Improve Processes and Profit More

Reducing paper, streamlining the work and producing better financial results

Article 2 in 4-part series

When it comes to providing solutions that help small businesses manage their finances and other information, Intuit QuickBooks is typically the first choice. This decision usually occurs just after the business determines what sort of productivity and messaging (email/voice) solutions will be used, and more often right after the first revenues are earned which need to be accounted for.

For most small businesses, having a copy of QuickBooks is how the company tracks the money.

What’s interesting is that most of these small businesses really operate outside of the financial application, doing the actual deliverable work using some other type of solution. Finding a way to support the work performed in the business and then having all that information flow through to the accounting system isn’t always easy.

On the one hand there are the people, resources and activities which make up the work, but there are payroll, billing, expenses and cash management activities that result from all that work. Tracking it all in a meaningful and affordable way was exactly the challenge that Jeff and Donovan Sachs faced with their business, Alembic Computer Services, Inc.

Alembic Computer Services is among those small businesses that use QuickBooks for financial management but not to actually support the wide variety of processes that make up the business.

ACSI, also known as the QB Resource Center, sells QuickBooks software and provides custom development and implementation services to customers throughout the US. The team at ACSI recognizes the benefits of applying the right technology and applications to any particular task, and embraces the same philosophy and working models internally that they recommend to their forward thinking clients.

The business of software development and implementation isn’t simple, and it is founded in the delivery of professional consulting and development services. Where some professional service offerings may be standardized to the point of enabling “templated” production and performance, custom software configuration and development requires that each project be viewed individually in order to fully understand the requirements and deliverables.

Where the actual production requirements of the project may be unique, the processes for guiding the flow of work through the business are highly consistent and well understood.

Providing consulting and implementation support in addition to custom development has introduced Alembic Computer Services to a wide variety of businesses and working models.  Because QuickBooks software is recognized as a fundamental tool for most small companies, delivering guidance and support to QuickBooks customers became a solid foundation for discovering where customization or other software implementations were required in order to fully address the business needs of their clients.

What became apparent to ACSI while working with these vastly different organizations was that there were similarities in the fundamental workflows and information management processes, and that these processes were not being adequately supported by any of the accounting or ERP systems. Even more than with software customization and development, ACSI recognizes the potential for helping a wide range of businesses with improvements that could be made by implementing standardized workflow and business process support systems.

The real basis for delivering work at Alembic Computer Services is the team that makes up the company. 

Fully leveraging the capabilities of each developer and supporting staff member is essential to creating and retaining profitability, which places employee time, resource and project management as the absolute top priorities. Managing the scope of information necessary to support each consulting or development project is no small task, nor is managing the time and activities of a team of developers and other employees, and flowing all of that data through to scheduling, payroll and billing systems.

To meet these internal requirements as well as establishing a basis for expanding high value service offerings to clients, Alembic Computer Services selected Exact Synergy Enterprise, a business management solution from the Dutch software company Exact (www.exact.com).

“For over 35 years, the tag line at Alembic has been ‘Productivity by Design’. It is our mission to improve the businesses of our clients by providing quality software solutions and the highest level of customer service. Exact Synergy Enterprise provides us with a unique tool that enables us to help almost any business achieve a greater level of productivity. With our many years of experience with Synergy, we are very excited to be the ones to introduce this special product to the QuickBooks community.”

Alembic Computer Services stands out among the numbers of consultants and resellers working with Synergy, largely due to the focus on bringing the value and power of Synergy Enterprise into the QuickBooks user space. 

While there are other partners selling ERP products that integrate with Synergy, Alembic Computer Services works primarily with QuickBooks Enterprise customers who need flexible workflow and business process management support that can’t be handled with QB alone or by other solutions in the QB marketplace.

“The Exact partner community has a rich history of enabling integration with other small and mid-size financial applications, giving companies the ability to modernize the business processes surrounding financial data that is so important to them. We strongly support what firms like Alembic Computer Services are doing to marry Synergy Enterprise with QuickBooks” says Philip Bini, Director for Exact Americas.

“Exact is excited to see advisors like Alembic Computer Services apply their passion for Synergy Enterprise by creating a business management blueprint for businesses that use QuickBooks for their accounting needs. Exact Synergy Enterprise allows business users to interact on their business transactions in a collaborative environment.  As a result, the integration between Synergy and QuickBooks makes the complete solution more relevant and widely accessible to QuickBooks ProAdvisors, reseller communities and the QuickBooks customer base at large. It really is an exciting time for the entire QuickBooks market to be introduced to Exact Synergy Enterprise.”

Within Synergy Enterprise, the people, actions and activities, and business resources are all tracked in order to inform other applications and processes which support the business and operation. 

By centering the Synergy workflow solution in the business applications infrastructure and utilizing its flexible and extensible framework to embrace the full realm of business activities, Alembic Computer Services is able to automate and fully streamline processes that were previously very time-consuming and which did nothing to directly support or improve business profitability.

In order to create the most efficient and high performance approach possible, Alembic Computer Services knew they wanted a solution which natively addressed standard business needs like electronic document management, customer relationship and personnel management, but which could also be custom configured to handle their development and project-related workflows at a very detailed level.

While Jeff and Donovan are developers by profession, there was little interest in embarking on a large customization project to support their own business needs, so any solution would have to provide not only strong essential functionality right out of the box, but should allow for a great deal of customization of the solution without coding. Synergy delivered on those capabilities richly.

Using a standards-based approach to framing the activities and guided by logic infused into the Synergy system, Alembic Computer Services created their own professional project management and time and billing system within Synergy that directly and efficiently addresses the specific tasks, activities, resources and services involved in any given customer project. Storing not just customer and baseline project information, the system tracks every document, activity, research item and production element which associates to the performance of the tasks or which is provided through guided workflow.

Further, by integrating the project, time and resource data with their QuickBooks financials, the company was able to create an end-to-end solution which addresses the wide array of activities involved in running the business, increasing efficiency and effectiveness in back-office operations as well as those in front. This benefit was among those most apparent to Alembic Computer Services, and was the fuel behind the development of the integration between QuickBooks and Synergy.

Unaccounted-for time or resources, incomplete task performance, and undocumented project activities lead to inconsistent performance and lower profits.

Integrated workflows and the elimination of double-entry ensure greater accuracy in payroll, billing and other related processes, allowing ACSI personnel and business managers to more efficiently perform their required tasks, reducing friction and smoothing performance to a consistent and predictable flow.

For the project managers at Alembic Computer Services and the QB Resource Center, the big benefit of Synergy is that the developers know what projects are assigned to them at all times and can view exactly what tasks must be performed and when. For owners Jeff and Donovan Sachs, the confidence comes from knowing that every business process is structured and defined, that the processes will be handled in a complete and timely manner, that all documentation and data is sufficiently collected and filed, and that their systems have the agility and power to carry the business well into the future.

Make Sense?

J

 

Read the Introduction: Fringe to Foundation: Aligning Business Goals and Lifting Business Performance through Digital Workflows

Article 1: Every Business Deserves a Chance to be Better

Every Business Deserves a Chance to Be Better

Article 1 in 4-part series

Every business owner or manager wants to see growth in revenue and profits, and sustaining a high level of performance requires that the business operate smoothly and without breakage or imbalance. When workers know their jobs and do them well, and when workload performance is regular and timely, the business operation glides.

Yet few organizations fully understand how all of their processes weave together to form the operation, or how changes in workloads and task performance will impact the bottom line. Growing or shrinking workloads, supply chain interruptions and other conditions influence the flow of work in the business, which is why a clear understanding of the workflows and the dynamics of the processes they connect is so essential.

It really comes down to a “degrees of success” question: how much better could the business be?

It is said that the only constant is change, and businesses must find a way to effectively and cost-efficiently meet changing demands and conditions in order to survive.  What frustrates many business owners is that change is generally disruptive to the business, representing a significant challenge when it comes to the development of internal processes, procedures and the workflows which bind them.   At issue is the understanding that proven, structured and repeatable processes help to improve efficiency, yet changing conditions often require changes to these processes.

Creating agility and sustainable value in the organization suggests that guidance for workers, processes and controls, business and system policies, activities and agents and resources all be brought together to form a complete picture of the business and operation.  With this in hand, the business is better able to communicate to each member what is expected of them and when, and to make adjustments or enhancements to how the work flows in order to keep moving toward the stated goal.

Informed workflows guide smarter processes, and smarter businesses are more resilient.

Smarter business is built from knowledge and understanding not just of the systems and actors in the enterprise, but of the higher level goals motivating the activity.  In a global economy, where competitive pressures are increasing every day for even the smallest of businesses, making process improvements and creating sustainability become as much a focus for the business as growth once was.

Developing strategies for retaining profit margins, improving cash flows, solidifying supply chains and streamlining operational processes is essential when designing the business to handle the stresses of a changing economy. The foundations of such strategies are the people, processes and knowledge in the business, and the workflows which tie them together into a cohesive, high performance enterprise.

What comes as a surprise to many businesses is that their efforts to structure the work – defining the activities which string together to form the process, or connecting the processes in a workflow – often reveal why certain things are done the way they are. Where process and workflow modeling most frequently addresses the “what” and “how” of the business, less often is the “why” question directly approached. The discovery of “why” is sometimes a revelation which comes unexpectedly, providing insight into areas of the business where change could be made, leading to improved process performance and moving the operation closer to reaching its goals.

With the popularity and proliferation of online applications and cloud computing, many businesses have transformed how they manage activities, people and resources.

The adoption of individual apps to support specific business activities and processes is increasing, where solutions are often loosely connected, integrating or syncing only selected data used for a particular purpose.  The Internet-connected marketplace has introduced both opportunity and challenge for businesses of all sizes, and much of the focus has been placed on the management and control of digital documents and data.

Centralized electronic document management has been commonly used in business for many years, yet has not always been viewed as an essential technology to apply in the context of organizing and structuring the workflows in the business.

Particularly in situations where apps and activities are not always directly connected to their dependent or resultant processes, electronic document management and integration of external data elements become critical to structuring the flow of work.

In structuring workflows and document systems which support the various business processes, the organization will find that it has developed the means to collect and memorialize the business and operational knowledge owned only by individuals in the business.

Gathering together the “tribal knowledge” from users in the business – investing the learning and experience of individuals into the DNA of the business processes and organization of work – is an essential element in crafting meaningful workflows which capture the human-based considerations that are often overlooked.

When individual knowledge becomes business knowledge and is turned into documents, systems and structured processes which guide the operation, results are able to be reproduced more consistently and reliance upon individuals is reduced significantly.

Business processes are now considered to be corporate assets which require consistent and ongoing management and review.

Because business is not stagnant, processes and workflows will necessarily evolve as conditions change. Managing these processes and the workflows which attach them is an iterative process that must be actively pursued in order to ensure that evolving approaches don’t fail to support higher level business objectives.

While an electronic document management solution may address many of the challenges involved in working with large volumes and varieties of documents and data, there are few DM products on the market which can approach the full realm of business workflows and how they are impacted by business or data-driven events or by the availability of people or resources to facilitate the process.

Businesses must not only structure their documents and data, but also their workflows necessary to support the various processes and should seek to normalize those workflows as much as possible. Through a standards-based approach to workflow development, businesses are able to develop a consistent and methodical approach to the work which results in more predictable and consistent outcomes.

The workflow “engine” is truly the workhorse in the business, connecting the people, activities and information required to fulfill each required task.

Fueled by stored documents, data and business policy, workflows inform the organization on the effectiveness of applied resources, events and agents. Not only providing a basis for measuring process effectiveness, structuring all workflows in the business often reveals why certain previously unrecognized processes occur.

Sometimes referred to as “process mining”, activity monitoring and regular workflow and process evaluation allow the business to develop greater understanding of the rationale it must apply to detect or diagnose processes which deviate from the desired path and cause the business to track away from its strategic goals.

Exact Synergy is the workflow engine which powers global businesses and drives performance.

The business fundamental framework of Synergy allows organizations to structure the entire realm of business activities and provide digital workflows and automation to enhance productivity and ensure accuracy at every step. The core of Synergy connects and tracks the entities, transactions and documents associated with every aspect of the business.

Recognizing that business happens with people, systems and processes, Synergy is the tool organizations use to describe the various entities, actions and requests involved in performing the business, guiding process performance with meaningful workflows which clearly communicate to each participant what is expected from them, when it is expected, and even how to perform.

While essential business needs are met with the initial installation, Synergy is extensively configurable and customizable, considering all areas of the enterprise and offering functionality to support a vast array of requirements.  A business may use the solution in a limited capacity, guiding certain HR and other back-office functions, or it can be applied to the entire business and operation, spanning departments and locations, joining processes and acquiring data which might otherwise remain unmanaged and disconnected.

Synergy helps businesses keep actions and decisions aligned, sharpening the competitive edge.

Synergy’s framework combines entity management, process governance and strict security and data controls with a presentation which allows for everyone in the business to view and manage their workloads quickly and directly. Synergy provides each user with the information they need to get their job done without complication or interference, providing the views and access to increase process effectiveness and supporting the most efficient flow of work through the business.

If actions and decisions inside a company aren’t aligned, processes are disrupted and the competitive edge gets lost. With a more intelligent approach to enabling and managing the work flowing through the enterprise, businesses can be smarter and introduce new value for those involved with them.

Make Sense?

J

Read the Introduction: Fringe to Foundation: Aligning Business Goals and Lifting Business Performance through Digital Workflows

‘Tis the (Filing) Season – Time for W2s and 1099 Reporting

Every year-end brings with it not just the holiday spirit, but also the underlying dread felt by small business owners – a creepy and back-of-your-neck hair-raising feeling associated with annual business tax reporting and filing. That old saying about “death and taxes” has a lot of validity to it; sometimes they feel like the same thing to a small business owner. And this is the filing season. Ho ho ho.

The reporting requirements for small businesses seem to be growing at a rapid pace, and business owners are struggling to find the information and tools that ease the adjustment to increasingly burdensome reporting and compliance. The IRS has implemented a number of measures to increase tax revenues and enforce compliance, including stricter 1099 reporting requirements. With information provided at both ends of the “transaction” it is easier to identify those discrepancies which trigger audits.   With this type of business intelligence, the IRS has developed a fairly strong weapon to combat non-compliance, so small business owners need to really pay attention (the IRS is).  If the feds are tooling up, then business owners should, too.

Just to add to the seasonal festivities, make sure you upgrade your accounting software in time to benefit from the right rules and forms. If you run a small business and keep most of your information on spreadsheets (still? really?), that’s OK because there are solutions available which draw the information from spreadsheets, eliminating the need to re-enter data. Seriously, though, you should consider using actual bookkeeping or accounting software.

It is also important to remember that payroll tax filing dates for W-2s and 1099 forms were changed for 2016 taxes, and these changes continue for 2017. The filing deadline for 2017 W-2s and 1099 forms (including Form 1099-MISC) is January 31, 2018, which is a month earlier than the pre-2017 filing date. Thankfully, the deadline for providing W-2 forms to employees and 1099-MISC forms to other workers for 2017 has not changed. This deadline is still January 31, 2018. 

Using a cloud-based service to file 1099s online should be something your business considers doing if it isn’t already. Because most services include form and feature updates, users don’t have to go looking for the right documents or worry that they are using an outdated form.  In an online or hosted solution, users benefit from updates without downloads and get stricter security around their data than would likely be present on their own PC.  As it relates to your accounting software, make sure it has the capabilities you need in this area and don’t settle for limited functionality.

Here are some features you’ll want to look for in your e-filing solution this year:

  • The ability to print and/or mail forms to recipients as well as e-filing forms directly with the IRS or SSA
  • Have Form 1096 or W-3 automatically calculated and transmitted electronically with the detail forms
  • Upload volumes of data with Excel templates or import from your accounting software (saves time and reduces input errors)
  • Store data securely and provide full access to filed forms for multiple years
  • Maintain payer and recipient records securely for use year after year.
  • Encrypt data upon submission and keep it encrypted throughout the entire process
  • Supports 1099 Corrections (should allow filing of corrected forms regardless of how the original form was filed)
  • Accountants, Bookkeepers and Tax Preparers should be able to set up multiple payers and file on behalf of many clients from a single account, even filing for all clients at once or via batch submission

Year-end tax filing, especially dealing with 1099s and W2s, is an arduous task for most small businesses and their professional service providers, yet it is one of those things that simply can’t be put off.  Where there is a single income tax return there could be literally hundreds of associated 1099s or W2s to file.  1099 filing in particular has become more of a focus as authorities crack down on contractor versus employer classifications and seek to develop easier identification of audit candidates (something every business owner wants to avoid).

The point of the discussion is that there are cloud-based tools which are highly useful, feature rich, and very affordable… and business owners and their accountants or bookkeepers would be wise to take a look rather than assuming that the general accounting software will do the trick this year and the next.  Remember that tax filing season is an annual event, and being able to rely on a consistently useful solution can make the season a bit merrier (or at least a little less stressful) for all.

Make Sense?

J

Mobility Solutions to Support the Booming Home Health Services Market

The market for home health care services is growing rapidly and is not likely to slow any time soon. The expanding need is due in large part to the aging of the baby boomers, those born between 1946 and ‘64.  The boomers were once the nation’s largest living generation, defined by a notable increase in births in the United States following World War II. As this generation ages, it is creating a boom of sorts in the home health services industry.

Roughly 10,000 baby boomers turn 65 every day, and increasingly these seniors wish to continue living in their own homes rather than being moved to nursing homes or assisted living facilities.   According to AARP, nearly 90 percent of seniors want to stay in their own homes as they age, referred to as “aging in place.” Most seniors (up to 82 percent) would prefer to stay in their homes even as they need daily assistance or ongoing health care.  Few seniors say they would prefer to move to a care facility, and even fewer identify living with extended family as a desirable option.

The rate of home ownership among boomers is higher than with the rest of the population today, which is one of the primary reasons for increased demands for home care services.  Reports reflect that 81% of seniors today own their own homes, compared to 68% for the rest of the population. The majority of these seniors live alone or with a spouse – we’ve already established that living with extended family isn’t a frequent choice, possibly due at least in part to reduced home ownership rates. There are also suggestions that the reduced economic status of later generations has similarly reduced the capacity for extended families providing the long-term care for their seniors.

Projected to double by the year 2050, the number of Americans requiring daily help with living at home is expected to grow from the current 12 million to 27 million.  Older adults will make up almost 20 percent of the population, if not more.

These and other factors are driving rapid growth and expansion in the home health care field. Projected job growth for home health providers and personal care aides is expected to reach a whopping 70 percent by 2020. Larger than any other occupation grouping in the country, the direct care workforce is projected to exceed teachers from kindergarten through high school (3.9 million), all law enforcement and public safety workers (3.7 million), and registered nurses (3.4 million). Between 2010 and 2020, the fastest growing occupations in the country are projected to be Personal Care Aides and Home Health Aides.

Home health care businesses providing in-home senior care, hospital after-care, veteran care and numerous other specialized and general services are supported by a number of specialized software solutions designed to meet the specific needs of this segment of the healthcare industry.  The software used to support the business generally includes specific functionality for managing client and patient records, caregiver and provider information, scheduling and dispatch, payroll and HR, billing, and other back office and accounting processes.

Many of the industry-specific solutions available on the market address different or unique aspects of operating the home health care business, integrating data from their system with separate accounting and finance applications (such as QuickBooks desktop editions) for the rest of the functionality needed.  This allows the developer of the line of business application to focus on the valuable features and capabilities that will make the practice more efficient, compliant and profitable, leaving general accounting processes (payroll, accounts payable, general ledger and reporting) to the accounting software.

With greater frequency, the applications servicing the home health care industry are SaaS solutions, crafted with online access and mobility in mind.  This industry in particular has a specific need for remote and mobile access to information, as it is a “field service” operation at its core with healthcare rolled in.  The requirements to manage not just scheduling and services, but to deal with compliance, privacy and other factors involved with healthcare information complicate matters, placing an additional focus on the security and mode of access to the software and information.

Businesses using solutions such as Kinnser ADL, Shoshana Rosemark, Kaleida eRSP and Generations Homecare System rely on the software to streamline their operations.  Not only designed to support a remote and mobile workforce, these application services also provide business owners and managers with the ability to access essential business data at any time.  At issue is the rest of the software and systems which support the business operation and its processes.  Word and Excel or other productivity tools are almost certainly used at some level, and QuickBooks is in use, too.  These applications and their data typically reside on the desktop computer or local network.  As desktop applications, these solutions deliver the best power and performance for the business in terms of features and usability.  While some users may consider moving to web-based versions of these products, those who favor performance and functionality over framework often return to the feature-rich desktop applications that do the full job required.

In order to give business owners and remote workers the access they need to desktop applications and data, secure remote access solutions are required.  When the software and systems reside in the locked office of the business, the people operating outside aren’t usually able to access them in a way that is useful – or useful for more than one person at a time.  Remote control solutions that broker access to a PC cannot provide the multi-user support, application security or overall performance that most businesses require.  Attempts to implement simple RDS solutions or use similar products to create access often expose the business to unnecessary risk and limited capability while introducing heavy technical and licensing expenses.

With an offsite option, where the applications and data reside with the commercial hosting provider, business owners and line managers benefit from being allowed to focus on operations and not on managing the underlying software and systems. The business outsources the provisioning, management and protection of primary IT resources to support users, software and data, but the business should retain the capability to administer their own cloud as personnel changes impacting information access can occur at any time.

Whether their software and data are hosted on-site with existing equipment or offsite with managed hosting, home health care businesses need to have an easy-to-use solution for administration of user accounts, application access and secure filespaces.  For the home health care business, this is critical functionality that can mean the difference between spending too much time in the office handling general business and software matters versus meeting with clients and managing caregivers and revenue-generating activities.  In a fast moving, fast growing and highly mobile business, getting to information at anytime from anywhere using any device means being able to meet booming business demand.

Make Sense?

J

https://www.census.gov/newsroom/press-releases/2014/cb14-84.html
https://www.ioaging.org/aging-in-america
http://www.pewresearch.org/fact-tank/2016/04/25/millennials-overtake-baby-boomers/
http://www.iyhusa.com/AginginPlaceFacts-Data.htm
http://economistsoutlook.blogs.realtor.org/2012/01/13/homeowners-by-age/

Securing Business Data When Mobility is the Target

Today’s workforce is a mobile workforce. Technology has enabled businesses to allow their employees to reach beyond the office walls, doing business and operating effectively from just about any location.  SaaS, online access to business data, and smart phone technologies have brought flexibility in working models previously only imagined by the workforce tethered to business locations and office computers. Yet this flexibility comes at a price if the business is to keep up with securing and protecting data assets as readily as it extends access to them.  The bad guys are well aware that mobile computing and remote access working models are growing in adoption with businesses, and are finding ways to take ever-greater advantage of the situation.

Teleworking, which is not quite the same thing as telecommuting, is on the rise and it doesn’t look to be a trend that will slow down any time soon. According to GlobalWorkplaceanalytics.com, “telework is defined as the substitution of technology for travel”.  Those who work sometimes from an office, but sometimes not, are teleworkers. Working at the office during the day and then taking work home at night makes you a teleworker. The primary tool of the teleworkforce is the smart phone – the mobile computer with built-in connectivity and enough processing power to handle many basic office workloads.

  • 50% of the US workforce holds a job that is compatible with at least partial telework and approximately 20-25% of the workforce teleworks at some frequency
  • 80% to 90% of the US workforce says they would like to telework at least part-time. Two to three days a week seems to be the sweet spot that allows for a balance of concentrative work (at home) and collaborative work (at the office).
  • Fortune 1000 companies around the globe are entirely revamping their space around the fact that employees are already mobile. Studies repeatedly show they are not at their desk 50-60% of the time.  http://globalworkplaceanalytics.com/telecommuting-statistics

The number of teleworking employees is on the rise, and so is the variety of devices used to facilitate mobile working.  Smartphones, tablets and phablets and, of course, laptop computers are used by mobile workers – often in addition to the company-supplied desktop in the office. The variety and number of computing devices per user is growing. Knowing this, businesses must take increasingly expansive steps to strengthen and secure remote access systems and business data, yet many organizations are just beginning to fully realize that the mobility they extend to their users is part of the reason for the increasing number of data breaches and attacks against business information systems.

Cybercriminals and their crafty programs are often able to steal important information or access a network by first infecting computers and devices used for telework.  Many of the devices available to the attackers are not company-owned, but are introduced to the system by contractors, vendors and employees (BYOD or bring-your-own-device users).

Even if the device isn’t a vehicle delivering a nasty payload into the network, data breaches may still occur when business information is stored on an improperly secured device. Most people who work with computers have some recognition of the potential for virus attacks and malware, but far fewer recognize the threat potential of attacks against mobile devices such as phones and tablets, and even fewer may implement meaningful protections on those devices.

“To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by, or stored on, telework devices,” said Murugiah Souppaya, a NIST computer scientist. [1]

Providing guidance and information to the public on such topics, NIST (National Institute of Standards and Technology) is revising its publications on telework to cover growing use of BYOD and how contractor and vendor devices are increasingly used to access company information resources.  Two new publications – one for organizations and one for users – are now available for review and comment.  You can find them here.

“As one of the major research components of the National Institute of Standards and Technology, the Information Technology Laboratory (ITL) has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics.”  [NIST Information Technology Laboratory Mission]

The rising number of threats, attacks and breaches caused by compromised devices used for teleworking is nothing to take lightly, and protecting against them shouldn’t be approached as a merely perfunctory obligation. Organizations must create and consistently update policies and requirements relating to protecting information accessible by remote workers if they intend to reduce business risk and provide assurances to stakeholders and customers that the information is adequately guarded.  But it doesn’t stop with the policy; businesses must also make an effort to properly educate their users (employees, contractors, vendors, etc.) on those policies, ensuring that all parties involved understand the responsibilities and requirements and strictly adhere to them.

Make Sense?

J

[1] http://www.nist.gov/itl/csd/attackers-honing-in-on-teleworkers-how-organizations-can-secure-their-datata.cfm

SEC Watchful Eyes Focus On Cybersecurity and Protecting Personal Information

Information privacy used to be a fairly simple thing.   Systems – what systems there were – weren’t so interconnected and information wasn’t so easy to share with thousands (millions) of people all over the world.  Security used to come down to gaining physical access to the information, which was usually on paper.  If you couldn’t get to the paper, you couldn’t get to the information. Yet those very analog days are long gone, and most of us have come to recognize that our personal information assets are no longer so tangible that we can touch them and feel them and keep them secured safely in the lockbox in the closet. What’s disturbing about the landscape of security in the cyber-world is that it is risky to trust not just the systems but the users – including the folks you want and need to trust – with your personal information.  It isn’t that you can’t trust anyone these days.  You just can’t trust that everyone is taking the precautions necessary to protect YOUR information.  You need to be sure.

Trust has always been an essential element in business and finances, and in every business relationship there is some element of it present. The prudent customer performs necessary due diligence before entering into any business arrangement, but there are often factors taken for granted in the review; factors which are overlooked or remain unconsidered, often due to an essential level of trust which is placed with the other party. This is among the issues identified by the SEC as it relates to broker/dealers and their recognition of the importance of securing their clients’ personal information.  Yet recognition of the risk and responsibility isn’t always enough, especially with the number and makeup of bad actors out there. As the threat landscape changes, so must the approaches and technologies used to protect information from those threats.

Consumers place a high level of trust with their financial advisors and generally provide them with a great deal of personal information, and the broker-dealers and advisors generally recognize the importance of protecting the personal information they are entrusted with.  The problem is that these entities too often approach the problem of information security and protection as something with static and unchanging requirements. Compliance in establishing a baseline of protection is met.  A lack of ongoing diligence required to adjust to new threats and changing conditions… not so much. According to a summary report on the subject issued by the SEC in February 2015, the “vast majority” of examined broker-dealers and advisors have adopted written information security policies, yet the report goes on to discuss additional measures and constant reviews which should be applied to better guard the personal information of consumers.

Most of the examined firms reported that they have been the subject of a cyber-related incident.  A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors.  The majority of the cyber-related incidents are related to malware and fraudulent emails.

National Exam Program Risk Alert issued by the Office of Compliance Inspections and Examinations (“OCIE”); Volume IV, Issue 4, February 3, 2015

Among the agencies placing focus on the issues of cybersecurity and personal information protection is the SEC.  Within the SEC (Securities and Exchange Commission) is an office called the Office of Compliance Inspections and Examinations (OCIE).  The OCIE exists to “protect investors through administering the SEC’s nationwide examination and inspection program”.  Registered entities examined by this office (in Washington, DC and the Commission’s 11 regional offices) include broker-dealers, transfer agents, investment advisers, investment companies, municipal advisors, the various national securities exchanges, clearing agencies, and certain self-regulatory organizations (SROs) such as the Financial Industry Regulatory Authority (FINRA) and the Public Company Accounting Oversight Board (PCAOB).

In February 2015, OCIE published a summary of observations of the findings from an SEC-sponsored Cybersecurity Roundtable which included SEC Commissioners and staff as well as industry representatives.  The roundtable discussion, held in March 2014, focused on the important part cybersecurity plays in preserving the integrity of the market system and protecting customer data.  On the heels of the roundtable came a Risk Alert published by OCIE, in which it announced a series of examinations and tests aimed at identifying cybersecurity risks and assessing the preparedness of the securities industry to meet the challenge.  After all, federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.

The watchful eyes of the SEC are looking directly at broker-dealers and advisers, bringing additional attention to messaging about the requirement for these entities to protect consumer personal information.  The message is more likely to be heard when it includes the threat of censure and a big fine. In September 2015 the SEC charged an “investment adviser with failing to adopt proper cybersecurity policies and procedures prior to a breach”.  According to the SEC release, the firm “failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.”  Also in September, the OCIE communicated another Risk Alert notifying of their intent to focus on cybersecurity compliance and controls, including information about the next round of examinations which will include more testing to evaluate firms’ implementations of procedures and controls around information protection and cybersecurity.

Gathering information on information security and privacy practices is not always easily accomplished for the SEC OCIE.  FinCEN (US Dept of the Treasury Financial Crimes Enforcement Network), on the other hand, seems to get more reports of breaches from broker-dealers than does OCIE.  Maybe it is because the advisor would rather take the role of the victim than admit culpability in any way, but the OCIE reports that roughly 65% of broker-dealers that acknowledged receiving fraudulent emails, for example, reported them to FinCEN, yet perhaps 7% or fewer actually reported the information to law enforcement or other regulatory agencies.  It is the public report of the breach which gets the attention, and which continues to spur the efforts within the OCIE.

Public reports of cybersecurity breaches occur with too much frequency.  Sadly, many of these events are due to failures or weaknesses in basic controls – failures which might have been identified if testing and review of basic processes, systems and controls were part of regular procedure.  With some of the largest data breaches possibly resulting from hacking of third-party vendor systems and platforms, review and assessment of vendors and suppliers must also be folded into the realm of consideration.  Failure to protect personal information of consumers and clients is a risk not just to the firm or the client, but also to the entire market.  Risk reduction and management is among the focus areas for OCIE, a charter which supports the recent creation of the Office of Risk and Strategy, and which recognizes the challenge in gaining the information necessary to effectively inform the SEC and the market on cybersecurity issues.

Make Sense?

J