November 17 presentation

Best Practices in Protecting your Information
Steve Peacock
November 17, 2011
NorthSky Nonprofit Network Workshop
Presentation Overview
• Rehmann Overview
• Non Profit Industry Experience
• Fraud Risk Management
• Digital Risk Management
Rehmann Overview
• A Michigan corporation founded in 1941.
• The 38th largest accounting and business consulting
firm in the United States.
• Second largest Michigan-based public accounting
firm. Eleven offices and more than 600 associates.
www.rehmann.com
One Rehmann…
• Corporate Investigators – Offers a global approach to mitigate risk and ensure informed business decisions.
• CPAs & Consultants – Provides clients with expertise in all areas of accounting, tax and assurance.
• Wealth Advisors – Whether it's personal wealth management or the right retirement plan for your employees, we develop financial plans and strategies to meet long-term objectives.
…One Team, One Focus, Your Success
Non Profit Experience
• Currently serve over 650 non-profits and nearly 500
governmental units
• Our Nexia affiliates audit numerous non-profit
organizations
• Executives average 15-20 years of experience
• Annual firm-wide training and planning session for
non-profit engagement teams
• Dedicated staff focused on non-profit industry
Non-Profit Experience
• Devoted 140,000 hours to over 650 non-profit and
governmental audit clients last year.
• Industry association involvement
– MNA, MACPA, AICPA
• Keep current with industry issues and
pronouncements
– FASB and GAGAS
– A-133
Non-Profit Experience
• OMB Circular A-133 experience
– Perform 200+ A-133 audits annually for a total of
over $400 million of federal awards expenditures
tested
• Form 990 experience
• Indirect Cost Plans
• Risk Assessments
Corporate Investigative Services (CIS) specializes in:
◘ Litigation support
◘ Threat Response & Asset Protection
◘ Insurance defense
◘ Investigative Services
◘ Background/Due Diligence
◘ Computer & Information Technology Security
◘ Fraud Risk Assessments
◘ Forensic accounting
Managing Fraud Risks
The “411” on Fraud
◘ The Perpetrators (The Threats?)
◘ How Fraud is Committed
◘ Detection and Prevention
◘ Questions to consider
◘ Fraud Risk Assessment
Threats
◘ In 2/3 of schemes, person acts alone.
◘ 50% are in accounting or upper management.
◘ More than ½ involve a fraudster over age of 50.
◘ Conspiracies increase loss amount by over 25%.
◘ The majority of occupational frauds are committed by employees and
managers as opposed to owners. While owners and executives are involved
less often, the median loss in their frauds is much higher at approximately
$800,000.
◘ There is no correlation between the length of service and the timing of
initiation of the fraud. Generally speaking though, longer serving employees
tend to commit larger frauds.
How is Fraud Committed
Three categories of occupational fraud and abuse:
◘ Asset Misappropriation (80%)
– Cash: larceny; skimming; fraudulent disbursement
– Inventory and all other assets
◘ Fraudulent Statements (7%)
– Financial: asset/revenue over or under misstatements
– Non-Financial: internal and external documents
◘ Bribery and Corruption (13%)
– Conflicts of interest; bribery; illegal gratuities; economic extortion
How Fraud is Detected
◘ Tips – 39.6%
→ Source of tips: 60% from employees, 20% from customers, 16% from vendors, 4% other
◘ Internal audits – 23.8%
◘ By accident – 21.3%
◘ Internal controls – 18.4%
◘ External audit – 10.9%
◘ Other – 0.9%
Note: percentages sum to more than 100% because respondents identified multiple detection methods
Causes of Fraud
◘ Resentment
◘ Opportunity
◘ Technology
◘ Justifications
◘ Misplaced trust
◘ Overbearing and ultra-thrifty management
Warning Signs
Disorganized operations in bookkeeping
Unrecorded transactions
Missing records
Excessive voids or credits
Unreconciled bank accounts
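Three of the warning signs above (excessive voids or credits, unrecorded transactions, unreconciled bank accounts) can be checked mechanically against the books. The following is an added example, not code from the presentation or from Rehmann: it runs those checks over a small constructed ledger. The employee names, account numbers, entries, the bank balance and the 10% void/credit threshold are all constructed assumptions chosen so that one employee and one account trip the checks.

```python
"""Run three bookkeeping warning signs over a constructed ledger.

Added example, not part of the presentation. Every name, account, entry,
balance and the 10% threshold below is a constructed assumption.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    entry_id: str
    employee: str
    account: str
    kind: str       # "sale", "void" or "credit"
    amount: float
    recorded: bool  # False: seen in the bank/POS feed but never booked


# Constructed ledger: alice has one void in twenty entries, bob has three voids
# and a credit in ten, plus a $400 sale that never made it into the books.
LEDGER = (
    [Entry(f"A{i:02d}", "alice", "1010-cash", "sale", 100.0, True) for i in range(19)]
    + [Entry("A19", "alice", "1010-cash", "void", -100.0, True)]
    + [Entry(f"B{i:02d}", "bob", "1010-cash", "sale", 250.0, True) for i in range(6)]
    + [Entry(f"B{i:02d}", "bob", "1010-cash", "void", -250.0, True) for i in range(6, 9)]
    + [Entry("B09", "bob", "1010-cash", "credit", -75.0, True)]
    + [Entry("X00", "bob", "1010-cash", "sale", 400.0, False)]
)

# Period-end balance reported by the bank (constructed). It includes the
# unbooked $400 deposit, so the cash account will not reconcile.
BANK_BALANCES = {"1010-cash": 2875.00}


def void_credit_rates(entries):
    """Share of each employee's entries that are voids or credits."""
    total, reversals = Counter(), Counter()
    for e in entries:
        total[e.employee] += 1
        if e.kind in ("void", "credit"):
            reversals[e.employee] += 1
    return {emp: reversals[emp] / total[emp] for emp in total}


def excessive_void_or_credit(entries, threshold=0.10):
    """Employees whose void/credit rate exceeds the threshold (sorted by name)."""
    return sorted(emp for emp, rate in void_credit_rates(entries).items() if rate > threshold)


def unrecorded_transactions(entries):
    """Entry ids present in the bank/POS feed but missing from the books."""
    return sorted(e.entry_id for e in entries if not e.recorded)


def book_balances(entries):
    """Balance per account from recorded entries only."""
    balances = defaultdict(float)
    for e in entries:
        if e.recorded:
            balances[e.account] += e.amount
    return dict(balances)


def unreconciled_accounts(entries, bank_balances, tolerance=0.01):
    """Accounts whose book balance differs from the bank's by more than the tolerance."""
    books = book_balances(entries)
    out = {}
    for account, bank in bank_balances.items():
        diff = round(bank - books.get(account, 0.0), 2)
        if abs(diff) > tolerance:
            out[account] = diff
    return out


def warning_signs(entries=LEDGER, bank_balances=BANK_BALANCES):
    """All three checks in one report; empty lists/dicts mean the sign is absent."""
    return {
        "excessive_void_or_credit": excessive_void_or_credit(entries),
        "unrecorded_transactions": unrecorded_transactions(entries),
        "unreconciled_accounts": unreconciled_accounts(entries, bank_balances),
    }


if __name__ == "__main__":
    for sign, hits in warning_signs().items():
        print(f"{sign}: {hits or 'none'}")
```

The reconciliation check is the one that catches the unbooked sale even if nobody had flagged the entry itself: the bank shows $400 more than the books, which is exactly the kind of out-of-balance situation the later "What to Look For" slide describes.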
What to Look For
◘ Living beyond means
◘ Special circumstances that require money
(divorce/death in family/medical care)
◘ Gambling, alcohol and drugs
◘ Out of balance situations
◘ Close relationship with suppliers
◘ Employees that become upset when questioned
Fraud Prevention
◘ “Trust” is not an internal control, “Hope” is not a strategy
◘ Develop a fraud training program
◘ Implement an employee code of ethics
◘ Develop and follow internal controls
◘ Conduct periodic independent reviews of financial information
◘ Conduct employee backgrounds
◘ Conduct random investigations of suspected fraudulent comp
claims
◘ Set up an employee issue hot line
Fraud Prevention Continued…
◘ Expect fraud
◘ Assess your risk
◘ Segregate duties
◘ Make approvals meaningful
◘ Screen and monitor vendors
◘ Review canceled checks
◘ Monitor write-offs
◘ Zero Tolerance – Prosecute Offenders
Questions to Consider
• If a fraud were alleged in your organization, would you be
prepared to investigate and discover the truth?
• How has the current economic climate impacted your
internal controls?
→ Re-evaluate as circumstances change?
→ Commitment to code of ethics?
Be Proactive…
◘ Create a culture of high ethical standards
◘ Constantly evaluate antifraud processes and controls
◘ Implement an oversight program
Risk Assessments
◘ Despite the various requirements to do a fraud risk assessment, no single standard exists.
◘ Parts of the requirements show up in the accounting or audit standards and others in the updated federal sentencing guidelines.
◘ No single standard pointing the way.
◘ "There is no single way to do it right but lots of ways to do it wrong."
Common Qualities of Fair Assessments
◘ Include clear methods of identifying and
measuring fraud vulnerabilities.
◘ Companies whose management is allowed
to talk openly about the potential for fraud
are more likely to have conducted proper
assessments.
◘ Beneficial if the company has provided an
open forum to discuss the possibilities and
has heard from middle managers,
employees, control owners and the board.
Digital Risk Management
How your information is obtained…
◘ Business record theft
◘ Stolen wallet, mail, etc.
◘ Shoulder surfing
◘ Change of address form
◘ Desk surfing
◘ Spyware
◘ Web surfing / Public records
◘ Keylogger
◘ Dumpster diving
◘ Phishing / Pharming
◘ Skimming
◘ Under the color of authority
(social engineering)
Spyware - The Story!
Imagine if intruders entered your home without your
knowledge or permission.
The interlopers looked at all your confidential papers copying credit card, social security and bank account
numbers before carefully replacing everything as if
undisturbed.
The only change they made was a slight rearrangement of
some of the items at the back of your closet.
That’s Spyware…
Spyware Continued…
◘ Spyware applications are typically bundled as a hidden
component of freeware or shareware programs or
attached to malicious emails or websites.
◘ Once installed, spyware can monitor user activity,
gather information about e-mail addresses, passwords,
and credit card numbers in the background, then
transmit this information to someone else.
◘ Many spyware removal tools have been released.
Some are spyware!
Phishing Definition
Phishing is the act of tricking someone into giving up
confidential information, or into doing something that they
normally wouldn’t or shouldn’t do.
– Example: sending an e-mail to a user falsely claiming
to be an established legitimate enterprise in an
attempt to scam the user into surrendering private
information that will be used for identity theft.
Phishing for the ‘Big One’

-----Original Message-----
From: System Administration [mailto:administration@fedreservebank.us]
Sent: Monday, January 26, 2009 8:35 PM
To: XXXXXXXXX
Subject: Attention - Read Carefully

Important:
You're getting this letter in connection with new directions issued by U.S. Treasury Department. The directions concern U.S. Federal Wire online payments.

On January 21, 2009 a large-scaled phishing attack started and has been still lasting. A great number of banks and credit unions is affected by this attack and quantity of illegal wire transfers has reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC) in common worked out a complex of immediate actions for the highest possible reduction of fraudulent operations. We regret to inform you that definite restrictions will be applied to all Federal Wire transfers from January 26 till February 6.

Here you can get more detailed information regarding the affected banks and U.S. Treasury Department restrictions:
http://security.ebanks-connect.net/375891638/wire/

Federal Reserve Bank System Administration
FEDERAL RESERVE BANK
Pharming Definition
Pharming involves Trojan programs, worms, or
other virus technologies that attack the Internet
browser address bar and is much more
sophisticated than phishing.
When users type in a valid URL they are
redirected to the criminals' websites instead of the
intended valid website.
Would you respond?

From: PayPal Inc. <service@paypal.com>
To: xxxxxxx@sbcglobal.net
Sent: Tuesday, March 14, 2006 2:18:21 PM
Subject: Account Notice!
Unauthorized access to your PayPal account!
We recently noticed more attempts to log in to your PayPal account from a foreign IP address.
If you accessed your account while traveling, the unusual log in attempts may have been initiated by you.
However, if you are the rightful holder of the account, please visit Paypal as soon as possible to verify your
identity:
Click here to verify your account
You can also verify your account by logging into your PayPal account at http://paypal.com/us/. If you choose
to ignore our request, you leave us no choice but to temporally suspend your account.
We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify
your account in that time.
Thank you for using PayPal!
The PayPal Team
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For
assistance, login to your PayPal account and choose the Help link located in the top right corner of any
PayPal page.
To receive email notifications in plain text instead of HTML, update your preferences here.
PayPal Email ID PP468
Is this legitimate?
Social Engineering
◘ Bypasses the most sophisticated
security measures.
◘ Targets weakest link…humans.
◘ Extremely successful.
◘ Attack scenarios are limitless.
• Social Engineering
– “Successful or unsuccessful attempts to
influence a person(s) into either revealing
information or acting in a manner that
would result in unauthorized access,
unauthorized use, or unauthorized
disclosure, to an information system,
network, or data.”
(Rogers & Berti, 2001)
– Basically, using deception or persuasion
to “con” someone into providing
information or access they would not
usually have provided.
The Equipment
Don’t get hooked…
◘ Consult system support personnel if you work from home
◘ Keep anti-virus/spyware software updated
◘ Use a firewall
◘ Secure wireless connections
◘ Don’t open unknown email attachments
◘ Don’t run programs of unknown origin
◘ Keep applications/operating system patched
◘ Turn off your computer when not in use
◘ Select strong passwords
◘ Select strong and different online passwords
◘ Don’t email personal or financial information
◘ Review credit report and bank statements
Protective Measures
• Use a dedicated computer for all online transactions
and implement white listing methods to prevent the
system from going to any site/address that does not
have a documented business need.
• Educate users on good cyber security practices to
include how to avoid having malware installed on a
computer and new malware trends.
• Utilize a security expert to test your network or run
security software that will aid you in closing known
vulnerabilities.
Protective Measures Continued…
• Change the default login names and passwords on
routers, firewalls, other network equipment and
software.
• Make sure the banking site you are using starts with
“https://” instead of “http://”. The “s” indicates a secure
transaction.
• Never use a link to reach your financial institution;
emails and search engine links should not be trusted.
Type the bank’s website address into the Internet
browser’s address bar every time.
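The PayPal notice shown earlier and the protective measures above (allow only sites with a documented business need, insist on https, and never trust a link in an e-mail) can be turned into a mechanical check. The following is an added example, not code from the presentation or from Rehmann: it pulls every link out of a constructed HTML e-mail modelled on that notice and grades each one against an allowlist. ALLOWED_DOMAINS, the sample e-mail, the documentation address 203.0.113.5 and the .example host are constructed assumptions; http://paypal.com/us/ and the ebanks-connect.net link are the addresses that appear on the slides.

```python
"""Grade the links in an e-mail against an allowlist of documented business sites.

Added example, not part of the presentation. ALLOWED_DOMAINS, SAMPLE_EMAIL,
the 203.0.113.5 address and the .example host are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sites with a documented business need (constructed allowlist).
ALLOWED_DOMAINS = {"paypal.com", "rehmann.com"}

# Constructed HTML e-mail modelled on the PayPal notice shown on the slides.
SAMPLE_EMAIL = """
<p>Unauthorized access to your PayPal account!</p>
<p><a href="http://paypal.com.account-verify.example/login">Click here to verify your account</a></p>
<p>You can also verify by logging in at <a href="http://paypal.com/us/">http://paypal.com/us/</a>.</p>
<p>Affected banks: <a href="http://security.ebanks-connect.net/375891638/wire/">more detailed information</a></p>
<p>Secure login: <a href="https://www.paypal.com@203.0.113.5/">www.paypal.com</a></p>
<p>Help: <a href="https://www.paypal.com/help">PayPal Help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (display text, href) pairs for every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True only for an allowlisted domain or one of its subdomains (whole-label match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def assess_link(text, href, allowed=ALLOWED_DOMAINS):
    """Return the list of findings for one link; an empty list means it passed."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        findings.append("not https")
    if parts.username is not None:
        # 'https://www.paypal.com@203.0.113.5/' puts a trusted name before '@';
        # the browser connects to whatever follows it.
        findings.append("userinfo in url")
    if not host_allowed(host, allowed):
        findings.append("host not on allowlist")
        if any(d in text.lower() for d in allowed):
            findings.append("link text names an allowed domain but points elsewhere")
    return findings


def analyze_email(html, allowed=ALLOWED_DOMAINS):
    """One record per link: display text, href and its findings."""
    return [
        {"text": text, "href": href, "findings": assess_link(text, href, allowed)}
        for text, href in extract_links(html)
    ]


def suspicious_links(html, allowed=ALLOWED_DOMAINS):
    """The hrefs a user should not follow; typing the bank's address by hand is the alternative."""
    return [r["href"] for r in analyze_email(html, allowed) if r["findings"]]


if __name__ == "__main__":
    for r in analyze_email(SAMPLE_EMAIL):
        print(f"{r['href']}\n    {', '.join(r['findings']) or 'ok'}")
```

The scheme check and the allowlist are deliberately separate: https is necessary but not sufficient, so http://paypal.com/us/ fails only the scheme check while a look-alike host with a valid certificate would still fail the allowlist. The whole-label match in host_allowed is what keeps paypal.com.account-verify.example out even though the string starts with an allowed name.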
What to do…
◘ Report the incident to the fraud department of the three major credit bureaus.
◘ Contact the fraud department of each of your creditors.
◘ Contact your financial institution.
◘ Contact law enforcement.
Emerging Targets in Financial Transactions
• Cyber criminals target small to medium-sized
businesses due to the fact that they lack the complex
security of a large corporation, but maintain a larger
cash balance than most individuals.
• The majority of these attacks require the attacker to
compromise the target computer, install a keylogger,
retrieve the keylogger’s information, and force the
target user to answer banking security questions.
Average Loss
• Small and medium-sized commercial, educational,
and state and local government organizations
(“SMEs”) in the United States are losing on average
$100,000-$200,000 per day to criminals who steal
their money using various forms of Malware designed
to leverage weaknesses in both the wire transfer and
ACH process.
Most Targeted Industries
(chart; source: Anti-Phishing Working Group 1st Quarter 2010 Report)
Handling of Customer Information
• Employees must use all reasonable care in protecting
customer information.
• Any printed reports, receipts, etc. that contain customer
information must be shredded when the information is
no longer needed – place in shred bins for proper
disposal.
• Any electronic media such as diskettes, hard drives,
magnetic tapes, or CD-ROM disks that contain or
previously contained customer information must be
destroyed or securely wiped to prevent recovery of
information.
• Employees should contact their supervisor and/or
Network Administrator for the proper destruction
procedure of electronic media.
Public Conversations
• Do not discuss sensitive information in halls,
elevators, lobbies, lunchrooms, restaurants,
lavatories, parking lots, or other public areas.
• If you should overhear other employees discussing
sensitive and confidential information, politely caution
them that they may be overheard.
• Confidential or sensitive information must not be
discussed with any employee that does not have a
need to know the information.
Social Networking Sites
• Reputational Risk
• Do NOT post any form of customer
information or Bank information.
Questions?