard. I fell hard enough to fracture my leg and spent several months in a brace. As I failed to make a comeback, I went to see a doctor and found out that I had a torn meniscus. I closed out the year with a procedure to fix the meniscus. That is all sorted out, but it turns out that, through that fall, where I wasn’t even running away from a rabid raccoon, I managed to do more damage to my knee that may need to be sorted out. The sad part of this is that I have been told to give up running. Honestly, I was gutted. Running has become a large part of who I am. My runs are my quiet time, they are my meditation and my medication. I have run through a Times Square that is cleared of traffic and pretended that I am trying to escape zombies. I have run through all five boroughs of New York City, during the marathon, and found delight and strength from those lining the route. To be told, “no more” is a difficult thing to swallow. I keep faith that I shall find new adventures and hold the secret (not so much now) hope in my heart that I shall run again.

  • I skated in Bryant Park and even let go of the railing!
  • I spent time with friends and family at the beach (I live here now!)
  • I went to an interactive screening of The Big Lebowski. There were a lot of bathrobes and even more spandex.
  • I have met new people who have made my life better.
  • I continue to be extremely grateful for all those I have known, who have given me hope, joy and support, sometimes even when they don’t realize they are doing so.

Yes, 2017 was a year with pain and disappointment but 2017 was also a year of inspiration and joy and it is important to see the progress that we have made, the work that has been done and the relationships that have been formed and built upon. I am ready for next year because I know I have great things to carry forward with me.

It is two days before 2018 – a year that will bring the Winter Olympics and the FIFA World Cup! I already have three words for 2018 – Bring It On!!!


Oh, Not So Much Fun…


On Christmas day, I was chatting with my niece, during family celebrations. My phone buzzed and I saw a notification that she had just sent me a message. That was truly odd, because, as I mentioned, we were chatting and, unless she was using her telepathic skills, she was not texting at the same time. Nevertheless, I asked her if she had sent me a message. She looked at me as though I had lost my mind, but double checked her phone and shrugged. It wasn’t me, she said and carried on with her day. Since she was engaging with people and not her phone, and because we were having a fun time with family, I decided that the likely bad news could wait.

I attended a talk earlier in the year where the speaker told us – There are two types of people: those who have been hacked, and those that don’t know it yet. By the time we got home, my niece had gone from being in the latter group to being a panicked person in the former. Often, a person finds out that they have been hacked when, as happened to my niece, their contacts complain about spam messages that they have received from that person. However, more and more often, people don’t know that they have effectively been hacked because the party hacked is a company that is holding people’s information.

In 2017, the most notorious example was on 17 September, when the credit reporting agency Equifax was hacked. Initially, the information was that about 143 million people might have been impacted. However, that number has climbed and what kind of information was accessed was vague. When people tried to check with Equifax, they often got different responses each time that they tried. Also, as the months have gone by, the number of people impacted has climbed. If Yahoo! is anything to go by, who knows what the final count will be. The best advice to take right now is to assume you have been impacted and to take preventative steps and, if you have not already done so, freeze your credit with all four of the major credit reporting agencies.

What is unsettling about how companies announce that they have been hacked is how long it takes for the news to come out. Equifax claimed that it discovered its breach at the end of July but it only made a public announcement in the middle of September. It was only in October 2017 that Yahoo announced that all of its accounts were hacked in 2013. That’s not a typo; they are telling us that if you had Yahoo, Flickr, Tumblr, or any other account owned by Yahoo, you were hacked in 2013. What is anyone supposed to do with that information, four years later? This is worse than a “Look out for falling ice” sign. In November, we found out that Uber had been hacked in 2016 and that the company had opted to pay off the hackers to destroy the information and keep the hack quiet.

The big takeaway is that it may be a while before anyone lets you know that you have been hacked and, unless you live completely off the grid, it is smart, and safe, to assume that you have been hacked. That said, there are steps that you can take to try to minimize the damage that can be caused by hacking:

  • Freeze your credit with the major credit bureaus. Learning about the Equifax breach was especially frustrating because people do not choose to share their information with the credit bureaus. I rolled my eyes at a headline that referred to “customers” being compromised. The best one can do right now (beyond not having a credit history of any kind) is to try to limit how much information gets out.
  • Check your credit regularly. Do this at least quarterly, to make sure that cards have not been opened in your name and without your permission. Annual Credit Report is the only website authorized by federal law to provide you with a free credit report from a credit reporting agency every twelve months. A great way to spread out the checking over the year is to get a report from one of the agencies every 4 months (instead of getting all three in one fell swoop).
  • Use two-factor authentication. This gives extra security over only using a password. The most common method of two-factor authentication is having a company send you a text with a unique code, before you can complete logging into an account.
  • Don’t click on every link you come across. If you receive an email with a link and it is not something you have been expecting (and sometimes even if it is something you have been expecting) don’t click on a link because it is there. Check the email to make sure you recognize where the message is coming from.
  • If you trust the link and have clicked on it, still be careful about what information you share. If you start to feel as though a company is asking for too much – either over the phone or through a website – stop sharing information. Find out, independently, if you really need to share that information and, again, make sure you know who you are sharing your information with and why.

Try to include these in your list of New Year’s resolutions. It won’t stop you from being hacked but at least, it may improve your chances of finding out about it early and taking appropriate steps.


If Lost… Then What?


At the end of May, I was on my way to an event, when a flash of pink on the sidewalk caught my attention. I stopped and realized that I was looking at a small square of leather. I bent down, picked it up and turned it over in my hands. It was a wallet with a MetroCard, some credit and debit cards and a driver’s license in it. I pulled out the license, looked it over, and walked over to the restaurant that was a few feet away from where I had just found the wallet. I must have made a few people nervous, staring at them and then down at the license, to see if anyone there resembled the photo. No luck. I then pulled out my phone and tried a few quick searches, online, to see if I could figure out how to contact this woman. Her name was more common than I imagined; several options came up and none appeared to be her. Yes, her license had an address on it but, the license had been issued several years earlier and people in New York City can move around quite a bit, in search of amenities such as a view, an elevator or affordable rent. As I was running late, I decided to go to my event and put my search off until later. On my way, I spotted a parked police car. I got excited, thinking that I may be able to hand over the wallet, but the excitement faded when I got close to the car and found that there was no one sitting in it.

When I got home and had more time to do so, I hunted down the woman whose wallet I had found and delivered it to her. Even if she had cancelled her cards, I am sure she was happy to get her stuff back – who knows, maybe her MetroCard still had 29 days of use left on it. That experience reminded me of a time, years ago, when someone stole my handbag at the airport. I was livid that someone had invaded my space and even stood yelling, in the terminal, for the thief to just take my cash and give me back my stuff. Suffice to say, that did not happen. I did, fortunately, have a kind gentleman give me money to get the train back home. However, a few weeks later, my phone rang and it was the airport, calling to tell me that my bag had been found. They had been able to contact me because I happened to have a dry-cleaning slip in my wallet, and my phone number was on it. I was lucky that I had that slip in my bag but these two events really got me thinking about recovery plans, not just in business, but in other aspects of our lives.

With a wallet, for instance, you can keep a business card in the wallet, or put a small card in your wallet with an email address and/or phone number so that, should you be unlucky enough to lose the wallet and a kind stranger picks it up, they can contact you and figure out how to get it back to you. It is an easy thing to do and could be hugely useful. It doesn’t even have to be your usual email address, if you have fears about your inbox being inundated by unwanted email, you can create an email address that you keep for moments such as this.

We never think that we will either lose our stuff or have it stolen from us but it can happen to any of us. It can be personal or it can be a business loss, such as a system crash, or theft and, in all cases, having a recovery plan will go a long way to make recovery less stressful and less expensive. If, at this very moment, you lost everything on your computer, what would you do? Does the thought give you heart palpitations because you would lose very important data, with no way of getting it back? Would you have to shell out a lot of money and spend valuable time working to try to recover everything? Would you wonder whether or not your business could survive such a loss? If this thought is a scary one to you, you should be thinking about sitting down with trusted professionals, to create and put a comprehensive protection and recovery plan in place. You should review various scenarios, even if you think it wouldn’t happen to you. Things to consider when doing this:

  • Are you backing up your data on a regular basis? Automating this process is a great way to make sure that it happens – you don’t want it to all depend on your remembering to do it.
  • Where are you keeping your backups? Do you keep a backup offsite and unconnected to your current system? You don’t want your backup corrupted, should your system go down.
  • Are you checking the integrity of your backups? It isn’t helpful to think you have been creating backups and find out, when you need the backup, that the process was not occurring.
  • Now that you have backups, do you have a recovery plan? Do you know what you are going to do should things go awry? Does your staff know? Do you have the plan in writing and in a space where it can be easily accessed? Have you trained your staff in this recovery process?

There are people who are well-trained in helping you create a backup and recovery plan and that can start with your CPA. You want someone who has experience and knowledge regarding best practices that are practical, useful and effective.

We are humans who work with technology that we have built. We must, therefore, acknowledge that we are not infallible and create, review and update our contingency plans. And that plan can never just be relying on the kindness of strangers.


Now That I Think About It…


When we talk about fraud and how it tends to happen, the classic fraud triangle is most commonly used to help us understand how it all happens. The sides of this triangle represent opportunity, pressure and rationalization. In this triangle there is a person, just a regular old person, like you and me. Fraud can happen to anyone and fraudsters are often regular people who find themselves under pressure, faced with the opportunity to perpetrate a fraud and the ability to rationalize it all.

Sometimes this person may face pressures. Maybe she has a family member who gets sick and now they have to deal with massive bills. Maybe the person has a gambling problem. Maybe he wants to live the jet set life that he sees his friends living. Whatever the reason may be, these people feel under a lot of pressure to get their hands on more money than they are currently earning.

Pressure or not, maybe this person sees an opportunity to defraud. Perhaps he can sign checks, AND, he has custody of the checkbook AND he performs the company’s bank reconciliations. He has all this access and responsibility and no one checking his work. So, now he has access to the money and he can doctor the books to cover up his wrongdoing. However it works out, these people see a weakness that they can take advantage of.

The third leg of this triangle is rationalization. This is where a person tells himself that there is a justification for what he is doing. Maybe she tells herself that she really needs the money to deal with this one emergency and this will happen only once. Maybe she then tells herself that this will happen only once and, to boot, she has been a loyal employee for a while so the company really owes her a little leeway for all that she has done. Maybe she tells herself that once she is out of this spot of trouble, she will pay the company back and it will be like it never happened in the first place. Maybe he tells himself that he is underpaid and that what he is doing is merely taking the money that he is rightly owed for all the hard work and time that he puts into the business. The rationalizations that people use are practically endless.

Earlier this year, I listened to the podcast “Ponzi Supernova”, a podcast about Bernie Madoff’s Ponzi scheme and what has happened since. One thing that was fascinating about this series was the conversations that Steve Fishman, journalist and narrator of the series, had with Bernie Madoff, infamous perpetrator of a massive Ponzi scheme. Bernie talked about his childhood and how affected he was by his father’s financial failures. Bernie tells Steve that, after seeing his father lose a lot of money and what it did to the family, Bernie swore he would never let that happen to him (perhaps one could see this as a pressure looming over his life). In the early 1960’s, Bernie Madoff violated market regulations and his clients’ trust by losing their money on risky deals. Instead of letting them know that this had happened, he lied to his clients, borrowed money from his father-in-law and carried on as though he was a brilliant investor. Speaking with Fishman, Madoff made it sound as though, because he did not want to fail as his father had, he took these steps so that he could continue to, at least, appear to be successful and very talented.

Bernie Madoff spoke with Steve Fishman a couple of years after he was caught (though, in some versions of his story, he claims he quit). Bernie Madoff also spoke with Diana Henriques, who wrote the book The Wizard of Lies, which is now an HBO Film by the same title. Their interactions also occurred a couple of years after Madoff’s fraud was discovered, after he had pleaded guilty to his crime. Yet, over and over again, Madoff seemed to continue to make excuses for his behavior and try to minimize what he did. Even though, when pleading guilty, he claimed that he acted alone, he has since changed his tune and, as co-conspirators have testified against him, he then seems to say, “well, except for that person, I acted alone”. So, it seems that even after being caught, he is only sharing as much of the truth as he needs to and, what I have found to be most interesting, is that he appears to continue to rationalize what he did.

In an ideal world, one would imagine that having a fraud exposed and pleading guilty would bring a fraudster to his senses. When we imagine a person committing fraud as a regular person who has fallen into irregular behavior, the hope is that putting an end to this irregular behavior will bring this person to her senses and get them to admit that what they did was without excuses; that, even though they rationalized their actions when they perpetrated the fraud, they now saw the error of their ways and realized that the rationalizations were all without merit. During the hearing when he pleaded guilty, Madoff read a prepared statement where he apologized to his victims. However, even that apology came with a “but” attached. “While I never promised a specific rate of return to any client, I felt compelled to satisfy my clients’ expectations, at any cost.” Yet, listening to Ponzi Supernova, you learn that some clients would demand an adjustment to their statements when they did not receive the return they had been promised. Madoff has also placed blame on his victims, claiming that they knew, or should have known, what they were getting into, that he had warned them and that they did not lose as much as they claimed. And, I have found that it is not just Madoff who does this. The Association of Certified Fraud Examiners talks to people who were convicted of fraud and, in video after video, the perpetrators found ways to hold others responsible for what they did – and this is after they had been found guilty and served their sentences. For instance, one blamed her supervisor for being too trusting, “I don’t blame them but…” she started her sentence. Another stated, “I asked you for help and you said no”, while yet another said “I won’t get caught again”, not “I won’t do it again because I realize it was wrong.”

It may be human to not want to admit full responsibility. Perhaps it is too hard for most of us to admit that we have done terrible things. Who really wants to be a monster, blamed for ruining lives, even when those lives are laid out in front of you? And if we are not harshly judging ourselves, even when caught, then can we really adjust our behaviors to do right and get back on the straight and narrow? I don’t know the answers to this but it is something I think about as I perform my work as a forensic accountant. If a person is not able to strip away rationalization and admit that they were just wrong when they perpetrated their fraud, then what are the chances that it won’t be so difficult to do it again?


Makes You WannaCry


A couple of years ago a lawyer friend told me about clients who were coming to her office, panicked because their computers had been locked by parties claiming to be the FBI. In order to get their machines unlocked, these fake FBI agents demanded to be paid a ransom. On Friday, over 200,000 machines were locked by people (I assume it was more than one person) who did not even pretend to be good. They encrypted the information on these machines and demanded $300 to $600 per machine or, they threatened, all the data on those machines would be destroyed. This type of attack is called a ransomware attack. A program is introduced into the machine, and it locks and encrypts all the data on the machine. A message pops up on the infected machine demanding that money be paid, almost always via bitcoin. Once the ransom has been paid, the message says, a method to unlock the machine will be sent. If the ransom is not paid within the time demanded, all the data on the machine will be erased. So much of our lives, both personal and business, is stored on computers; can you imagine what would happen if your computer was locked? The mere thought makes my heart speed up.

Earlier this year, a hacker crew called Shadow Brokers released several tools used by the National Security Agency (NSA). Among these tools was one called EternalBlue and this tool exploited a flaw in Microsoft Windows. Armed with the information that was leaked, Microsoft created a patch to fix this flaw and released this patch in March. Perhaps you have now read this far and you are wondering, if the patch was released in March, how did this massive attack happen in May? How many times has a message popped up on your machine while you are in the middle of something? The message tells you that an update is available for your machine. You see it, but you are in the middle of something important. You close the window and delay the update. This can happen over and over again. Some people, irritated by the notices, turn off the alerts altogether. Now, these automatic alerts are only available on versions of Windows that Microsoft is still actively supporting. So, if you have an older version of Windows, such as XP, Windows 8 or Windows Server 2003, you no longer receive alerts for updates. Either way, there are millions of machines that were vulnerable to attack on Friday. And on Friday, ransomware aptly called WannaCry wreaked havoc all over the world.

It is believed that the attackers gained access to computers and systems using infected zip files attached to emails. People opened emails and clicked on attachments. These emails did not come from friends and the people clicked on attachments, not knowing what they were opening. Taking advantage of the fact that many organizations store their computer information on servers, making all users interconnected, the WannaCry ransomware, once released by one user, made its way through the interconnected systems and attacked other machines, even those belonging to people who did not click on the infected attachments.

This attack has made many things apparent:

  • Keeping secrets can sometimes go very wrong. The NSA knew that there was a vulnerability in Microsoft Windows. If it was not for the Shadow Brokers leak, Microsoft may not have discovered this vulnerability and they would not have developed a patch to fix it. One can also argue that, if Shadow Brokers had not leaked this information, the hackers may not have known to create WannaCry and none of this would have happened in the first place. I have found, though, that generally speaking, secrets are not kept that way forever.
  • When I wrote about the fake FBI attacks, I stated the importance of keeping your computers up to date. I cannot stress this enough. When the reminders pop up on your machine to update your software, update your software. Install the security fixes. If you don’t want to be disturbed, set up a timetable so that your machine will automatically check for and install updates on a regular basis. Remember, also, to restart your machine on a regular basis. Many installations are not complete without a restart and some updates are triggered by a restart.
  • We live in a time where everyone receives more email than they want to deal with. We run the risk of making careless mistakes, opening up emails and clicking on attachments when we have no idea who sent the email and what is in the attachment. Nowadays, you are almost lucky if the only thing that the attachment does is send out a lot of spam to your friends. More often, clicking on that attachment can lead to hackers stealing information from you or holding your machine hostage. Sometimes, even when I receive an email, with an attachment, that appears to be from a friend, I will double-check with the friend to make sure that they have sent the email and their account has not been hacked. The extra step may seem tedious but, enough times I have found out that my friend was hacked, so I keep asking when I am suspicious.
  • If your operating system is no longer supported, you should consider getting new software that is. I say this with mixed feelings. Like most people, I hate being forced to buy something when what I already have has been working well for me and when I don’t like the new version. I feel scammed being made to spend that extra money and if the world only contained righteous people I would tell you to keep your software and change it when you are ready. But, we live in a world where people are ready to take advantage of an opportunity to get money out of you. Microsoft stopped providing support for Windows XP in 2014. This ransomware is specifically taking advantage of this fact. It’s a shame, but it is the way it is.
  • Back up, back up and back up some more. If you are regularly backing up your machine and keeping the backup either in the cloud or on an external drive, you know what you can do when your machine is held for ransom? You can ignore the ransom demand because you have your data saved some place safe. The clock can tick down, the files on your machine can all be deleted and, even though it will suck to restore everything, you can do so.

On Monday morning, people are going to go to work and turn on their machines and many machines running Windows XP or that have not been updated in months will be open to attack. Many of those that are attacked will want to pay the ransom because their data has not been backed up. Just weeks ago, articles were written about how British hospitals spent nothing on cyber-defense. On Friday, they could barely function. Maybe they had started having meetings and started discussing taking steps to protect their systems. But, like we all do when that warning popped up, they put it off. I am sure right now they are wishing they had done something to protect themselves because they had to scramble to fix a disaster.


2017! Three Words! Let’s Go!

Yesterday, I took a moment to look back at 2016 and I am glad that I did. After that exercise in honoring history, I actually changed one of my words for 2017. My words for 2017? That may be what you are wondering. Let me explain. In 2013, Tom Hood introduced me to the concept of Three Words (and that concept came from Chris Brogan). I use these three words to give the year ahead a theme, almost like a rhythm that I can dance to as I go through the year; and isn’t everything better with dance? The process of thinking about my three words and then coming back to them throughout the year helps consolidate, direct and give confidence to what I do and how I do it. As I read over yesterday’s post, I saw my 2016 Three Words dancing over my year, in ways that I had not thought about as I was writing the post – Learn. Fear. Community.

For several days, I thought about what my words for 2017 would be – and how those words would serve to seal my intentions for the days ahead. I think I have it now.

Embrace: In previous years I have written about changing things in my life. Transform was one of my words in 2014. Then, in 2015, Receptive was a word of mine. Last year we moved to a new neighborhood. When I was a kid, due to politics and other adventures in their lives, we moved around a lot. Between first and third grade, I went to four different schools in three different countries, in four different cities. During my first two years in New York City, I lost count of how many places I lived in. I even spent a couple of months camping out on a (very amazing) friend’s couch on weekends, while I worked in Florida during the week. Last year, I talked transformation and I was receptive to talk of moving but, now that I am here, I realize that it is not going to work until I embrace it. This is where I am now with my move, with my work, with my life. I can talk about how great innovations in my line of work are; I can marvel at how awesome some of the tools that are available to us are; I can wax lyrical about the incredible people who cross my path and make me better at what I do, but all of that is not worth much unless I dive in there, snuggle in and just embrace it all.

Persevere: When I started training to run long distance, I learnt about the power of a mantra. The mantra was invaluable to me, when doing hill repeats. I would chug up a hill and repeat, over and over again, “I love hills.” I will say this, I reached the top of that hill and many others AND I hate hills less and appreciate their value. I actually surprised myself when I told a cousin that I wished there were a few more hills around my new home. In 2015, I embarked on a new journey of sorts. I started my own business and decided that I wanted to do work that made me look forward to getting out of bed every day. I loved that my husband’s work, as a photographer, was something he also did for fun. I admired how excited he got about his projects and I wanted some of that. At times I would talk to some people about what I wanted to do and how I wanted to do it and they would tell me, “that will never work.” Fortunately, my incredible community (2016 word, hello!) took over and repeated the mantra I had not yet learnt to say myself. However, as the year came to an end, I started to believe. So this year, I shall remember to say to myself, “You got this. You can do this,” not just when I am running, or doing pull-ups. I shall tell myself this as I am serving my clients, community and the public.

Monchu: My last word is a word that I have borrowed from Chris Brogan. Chris tells us Monchu is an Okinawan word that means “one family”. It essentially means that we treat people who are not our blood as though they are family. I have benefited from this concept forever. As someone who lives very far away from most of my blood, I just don’t know where I would be with my one family. For instance, I just wrote about how I was able to crash on a friend’s couch when I first moved to New York. I didn’t mention that I had only known her for months and she offered her home to me, and her husband and adorable daughter didn’t seem to mind either. That is just one of a million of my stories. I know that I could do a way better job of keeping in touch with people to let them know that they are part of my one family. I know that this philosophy will guide me to be better at what I do and how I do it. I hope to also inspire others around me to embrace this philosophy.

As I share my words for 2017, I want to acknowledge my words from previous years:

2013 – Change, Discover & Motivate
2014 – Transform, Pursue & Collaborate
2015 – Receptive, Synergy & Service
2016 – Learn, Fear & Community

And now for 2017 – Embrace, Persevere & Monchu. I am excited for the year ahead and I know that the view from my new home will help me do so. You see it up above, I can see forever now. I got this.

Tell me, what are your words?

I hope 2017 is your best year ever!
