Tag Archives: hacking

Keep Rolling


When I first started running, I was out training, and my knee suddenly buckled in pain. I thought I had broken something, but it turned out that I had IT band syndrome. I tried several approaches to get better. Among these, I would change up my routes so that I was balancing out which leg was favored, I worked to improve my gait and I started foam rolling. No one warned me about that rolling. I think tears sprung to my eyes that first day I foam rolled. I know for sure that I yelped in pain, several times (thankfully I was alone). I couldn’t believe that I was supposed to do this every day, but I had to roll through the pain because I had a race on my schedule and I needed my knee to start working again.

After rolling consistently, I was amazed by how much better everything worked. I was also incredibly relieved that the rolling didn’t hurt so much anymore. I was a foam rolling disciple and whenever anyone told me they were contemplating taking up running, I urged them to also contemplate taking up foam rolling. At a point, I actually found joy in foam rolling. I could get through a rolling session with nary a yelp. It was glorious.

Recently, foam rolling slipped out of my life. After a fall apparently chipped a piece of my knee into non-existence, I could not run at all and I was, instead, focused on weight training to strengthen my knees. At the end of a week of working out, the trainer advised a foam rolling session. I didn’t even think twice; I hadn’t been running, how bad could things be? Painfully terrible, it turns out.

Managing controls in a business works in a similar manner. When a company is set up, or when an auditor highlights weaknesses in its control systems, the company will often write policies and procedures that address the identified risks and institute controls. New hires are then handed these manuals to read and, if they are lucky, receive training. That training teaches employees the culture of the company and how to follow its policies and procedures in order to minimize risk. However, how often does the company go back and review those policies and procedures to see whether they are still relevant, given technological advances and the new risks that have arisen since they were written?

  • How often will the company’s leadership review policies and procedures with existing staff, to ensure that people have not slacked off and are still, for instance, getting the approvals that they are supposed to obtain for transactions?
  • Is anyone checking that reconciliations are occurring monthly (or at whatever frequency has been established) and, once performed, that those reconciliations are being reviewed by the relevant staff?
  • If there is a policy for checks over a certain amount to be signed by two signatories, is anyone reviewing to make sure this is the case?
  • When employees have left the company, has their access to the company’s systems been suspended? Once suspended, have their accounts been deleted so that no one else in the company can use them? If they were signatories on bank accounts, has the bank been informed, and has it actually removed them from the signatory list?
  • Have the company’s staff received training in how to reduce the risk of phishing?
  • Has the company’s leadership received any training themselves to update them on current risks and to remind them what the policies and procedures of the company are?

These are just a few examples of the many ways in which a company should be regularly checking in and exercising its control muscles. If all you are doing is handing over a manual on day one and assuming that your staff know what they need to do and how to do it, you are only setting yourself up for possible pain in the future.

  • Can you be surprised if one of your staff members gets phished and hackers gain access to your company? Think about the pain of finding out that someone pretending to be the CEO emailed accounts payable with instructions to wire a sizeable sum to an offshore account, and that accounts payable complied. This is the scam usually called business email compromise, and it works precisely because nobody checked that the request was genuine.
  • If no one is regularly reconciling accounts, can you really be shocked when you discover that an employee has taken advantage of this lack of oversight and embezzled money?
  • If accounts of former employees are not properly suspended and deleted, how will you figure out who has been using them since the former employee left? How will you be able to trace unauthorized transactions?
  • If your company’s leadership is not up to date on policies and procedures, how can they enforce them? At that point, everyone will be just guessing and hoping for the best. Being unprepared and hoping for the best tends to only work out well in the movies.
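The offboarding questions above (are departed employees' accounts suspended, are they eventually deleted, and has anyone used them since) are the kind of control that can be checked mechanically rather than by hoping. The script below is an added example, not code from the original post: it cross-checks a constructed HR list of departures against a constructed directory snapshot and authentication log. The usernames, dates, log format and the 90-day retention window are all assumptions made for the example.

```python
"""Offboarding audit over constructed sample data.

Added example, not part of the original post. It cross-checks an HR list of
departures against the account directory and an authentication log, and
reports the failures the post asks about: a departed employee's account still
enabled, a disabled account kept past the retention window instead of being
deleted, and successful logins after the departure date. Names, dates and
log lines are constructed for the example.
"""
from datetime import date, datetime, timedelta

# Constructed HR feed: username -> last day of employment (hypothetical).
DEPARTURES = {
    "alice": date(2017, 10, 31),
    "bob": date(2017, 12, 1),
    "carol": date(2017, 8, 15),
}

# Constructed directory snapshot: username -> account state.
ACCOUNTS = {
    "alice": "deleted",   # offboarded correctly
    "bob": "enabled",     # never suspended
    "carol": "disabled",  # suspended but never deleted
    "dave": "enabled",    # current employee, not in DEPARTURES
}

# Constructed authentication log: "<ISO timestamp> <user> <result>".
AUTH_LOG = """\
2017-10-30T09:12:04 alice success
2017-11-02T22:41:10 alice success
2017-12-05T03:17:55 bob success
2017-12-05T03:18:01 bob success
2017-11-20T10:00:00 carol failure
2017-12-06T08:00:00 dave success
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def audit_offboarding(departures, accounts, events, as_of, retention_days=90):
    """Return (user, finding) pairs for every departed user whose offboarding is incomplete.

    retention_days is the window during which a disabled account is kept for
    investigations before it must be deleted; the 90-day value is an assumption.
    """
    findings = []
    for user, last_day in departures.items():
        state = accounts.get(user)
        if state == "enabled":
            findings.append((user, "account still enabled after departure"))
        elif state == "disabled" and as_of - last_day > timedelta(days=retention_days):
            findings.append((user, f"account disabled but not deleted {retention_days} days after departure"))
        # A successful login after the last day means the account was used by someone,
        # whether the former employee or a colleague who knew the password.
        for ts, who, result in events:
            if who == user and result == "success" and ts.date() > last_day:
                findings.append((user, f"successful login at {ts.isoformat()} after departure"))
    return findings


def run_audit():
    """Run the audit over the constructed data as of the end of 2017."""
    return audit_offboarding(DEPARTURES, ACCOUNTS, parse_auth_log(AUTH_LOG), as_of=date(2017, 12, 31))


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
```

Note that alice's account was deleted, yet the log still shows a successful login two days after she left; disabling the account promptly, not just deleting it eventually, is what would have prevented that, and keeping the log is what lets you find it afterwards. The retention window exists because deleting an account immediately also deletes the evidence you would need if one of these findings turned into an investigation.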

Maintaining and updating policies and procedures should be a proactive and continuous activity. Speak with a forensic CPA about how to create, institute and regularly review your control systems to reduce risk in your company. It may seem like a schlep in the beginning, but having the systems in place serves as a deterrent to those contemplating wrongdoing, and it keeps your staff better educated about, for instance, how to recognize errors or attempts to draw them into a scam. It also means that when something is going awry, it is spotted earlier, minimizing possible losses.

You should be doing this to avoid or, at the very least, minimize any future pain. You don’t want to be like me, where incredible pain leads you to even more pain on the eventual path to healing. Take it from my IT band: proactive is so much better than reactive.


Oh, Not So Much Fun…


On Christmas day, I was chatting with my niece, during family celebrations. My phone buzzed and I saw a notification that she had just sent me a message. That was truly odd, because, as I mentioned, we were chatting and, unless she was using her telepathic skills, she was not texting at the same time. Nevertheless, I asked her if she had sent me a message. She looked at me as though I had lost my mind, but double checked her phone and shrugged. It wasn’t me, she said and carried on with her day. Since she was engaging with people and not her phone, and because we were having a fun time with family, I decided that the likely bad news could wait.

I attended a talk earlier in the year where the speaker told us – There are two types of people: those who have been hacked, and those that don’t know it yet. By the time we got home, my niece had gone from being in the latter group to being a panicked person in the former. Often, a person finds out that they have been hacked when, as happened to my niece, their contacts complain about spam messages that they have received from that person. However, more and more often, people don’t know that they have effectively been hacked, because the party that was actually hacked is a company holding their information.

In 2017, the most notorious example was the credit reporting agency Equifax, which announced on 7 September that it had been hacked. Initially, the information was that about 143 million people might have been impacted, and what kind of information was accessed was vague. When people tried to check with Equifax, they often got different responses each time they tried, and as the months have gone by, the number of people impacted has climbed. If Yahoo! is anything to go by, who knows what the final count will be. The best advice to take right now is to assume you have been impacted and to take preventative steps and, if you have not already done so, freeze your credit with all four of the major credit reporting agencies (Equifax, Experian, TransUnion and Innovis).

What is unsettling about how companies announce that they have been hacked is how long it takes for the news to come out. Equifax said that it discovered its breach at the end of July, but it only made a public announcement on 7 September. It was only in October 2017 that Yahoo announced that all of its accounts had been hacked in 2013. That’s not a typo; they are telling us that if you had a Yahoo, Flickr, Tumblr, or any other account owned by Yahoo, you were hacked in 2013. What is anyone supposed to do with that information, four years later? This is worse than a “Look out for falling ice” sign. In November, we found out that Uber had been hacked in 2016 and that the company had opted to pay off the hackers to destroy the information and keep the hack quiet.

The big takeaway is that it may be a while before anyone lets you know that you have been hacked and, unless you live completely off the grid, it is smart, and safe, to assume that you have been hacked. That said, there are steps that you can take to try to minimize the damage that can be caused by hacking:

  • Freeze your credit with the major credit bureaus. Learning about the Equifax breach was especially frustrating because people do not choose to share their information with the credit bureaus. I rolled my eyes at a headline that referred to “customers” being compromised. A freeze does not get your data back, but it stops new credit from being opened in your name without you first lifting the freeze, which is the main thing a thief wants to do with stolen details. Beyond not having a credit history of any kind, that is the best one can do right now.
  • Check your credit regularly. Do this at least quarterly, to make sure that cards have not been opened in your name and without your permission. AnnualCreditReport.com is the only website authorized by federal law to provide you with a free credit report from each of the three nationwide credit reporting agencies every twelve months. A great way to spread out the checking over the year is to get a report from one of the agencies every 4 months (instead of getting all three in one fell swoop).
  • Use two factor authentication. This gives extra security over only using a password, because a stolen or reused password is no longer enough on its own. The most common method of two factor authentication is having a company send you a text with a unique code before you can complete logging into an account. Text-message codes are the weakest form, since they can be captured by someone who convinces your carrier to move your number to their phone, so where a site offers an authenticator app or a hardware security key, choose that instead. Even the text-message version is far better than a password alone.
  • Don’t click on every link you come across. If you receive an email with a link and it is not something you have been expecting (and sometimes even if it is something you have been expecting) don’t click on a link just because it is there. Check the email to make sure you recognize where the message is coming from: the name shown as the sender is easy to fake, so look at the actual address behind it, and hover over a link to see where it really leads before clicking. If the message claims to be from your bank or a service you use, type the site’s address yourself rather than following the link.
  • If you trust the link and have clicked on it, still be careful about what information you share. If you start to feel as though a company is asking for too much – either over the phone or through a website – stop sharing information. Find out, independently, whether you really need to share that information and, again, make sure you know who you are sharing your information with and why.

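The “check where the message is coming from” advice above, and the fake-CEO wire request described in the previous post, come down to a handful of checks that can be applied to an email before anyone clicks. The script below is an added example, not code from the original post: it reads one constructed message and reports a sender whose display name borrows the company’s name but whose address does not belong to it, a Reply-To that quietly redirects answers elsewhere, and a link whose visible text names one site while the href goes to another. The message, the domains and the trusted-domain list are all constructed for the example.

```python
"""Phishing triage over a constructed sample message.

Added example, not part of the original post. It applies three of the checks
the post recommends to the headers and HTML body of one e-mail: does the
sender's real domain match the name it displays, does Reply-To send answers
somewhere else, and does each link go where its visible text says it goes.
The message, domains and names are all constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient's organisation actually uses (hypothetical).
TRUSTED_DOMAINS = {"example.com"}

# Constructed message imitating a credential-phishing / CEO-fraud e-mail.
SAMPLE_EMAIL = """\
From: "Example Corp IT Support" <support@example-corp-login.net>
Reply-To: payments@mail-example.biz
To: ap@example.com
Subject: Urgent: wire approval needed before noon
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please approve the pending transfer at
<a href="http://198.51.100.23/login">https://portal.example.com/approve</a>
before noon today.</p>
<p>Our policy is at <a href="https://www.example.com/policy">www.example.com/policy</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    """True if domain is one of the trusted domains or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in trusted)


def visible_host(text):
    """Host named by link text, if the text looks like a URL or a bare domain; else None."""
    t = text.strip()
    if "://" not in t:
        if not re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", t, re.I):
            return None
        t = "http://" + t
    return (urlparse(t).hostname or "").lower() or None


def analyze_email(raw, trusted=TRUSTED_DOMAINS):
    """Return (category, detail) findings for the three checks."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # 1. Display name borrows the organisation's name, but the address is not ours.
    labels = {d.split(".")[0] for d in trusted}
    if any(label in from_name.lower() for label in labels) and not is_trusted(from_domain, trusted):
        findings.append(("sender-domain", f"'{from_name}' sent from untrusted domain {from_domain}"))
    # 2. Replies would go to a different domain than the one the message claims to be from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(("reply-to", f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))
    # 3. Link text names one host while the href actually points at another.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = visible_host(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown != actual:
            findings.append(("link-mismatch", f"text shows {shown} but href goes to {actual}"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze_email(SAMPLE_EMAIL):
        print(f"[{category}] {detail}")
```

The second link in the sample passes because its text and destination agree; the first is exactly the case the post warns about, a familiar-looking address drawn over a link to somewhere else. None of these checks proves a message is safe, but any one of them firing is a reason to pick up the phone and confirm the request through a channel the email did not provide.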
Try to include these in your list of New Year’s resolutions. It won’t stop you from being hacked but at least, it may improve your chances of finding out about it early and taking appropriate steps.
