Security and Fraud: Preparing For What’s Next
Many businesses and individuals hope they are prepared for the next security or fraud event, but do little to prepare for that event. There are thousands of vulnerabilities in today's applications and organizations. Oftentimes the sheer quantity of these vulnerabilities leaves employees stunned, and they do nothing. As we saw on May 12, 2017 with the new ransomware strain called WannaCry, doing nothing sometimes causes a bad situation. In response to this, Microsoft released a patch to fix the vulnerability two days later. Organizations and individuals had nearly two months to apply the fix, which could easily have been obtained through Windows Update and would have turned an extraordinarily bad day into a normal day.
Mitigating High Risk Vulnerabilities
We need to stop hoping nothing bad happens to our organizations and make an effort to mitigate the high-risk vulnerabilities. The example above would be considered a high-risk area with an easy, low-resource fix. The fix for the WannaCry vulnerability was easy to accomplish because everyone has access to the free updates from Microsoft. As cost, employee time, and resources go up, the struggle increases. Is your organization capitalizing on easy fixes that address costly vulnerabilities? Below are some examples of areas in which you probably already have made an investment, but may not be fully utilizing that investment.
- Application security – Are users limited to what they need to do their jobs? Is an application security audit done annually to make sure users retain only what they need? Are there procedures in place to make sure that when an employee switches positions, their application rights also change? Most of today's applications have user access controls built in. Are you taking advantage of this?
- Banking – Is your organization using Positive Pay, which allows the bank to pay out only on checks that you have submitted to the bank for payment? Positive Pay often matches the checks on date, check number, and amount. Do you have ACH blocks and filters in place to prevent unauthorized ACH transfers?
- Segregation of Duties – Is more than one person required to do a task?
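The Positive Pay and ACH-filter controls in the Banking item above are, at bottom, matching rules: pay a presented check only if its number, amount, and date agree with the issue file you sent the bank, and honor an ACH debit only if its originator is one you have authorized. The following is an added example written for this post, not code from the author or from any bank; the data classes, the per-originator amount cap on the ACH allow list, and all of the sample records are constructed assumptions. It shows how each presented item is either paid or turned into an exception for someone to review, including the duplicate-presentment case that a plain number lookup would miss.

```python
"""Positive Pay and ACH-filter exception detection (illustrative logic only)."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int          # check serial number
    amount: Decimal      # face amount
    issued: date         # issue date printed on the check


@dataclass(frozen=True)
class AchDebit:
    originator_id: str   # company ID of the party pulling funds (assumed field)
    amount: Decimal
    description: str


def positive_pay_exceptions(issue_file, presented):
    """Compare checks presented for payment against the issue file.

    Returns a list of (check_number, reason) for each presented item that does
    not match an issued check on number, amount, and date, or that was already
    paid once (duplicate presentment). Items that match are treated as paid.
    """
    issued_by_number = {c.number: c for c in issue_file}
    paid = set()
    exceptions = []
    for item in presented:
        original = issued_by_number.get(item.number)
        if original is None:
            exceptions.append((item.number, "not on issue file"))
        elif item.number in paid:
            exceptions.append((item.number, "duplicate presentment"))
        elif item.amount != original.amount:
            exceptions.append((item.number, "amount mismatch"))
        elif item.issued != original.issued:
            exceptions.append((item.number, "date mismatch"))
        else:
            paid.add(item.number)
    return exceptions


def ach_filter_exceptions(debits, allowed_originators):
    """ACH debit filter: flag any debit whose originator is not on the allow
    list, or whose amount exceeds that originator's per-debit cap.
    allowed_originators maps originator_id -> maximum amount per debit
    (the cap is an assumed refinement; a plain block would allow no debits)."""
    exceptions = []
    for d in debits:
        cap = allowed_originators.get(d.originator_id)
        if cap is None:
            exceptions.append((d.originator_id, "originator not authorized"))
        elif d.amount > cap:
            exceptions.append((d.originator_id, "amount exceeds cap"))
    return exceptions


# Constructed sample records (not real bank data).
ISSUE_FILE = [
    Check(1001, Decimal("250.00"), date(2017, 5, 1)),
    Check(1002, Decimal("1200.00"), date(2017, 5, 2)),
    Check(1003, Decimal("930.00"), date(2017, 5, 3)),
]

PRESENTED = [
    Check(1001, Decimal("250.00"), date(2017, 5, 1)),    # clean match
    Check(1002, Decimal("1200.00"), date(2017, 5, 2)),   # clean match
    Check(1002, Decimal("1200.00"), date(2017, 5, 2)),   # same check presented again
    Check(1003, Decimal("9300.00"), date(2017, 5, 3)),   # amount does not agree with issue file
    Check(1004, Decimal("500.00"), date(2017, 5, 4)),    # never issued
]

ALLOWED_ACH = {"PAYROLLCO01": Decimal("50000.00"), "UTILITY0042": Decimal("2500.00")}

ACH_DEBITS = [
    AchDebit("PAYROLLCO01", Decimal("41250.00"), "biweekly payroll"),
    AchDebit("UTILITY0042", Decimal("3100.00"), "electric service"),
    AchDebit("UNKNOWNVND9", Decimal("780.00"), "invoice 4471"),
]


def run_sample():
    """Run both controls over the constructed records and return the exceptions."""
    return (positive_pay_exceptions(ISSUE_FILE, PRESENTED),
            ach_filter_exceptions(ACH_DEBITS, ALLOWED_ACH))


if __name__ == "__main__":
    check_exceptions, ach_exceptions = run_sample()
    for number, reason in check_exceptions:
        print(f"check {number}: {reason}")
    for originator, reason in ach_exceptions:
        print(f"ACH debit from {originator}: {reason}")
```

The point of returning exceptions rather than silently rejecting is that these are the items a person must decide on before the bank's return deadline; the output is a review queue, and the segregation-of-duties item below applies to it as well, since the person who issued the checks should not be the one approving the exceptions.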
It would be very rare for the above areas not to be high risk to your organization. However, to properly understand what an organization's risks are, an internal or external risk assessment would need to be completed.
Let's not fall short because we are overwhelmed by the task at hand. Every organization can improve, and no system or procedure is perfect. The goal is to be more secure or more fraud resistant than yesterday. Each organization needs to answer this question for itself: what are the organization's risks, and how can it best mitigate those risks with its available resources?
If your organization would like to continue a discussion on this topic, or other fraud related topics, please email me at dhammarberg@macpas.com.