Best Practices in Protecting your Information NorthSky Nonprofit Network Workshop Steve Peacock November 17, 2011

Page 1

Best Practices in Protecting your Information

NorthSky Nonprofit Network

Workshop

Steve Peacock November 17, 2011

Page 2

Presentation Overview

• Rehmann Overview

• Non Profit Industry Experience

• Fraud Risk Management

• Digital Risk Management

Page 3

Rehmann Overview

• A Michigan corporation founded in 1941.

• The 38th largest accounting and business consulting firm in the United States.

• Second largest Michigan-based public accounting firm.

• Eleven offices and more than 600 associates.

Page 4

One Rehmann…

Corporate Investigators – Offers a global approach to mitigate risk and ensure informed business decisions.

CPAs & Consultants – Provides clients with expertise in all areas of accounting, tax and assurance.

Wealth Advisors – Whether it's personal wealth management or the right retirement plan for your employees, we develop financial plans and strategies to meet long-term objectives.

…One Team, One Focus, Your Success

www.rehmann.com

Page 5

Non Profit Experience

• Currently serve over 650 non-profits and nearly 500 governmental units

• Our Nexia affiliates audit numerous non-profit organizations

• Executives average 15-20 years of experience

• Annual firm-wide training and planning session for non-profit engagement teams

• Dedicated staff focused on non-profit industry

Page 6

Non-Profit Experience

• Devoted 140,000 hours to over 650 non-profit and governmental audit clients last year.

• Industry association involvement

– MNA, MACPA, AICPA

• Keep current with industry issues and pronouncements

– FASB and GAGAS

– A-133

Page 7

Non-Profit Experience

• OMB Circular A-133 experience

– Perform 200+ A-133 audits annually for a total of over $400 million of federal awards expenditures tested

• Form 990 experience

• Indirect Cost Plans

• Risk Assessments

Page 8

Corporate Investigative Services (CIS) specializes in:

◘ Litigation support

◘ Threat Response & Asset Protection

◘ Insurance defense

◘ Investigative Services

◘ Background/Due Diligence

◘ Computer & Information Technology Security

◘ Fraud Risk Assessments

◘ Forensic accounting

Page 9

Managing Fraud Risks

Page 10

The “411” on Fraud

◘ The Perpetrators (The Threats?)

◘ How Fraud is Committed

◘ Detection and Prevention

◘ Questions to consider

◘ Fraud Risk Assessment

Page 11

Threats

◘ In 2/3 of schemes, the person acts alone.

◘ 50% are in accounting or upper management.

◘ More than ½ involve a fraudster over the age of 50.

◘ Conspiracies increase loss amount by over 25%.

◘ The majority of occupational frauds are committed by employees and managers as opposed to owners. While owners and executives are involved less often, the median loss in their frauds is much higher at approximately $800,000.

◘ There is no correlation between the length of service and the timing of initiation of the fraud. Generally speaking though, longer serving employees tend to commit larger frauds.

Page 12

How is Fraud Committed

Three categories of occupational fraud and abuse:

◘ Asset Misappropriation (80%)

– Cash: larceny; skimming; fraudulent disbursement

– Inventory and all other assets

◘ Fraudulent Statements (7%)

– Financial: asset/revenue overstatements or understatements

– Non-Financial: internal and external documents

◘ Bribery and Corruption (13%)

– Conflicts of interest; bribery; illegal gratuities; economic extortion

Page 13

How Fraud is Detected

◘ Tips – 39.6%

→ 60% from employees

→ 20% from customers

→ 16% from vendors

→ 4% other

◘ Internal audits – 23.8%

◘ By accident – 21.3%

◘ Internal controls – 18.4%

◘ External audit – 10.9%

◘ Other – 0.9%

Note: the percentages sum to more than 100% because respondents identified multiple detection methods.

Page 14

Causes of Fraud

◘ Resentment

◘ Opportunity

◘ Technology

◘ Justifications

◘ Misplaced trust

◘ Overbearing and ultra-thrifty management

Page 15

Warning Signs

Disorganized operations in bookkeeping

Unrecorded transactions

Missing records

Excessive voids or credits

Unreconciled bank accounts

Page 16

What to Look For

◘ Living beyond means

◘ Special circumstances that require money (divorce/death in family/medical care)

◘ Gambling, alcohol and drugs

◘ Out of balance situations

◘ Close relationship with suppliers

◘ Employees that become upset when questioned

Page 17

Fraud Prevention

◘ “Trust” is not an internal control; “Hope” is not a strategy

◘ Develop a fraud training program

◘ Implement an employee code of ethics

◘ Develop and follow internal controls

◘ Conduct periodic independent reviews of financial information

◘ Conduct employee background checks

◘ Conduct random investigations of suspected fraudulent comp claims

◘ Set up an employee issue hotline

Page 18

Fraud Prevention Continued…

◘ Expect fraud

◘ Assess your risk

◘ Segregate duties

◘ Make approvals meaningful

◘ Screen and monitor vendors

◘ Review canceled checks

◘ Monitor write-offs

◘ Zero Tolerance – Prosecute Offenders

Page 19

Questions to Consider

• If a fraud were alleged in your organization, would you be prepared to investigate and discover the truth?

• How has the current economic climate impacted your internal controls?

→ Re-evaluate as circumstances change?

→ Commitment to code of ethics?

Page 20

Be Proactive…

Create a culture of high ethical standards

Constantly evaluate anti-fraud processes and controls

Implement an oversight program

Page 21

Risk Assessments

◘ Despite the various requirements to do a fraud risk assessment, no single standard exists.

◘ Parts of the requirements show up in the accounting or audit standards and others in the updated federal sentencing guidelines.

◘ No single standard pointing the way.

◘ “There is no single way to do it right but lots of ways to do it wrong.”

Page 22

Common Qualities of Fair Assessments

◘ Include clear methods of identifying and measuring fraud vulnerabilities.

◘ Companies whose management is allowed to talk openly about the potential for fraud are more likely to have conducted proper assessments.

◘ Beneficial if the company has provided an open forum to discuss the possibilities and has heard from middle managers, employees, control owners and the board.

Page 23

Digital Risk Management

Page 24

Page 25

How your information is obtained…

◘ Business record theft

◘ Shoulder surfing

◘ Desk surfing

◘ Web surfing / Public records

◘ Dumpster diving

◘ Skimming

◘ Stolen wallet, mail, etc.

◘ Change of address form

◘ Spyware

◘ Keylogger

◘ Phishing / Pharming

◘ Under the color of authority (social engineering)

Page 26

Spyware - The Story!

Imagine if intruders entered your home without your knowledge or permission.

The interlopers looked at all your confidential papers - copying credit card, social security and bank account numbers before carefully replacing everything as if undisturbed.

The only change they made was a slight rearrangement of some of the items at the back of your closet.

That’s Spyware…

Page 27

Spyware Continued…

◘ Spyware applications are typically bundled as a hidden component of freeware or shareware programs or attached to malicious emails or websites.

◘ Once installed, spyware can monitor user activity, gather information about e-mail addresses, passwords, and credit card numbers in the background, then transmit this information to someone else.

◘ Many spyware removal tools have been released. Some are spyware!

Page 28

Phishing Definition

Phishing is the act of tricking someone into handing over confidential information, or into doing something that they normally wouldn’t do or shouldn’t do.

– Example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

Page 29

Phishing for the ‘Big One’

-----Original Message-----
From: System Administration [mailto:[email protected]]
Sent: Monday, January 26, 2009 8:35 PM
To: XXXXXXXXX
Subject: Attention - Read Carefully

FEDERAL RESERVE BANK

Important:

You're getting this letter in connection with new directions issued by U.S. Treasury Department. The directions concern U.S. Federal Wire online payments.

On January 21, 2009 a large-scaled phishing attack started and has been still lasting. A great number of banks and credit unions is affected by this attack and quantity of illegal wire transfers has reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC) in common worked out a complex of immediate actions for the highest possible reduction of fraudulent operations. We regret to inform you that definite restrictions will be applied to all Federal Wire transfers from January 26 till February 6.

Here you can get more detailed information regarding the affected banks and U.S. Treasury Department restrictions:

http://security.ebanks-connect.net/375891638/wire/

Federal Reserve Bank System Administration

Page 30

Pharming Definition

Pharming involves Trojan programs, worms, or other malware that attack the Internet browser’s address bar, and it is much more sophisticated than phishing.

When users type in a valid URL, they are redirected to the criminals’ website instead of the intended valid website.

Page 31

Would you respond?

From: PayPal Inc. <[email protected]>
To: [email protected]
Date: Tuesday, March 14, 2006 2:18:21 PM
Subject: Account Notice! Unauthorized access to your PayPal account!

We recently noticed more attempts to log in to your PayPal account from a foreign IP address.

If you accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you are the rightful holder of the account, please visit Paypal as soon as possible to verify your identity:

Click here to verify your account

You can also verify your account by logging into your PayPal account at http://paypal.com/us/. If you choose to ignore our request, you leave us no choice but to temporally suspend your account.

We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time. Thank you for using PayPal!

The PayPal Team

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, login to your PayPal account and choose the Help link located in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, update your preferences here.

PayPal Email ID PP468

Page 32

Is this legitimate?

Page 33

Social Engineering

◘ Bypasses the most sophisticated security measures.

◘ Targets weakest link…humans.

◘ Extremely successful.

◘ Attack scenarios are limitless.

Page 34

• Social Engineering

– “Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network, or data.” (Rogers & Berti, 2001)

– Basically, using deception or persuasion to “con” someone into providing information or access they would not usually have provided.

Page 35

The Equipment

Page 36

Don’t get hooked…

◘ Consult system support personnel if you work from home

◘ Keep anti-virus/spyware software updated

◘ Use a firewall

◘ Secure wireless connections

◘ Don’t open unknown email attachments

◘ Don’t run programs of unknown origin

◘ Keep applications/operating system patched

◘ Turn off your computer when not in use

◘ Select strong passwords

◘ Select strong and different online passwords

◘ Don’t email personal or financial information

◘ Review credit report and bank statements

Page 37

Protective Measures

• Use a dedicated computer for all online transactions and implement whitelisting methods to prevent the system from going to any site/address that does not have a documented business need.

• Educate users on good cybersecurity practices, including how to avoid having malware installed on a computer and new malware trends.

• Utilize a security expert to test your network, or run security software that will aid you in closing known vulnerabilities.

Page 38

Protective Measures

• Change the default login names and passwords on routers, firewalls, other network equipment and software.

• Make sure the banking site you are using starts with “https://” instead of “http://”. The “s” indicates that the connection is encrypted.

• Never use a link to reach your financial institution; emails and search engine links should not be trusted. Type the bank’s website address into the Internet browser’s address bar every time.
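
The rules on this slide, together with the whitelisting advice on the previous one, can be turned into an automatic check on incoming mail. The Python script below is an added example written for this page, not material from the workshop or from Rehmann. It pulls every link out of a message, requires https, requires the host to be on an allowlist of institutions with a documented business need, flags hosts that merely contain a brand name, and flags links whose visible text names a different address than the real target. The allowlist (`ALLOWED_HOSTS`), the brand-word list and both sample messages are constructed for illustration: the Federal Reserve lure reuses the address shown on the earlier slide, while the href behind the PayPal lure's “Click here” link is not on the slide and is represented by a placeholder lookalike domain.

```python
"""Screen the links in an e-mail against the rules on the 'Protective Measures'
slides: only HTTPS, only hosts with a documented business need (an allowlist),
and distrust links whose visible text hides where they really go.
Added example for this page; the allowlist and the sample messages below are
constructed for illustration and are not part of the workshop material."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organization has documented a business need to reach (assumption:
# a real deployment would load this from a maintained allowlist file).
ALLOWED_HOSTS = {"paypal.com", "www.paypal.com"}

# Brand words whose appearance in a host that is NOT allowlisted suggests a
# lookalike domain (constructed list).
BRAND_WORDS = ("paypal", "bank", "treasury")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def check_url(url, visible_text=""):
    """Return the list of rule violations for one link (empty = no concern)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("not https")
    if not host_allowed(host):
        findings.append(f"host {host!r} is not on the allowlist")
        if any(word in host for word in BRAND_WORDS):
            findings.append(f"host {host!r} imitates a known brand")
    # Link text that displays one address while the href points elsewhere.
    shown = URL_RE.search(visible_text)
    if shown and urlparse(shown.group()).hostname != host:
        findings.append("link text shows a different address than the target")
    return findings


def screen_message(body):
    """Screen an HTML or plain-text message; return {url: findings}."""
    parser = _LinkParser()
    parser.feed(body)
    results = {}
    for href, text in parser.links:          # anchors first, with their text
        results[href] = check_url(href, text)
    for url in URL_RE.findall(body):         # then bare URLs in the text
        url = url.rstrip(".,;:)")            # drop trailing sentence punctuation
        if url not in results:
            results[url] = check_url(url)
    return results


# Constructed samples based on the two lures shown on the slides.
FEDWIRE_LURE = (
    "Here you can get more detailed information regarding the affected banks:\n"
    "http://security.ebanks-connect.net/375891638/wire/"
)
# The href behind "Click here to verify your account" is not on the slide;
# the lookalike domain below is a placeholder.
PAYPAL_LURE = (
    '<p><a href="http://paypal.com.account-verify.example/login">'
    "Click here to verify your account</a></p>"
    "<p>You can also verify your account by logging into your PayPal account "
    "at http://paypal.com/us/.</p>"
)

if __name__ == "__main__":
    for name, msg in (("fedwire lure", FEDWIRE_LURE), ("paypal lure", PAYPAL_LURE)):
        for url, findings in screen_message(msg).items():
            print(f"{name}: {url} -> {findings or 'ok'}")
```

Run the file directly to see the findings for both samples. Every link in the two lures is reported, including the genuine http://paypal.com/us/ address, which fails only the https rule; that result is the point of the slide's third rule, since a lure can quote the real site to look legitimate, and typing the address yourself rather than clicking is what actually protects the user.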

Page 39

What to do…

Report the incident to the fraud department of the three major credit bureaus.

Contact the fraud department of each of your creditors.

Contact your financial institution.

Contact law enforcement.

Page 40

Emerging Targets in Financial Transactions

• Cyber criminals target small to medium-sized businesses because they lack the complex security of a large corporation but maintain a larger cash balance than most individuals.

• The majority of these attacks require the attacker to compromise the target computer, install a keylogger, retrieve the keylogger’s information, and force the target user to answer banking security questions.

Page 41

Average Loss

• Small and medium-sized commercial, educational, and state and local government organizations (“SMEs”) in the United States are losing on average $100,000-$200,000 per day to criminals who steal their money using various forms of Malware designed to leverage weaknesses in both the wire transfer and ACH process.

Page 42

Most Targeted Industries

Source: Anti-Phishing Working Group, 1st Quarter 2010 Report

Page 43

Handling of Customer Information

• Employees must use all reasonable care in protecting customer information.

• Any printed reports, receipts, etc. that contain customer information must be shredded when the information is no longer needed – place in shred bins for proper disposal.

• Any electronic media such as diskettes, hard drives, magnetic tapes, or CD-ROM disks that contain or previously contained customer information must be destroyed or securely wiped to prevent recovery of information.

• Employees should contact their supervisor and/or Network Administrator for the proper destruction procedure of electronic media.

Page 44

Public Conversations

• Do not discuss sensitive information in halls, elevators, lobbies, lunchrooms, restaurants, lavatories, parking lots, or other public areas.

• If you should overhear other employees discussing sensitive and confidential information, politely caution them that they may be overheard.

• Confidential or sensitive information must not be discussed with any employee that does not have a need to know the information.

Page 45

Social Networking Sites

• Reputational Risk

• Do NOT post any form of customer information or Bank information.

Page 46

Questions?