Tag: information technology

Posted on

Run Your [New, Small, Growing] Business from Anywhere

The office for a small business used to be where all the work got done.  The hub of activity and productivity for a small business, the office was where you could connect with team members and co-workers and generally keep on the same page with what was going on in the business.  Customer orders are taken, those orders are fulfilled, and bills are paid – all from the small business office.  Yet today’s small business isn’t tied to the office location any longer.fishingpoles

Mobility and the cloud now provide businesses with mobile office options that allow users to get their jobs done no matter where they happen to be.  Business moves at a fast pace, and mobility and remote access solutions help companies be more nimble.  Collaborating while on the go and exchanging ideas and concepts quickly helps businesses be more agile and better-able to meet changing customer needs.  Successful small business owners leverage mobility and action to beat the competition.

The cloud and Internet-based computing lets small businesses access and benefit from IT solutions that were previously only available to enterprise organizations.  Better IT means being more competitive, giving smaller businesses a leg up and positioning them among even the largest of competitors. For the business owner, the freedom of being able to manage the entire business from anywhere delivers a freedom and flexibility previously unimagined.

Here are some ways hosted and cloud-based IT can help small businesses overcome everyday business challenges:

Reduce or Eliminate the Need for a Physical Office

Starting a business is tough, and many small business owners decide to use their own homes as a business location rather than forking over a bunch of lease money to a commercial realtor.  Using hosting application services and cloud technologies can help keep team members and co-workers working together, no matter where they are located.  Many businesses are able to get off the ground and operating successfully without ever having an established office.

Work when it Works for You

Remote desktops and hosted applications deliver functionality to users no matter where or when they need to work.  With ready access to everything needed to get the job done, workers are able to be productive even when they’re not at a desk (or even a computer!).  Smartphone and tablet apps can make working from a mobile device highly effective, extending productivity and capability to workers whenever and wherever it is required.

Keep Everyone on the Same Page

When systems are centrally located and accessed, it is easy to keep everyone on the same version, the same edition, and the same page.  No matter where users are located, documents and application data are kept in sync, ensuring that everyone is working on the most current information available.  Mobile access to applications and data keeps information from being distributed to various devices, making revision control easier and providing better protection for valuable business information.

Mobile computing and the cloud make it easy for small businesses to have better IT that enhances productivity and supports growth.  Reducing capital costs and exchanging large technology investments with affordable monthly subscription service gives small businesses the boost they need to implement the solutions and services which will develop and improve collaboration, streamline workflows, and reduce overhead costs while enabling a fast-paced and agile business ready to meet any challenge.

jmbunnyfeetMake Sense?

J

Posted on

Securing Business Data When Mobility is the Target

driving1-ANIMATIONToday’s workforce is a mobile workforce. Technology has enabled businesses to allow their employees to reach beyond the office walls, doing business and operating effectively from just about any location.  SaaS, online access to business data, and smart phone technologies have brought flexibility in working models previously only imagined by the workforce tethered to business locations and office computers. Yet this flexibility comes at a price if the business is to keep up with securing and protecting data assets as readily as it extends access to them.  The bad guys are well aware that mobile computing and remote access working models are growing in adoption with businesses, and are finding ways to take ever-greater advantage of the situation.

Teleworking, which is not quite the same thing as telecommuting, is on the rise and it doesn’t look to be a trend that will slow down any time soon. According to GlobalWorkplaceanalytics.com, “telework is defined as the substitution of technology for travel”.  Those who work sometimes from an office, but sometimes not, are teleworkers. Working at the office during the day and then taking work home at night makes you a teleworker. The primary tool of the teleworkforce is the smart phone – the mobile computer with built-in connectivity and enough processing power to handle many basic office workloads.

  • 50% of the US workforce holds a job that is compatible with at least partial telework and approximately 20-25% of the workforce teleworks at some frequency
  • 80% to 90% of the US workforce says they would like to telework at least part-time. Two to three days a week seems to be the sweet spot that allows for a balance of concentrative work (at home) and collaborative work (at the office).
  • Fortune 1000 companies around the globe are entirely revamping their space around the fact that employees are already mobile. Studies repeatedly show they are not at their desk 50-60% of the time.  http://globalworkplaceanalytics.com/telecommuting-statistics

The number of teleworking employees is on the rise, and so is the variety of devices used to facilitate mobile working.  Smartphones, tablets and phablets and, of course, laptop computers are used by mobile workers – often in addition to the company-supplied desktop in the office. The variety and number of computing devices per user is growing. Knowing this, businesses must take increasingly expansive steps to strengthen and secure remote access systems and business data, yet many organizations are just beginning to fully realize that the mobility they extend to their users is part of the reason for the increasing number of data breaches and attacks against business information systems.

Cybercriminals and their crafty programs are often able to steal important information or access a network by first infecting computers and devices used for telework.  Many of the devices available to the attackers are not company-owned, but are introduced to the system by contractors, vendors and employees (BYOD or bring-your-own-device users).

Even if the device isn’t a vehicle delivering a nasty payload into the network, data breaches may still occur when business information is stored on an improperly secured device. Most people who work with computers have some recognition of the potential for virus attacks and malware, but far fewer recognize the threat potential of attacks against mobile devices such as phones and tablets, and even fewer may implement meaningful protections on those devices.

“To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by, or stored on, telework devices,” said Murugiah Souppaya, a NIST computer scientist. [1]

Providing guidance and information to the public on such topics, NIST (National Institute of Standards and Technology) is revising its publications on telework to cover growing use of BYOD and how contractor and vendor devices are increasingly used to access company information resources.  Two new publications – one for organizations and one for users – are now available for review and comment.  You can find them here.

“As one of the major research components of the National Institute of Standards and Technology, the Information Technology Laboratory (ITL) has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics.”  [NIST Information Technology Laboratory Mission]

The rising number of threats, attacks and breaches caused by compromised devices used for teleworking is nothing to take lightly, and protecting against them shouldn’t be approached as a merely perfunctory obligation. Organizations must create and consistently update policies and requirements relating to protecting information accessible by remote workers if they intend to reduce business risk and provide assurances to stakeholders and customers that the information is adequately guarded.  But it doesn’t stop with the policy; businesses must also make an effort to properly educate their users (employees, contractors, vendors, etc.) on those policies, ensuring that all parties involved understand the responsibilities and requirements and strictly adhere to them.

jmbunnyfeetMake Sense?

J

[1] http://www.nist.gov/itl/csd/attackers-honing-in-on-teleworkers-how-organizations-can-secure-their-datata.cfm
Posted on

SEC Watchful Eyes Focus On Cybersecurity and Protecting Personal Information

SEC Watchful Eyes Focus On Cybersecurity and Protecting Personal Information  #cybersecurity BehindBars

Information privacy used to be a fairly simple thing.   Systems – what systems there were – weren’t so interconnected and information wasn’t so easy to share with thousands (millions) of people all over the world.  Security used to come down to gaining physical access to the information, which was usually on paper.  If you couldn’t get to the paper, you couldn’t get to the information. Yet those very analog days are long gone, and most of us have come to recognize that our personal information assets are no longer so tangible that we can touch them and feel them and keep them secured safely in the lockbox in the closet. What’s disturbing about the landscape of security in the cyber-world is that it is risky to trust not just the systems but the users – including the folks you want and need to trust – with your personal information.  It isn’t that you can’t trust anyone these days.  You just can’t trust that everyone is taking the precautions necessary to protect YOUR information.  You need to be sure.

Trust has always been an essential element in business and finances, and in every business relationship there is some element of it present. The prudent customer performs necessary due diligence before entering into any business arrangement, but there are often factors taken for granted in the review; factors which are overlooked or remain unconsidered, often due to an essential level of trust which  is placed with the other party. This is among the issues identified by the SEC as it relates to broker/dealers and their recognition of the importance of securing their clients personal information.  Yet recognition of the risk and responsibility isn’t always enough, especially with the number and makeup of bad actors out there. As the threat landscape changes, so must the approaches and technologies used to protect information from those threats.

Consumers place a high level of trust with their financial advisors and generally provide them with a great deal of personal information, and the broker-dealers and advisors generally recognize the importance of protecting the personal information they are entrusted with.  The problem is that these entities too often approach the problem of information security and protection as something with static and unchanging requirements. Compliance in establishing a baseline of protection is met.  A lack of ongoing diligence required to adjust to new threats and changing conditions… not so much. According to a summary report on the subject issued by the SEC in February 2015, the “vast majority” of examined broker-dealers and advisors have adopted written information security policies, yet the report goes on to discuss additional measures and constant reviews which should be applied to better guard the personal information of consumers.

Most of the examined firms reported that they have been the subject of a cyber-related incident.  A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors.  The majority of the cyber-related incidents are related to malware and fraudulent emails.

National Exam Program Risk Alert issued By the Office of Compliance Inspections and Examinations (“OCIE”); Volume IV, Issue 4 February 3, 2015

Among the agencies placing focus on the issues of cybersecurity and personal information protection is the SEC.  Within the SEC (Securities and Exchange Commission) is an office called the Office of Compliance Inspections and Examinations (OCIE).  The OCIE exists to “protect investors through administering the SEC’s nationwide examination and inspection program”.  Registered entities examined by this office (in Washington, DC and the Commission’s 11 regional offices) include broker-dealers, transfer agents, investment advisers, investment companies, municipal advisors, the various national securities exchanges, clearing agencies, and certain self-regulatory organizations (SROs) such as the Financial Industry Regulatory Authority (FINRA) and the Public Company Accounting Oversight Board (PCAOB).

In February 2015, OCIE published a summary of observations of the findings from a SEC-sponsored Cybersecurity Roundtable which included SEC Commissioners and staff as well as industry representatives.  The roundtable discussion, held in March 2014, focused on the important part cybersecurity plays in preserving the integrity of the market system and protecting customer data.  On the heels of the roundtable came a Risk Alert published by OCIE, in which it announced a series of examinations and tests aimed at the identification of cybersecurity risks and assessing the preparedness of the securities industry to meet the challenge.  After all, federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.

Paperless_468x80

The watchful eyes of the SEC are looking directly at broker-dealers and advisers, bringing additional attention to messaging about the requirement for these entities to protect consumer personal information.  The message is more likely to be heard when it includes the threat of censure and big fine. In September 2015 the SEC charged an “investment adviser with failing to adopt proper cybersecurity policies and procedures prior to a breach”.  According to the SEC release, the firm “failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.”  Also in September, the OCIE communicated another Risk Alert notifying of their intent to focus on cybersecurity compliance and controls, including information about the next round of examinations which will include more testing to evaluate firms’ implementations of procedures and controls around information protection and cybersecurity.

Gathering information on information security and privacy practices is not always easily accomplished for the SEC OCIE.  FinCin (US Dept of the Treasury Financial Crimes Enforcement Network), on the other hand, seems to get more reports of breaches from broker-dealers than does OCIE.  Maybe it is due to the advisor wanting to take more the role of the victim rather than admittance of culpability in any way, but the OCIE reports that roughly 65% of broker-dealers that acknowledged receiving fraudulent emails, for example, reported them to FinCen, yet perhaps 7% or fewer actually reported the information to law enforcement or other regulatory agencies.  It is the public report of the breach which gets the attention, and which continues to spur the efforts within the OCIE.

Public reports of cybersecurity breaches occur with too much frequency.  Sadly many of these events are due to failures or weaknesses in basic controls – failures which might have been identified if testing and review of basic processes, systems and controls was part of regular procedure.  With some of the largest data breaches possibly resulting from hacking of 3rd party vendor systems and platforms, review and assessment of vendors and suppliers must also be folded into the realm of consideration.  Failure to protect personal information of consumers and clients is risk to not just the firm or the client, but also to the entire market.  Risk reduction and management is among the focus areas for OCIE, a charter which supports the recent creation of the Office of Risk and Strategy, and which recognizes the challenge in gaining the information necessary to effectively inform the SEC and the market on cybersecurity issues.

jmbunnyfeetMake Sense?

J

Posted on

Is this email legitimate? QuickBooks Payroll ACH ID Changes go live on the 22nd!

Is this email legitimate? QuickBooks Payroll ACH ID Changes go live on the 22nd!

Trusted QuickBooks Advisors – here’s another thing for you to help your clients with

Intuit recently sent an e-mail to QuickBooks Online Payroll (QBOP) and QuickBooks Full Service Payroll (QBFSP) customers about an ACH ID change.  It kind of looks like a phishing thing, but it is really a legitimate email from Intuit, and it is important to pay attention if your company uses the impacted services and a banking feature called “debit filtering”.  There isn’t much time to act, either, because the changes go live in 3 days (February 22, 2016).

Impacted services are QuickBooks Online Payroll and QuickBooks Full Service Payroll, so it is pretty important to address.  Nobody wants their business payroll processes interrupted, and this could easily do just that.

Intuit has added some new ACH ID numbers for use with direct deposit and other processes which work with the bank, so customers using a fraud-prevention method known as “debit filtering” will need to contact their banks to add the new IDs or their bank transactions will fail.

Debit filtering allows customers to tell their banks which ACH IDs are allowed to perform transactions with the bank account, like removing or depositing funds.  It is an extra level of fraud security that protects the bank account from unauthorized access, but it is also something that can work against the business if it is not managed.  In this case, contacting the bank to add the new IDs is critical to keeping things processing and flowing smoothly.  It is also important that the old IDs not be removed yet, as they may be tied to historic transactions that must be tracked and reported on for tax and other purposes.

“Is this really from Intuit? It seems like Intuit would have a better way to make such changes than to ask millions of subscribers to contact their bank”

Source: Is this email legitimate? ACH ID Changes; – QuickBooks Learn & Support

QuickBooks users don’t have much time to reach their banks and supply the new IDs, so pull the email out of the SPAM folder and call the bank right away. Intuit won’t be sending notices to the banks, and they have no authority to add different IDs to your approved list, anyway… which is a good thing.  If just anyone could add an approved ACH ID on your account, then just anyone could get to your funds.  Better to make the phone call yourself.

jmbunnyfeetMake Sense?

J

Posted on

Report Right or It’ll Cost You (double)

Report Right or It’ll Cost You (double)

paper-stackReporting requirements for business just keep growing, and so do the penalties for doing it wrong.  New this year and just in time for the annual reporting season (makes it sound almost fun, huh?) are new forms to file and an increase in penalties for not making an effort to get the information correct and into the hands of the proper recipient. Failure to file by the due date can cost businesses $250 per item, up to $3,000,000 in penalties ($1,000,000 for small businesses).  Add to that the warning about intentionally not filing or having an “intentional disregard of the requirements to furnish a correct payee statement”, which carries a penalty of at least $500 per payee statement and has no maximum penalty. Clearly, the cost of making sure the information is correct and filed in a timely manner is far less than the cost of not getting it done – or done right.

Growing problems around wage and revenue reporting have caused the IRS to pursue a variety of measures over the years to try to improve information reporting.  The Affordable Care Act has also had quite an impact on wage and benefit reporting, increasing reporting requirements substantially.  From the introduction of health plan reporting on W2s to the new mandatory forms 1095-C and 1094-C (for applicable large employers), businesses of all sizes are feeling the pressure.

February 2016 marks the date when employers and healthcare providers are required to file those shiny new IRS information returns regarding employer-provided healthcare coverage, providing a copy of the return to each employee much like a W2. The information would then enable the IRS to enforce rules established under the Affordable Care Act by revealing whether an individual might be eligible for a premium tax credit, or if an employer may be subject to non-compliance penalties. Penalties for failing to comply essentially double in 2016.  And the IRS suggests that a “good faith effort” standard will be applied to information reporting, offering no relief for employers that fail to make the effort to file timely and correctly.

It wasn’t very long ago that 1099 filing requirements expanded substantially, forcing businesses to get far more detailed in their production of information to the IRS and to payment recipients.  While this filing requirement impacted businesses both large and small, most lived through it (with the help of their trusted accounting professional!) and were able to comply.  That effort informed the IRS on a wide variety of business payments and expenses not previously tracked, in particular payments made for services and non-employee compensation.

The increasing scrutiny of wage and earning information may also help in efforts to curtail tax refund fraud.  Identity thieves use stolen (or borrowed) social security numbers to file false tax returns early in the year. Unfortunately, with the IRS motto of “pay first, prove later” the cross checking won’t likely be done until after the refund check has been sent. Once the task is performed, however, the taxpayer could end up getting a letter from the IRS stating that more than one tax return was filed using the social security number, they owe for a tax year for which they did not file a return, or the IRS indicates that wages were reported from an employer the taxpayer doesn’t know.

The IRS expects tax refund fraud to top $21 billion by 2016, which is an increase of 223% from 2013 numbers. Tax refund fraud costs every taxpayer.  No wonder the IRS is getting tougher with the penalties for not filing information returns accurately or on time.

jmbunnyfeetMake Sense?

J

Following is the text from the IRS, which outlines the “Increase in Penalties for Failure to File Correct Information Returns and to Provide Correct Payee Statements — 31-JUL-2015

L. 114-27, section 806, increased penalties for failure to file correct information returns and provide correct payee statements for information returns required to be filed after December 31, 2015.

Penalties are discussed in Section O in the General Instructions for Certain Information Returns. The penalties in the bulleted list under “Failure To File Correct Information Returns by the Due Date (Section 6721)” are revised as follows.

  • $50 per information return if you correctly file within 30 days (by March 30 if the due date is February 28); maximum penalty $500,000 per year ($175,000 for small businesses).
  • $100 per information return if you correctly file more than 30 days after the due date but by August 1; maximum penalty $1,500,000 per year ($500,000 for small businesses).
  • $250 per information return if you file after August 1 or you do not file required information returns; maximum penalty $3,000,000 per year ($1,000,000 for small businesses).
Posted on

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

rollingballNo retailer wants to become the next Target (pun intended).  Payment card fraud costs businesses and consumers billions of dollars every year.  What’s even more frightening, many of the breaches in the news are the result of innocent participants inadvertently granting access to the bad guys.  The Target breach in 2013 exposed the data of 110 million payment cards.  Hackers got into the network using perfectly good credentials of the HVAC company.  Sometimes password security just isn’t enough, which might bring in to question the security of all those SaaS subscriptions and online shopping sites folks use these days.

EMV chip technology, the standard around the world which has just recently become a standard in the United States, has done a lot to stem the tide of credit card fraud in other countries.  As it was implemented in various countries, guess where it pushed the fraudsters?  Where the anti-fraud technology wasn’t, of course! The United States was among the laggards in requiring EMV chip technology for payment cards, opening the door for bad guys and turning the US into a veritable haven for credit card fraud, “accounting for nearly 50% of global fraud losses, according to the Nilson Report[1]”.

EMV chip (or chip and pin) technology will go a long way to prevent credit card fraud for businesses accepting payment cards… in-person and counterfeit card fraud, anyway. Online retail, on the other hand, not so much.  A chip on the card doesn’t really help when the transaction is completed with the card not present (CNP).  Some industry analysts suggest that CNP fraud losses will exceed $6 billion within the next few years, making e-commerce and online payment security a high stakes game for even the smallest of retailers.  As it gets more difficult to hack the payment system when the card is presented, bad guys will fall back in even greater numbers to the card-not-present model to find their victims.

Online retailers and service providers must take additional steps to secure their systems and protect customers and business partners, and face the challenge with the understanding that effort must be ongoing as new threats emerge. Tokenization is a prime method of layering the system with security, making the merchant system somewhat less of a worthy target by not storing the card data in the system.  Even if the system becomes compromised, the bad guys wouldn’t find customer payment card information.  There are numerous other steps a business can take to secure the CNP sales, including applying behavioral analytics which might identify rogue activities, or using 3D Secure to authenticate a cardholder’s identity at the time of purchase.   The point is that CNP fraud is likely to spike as EMV technology takes a firm hold in the US.

Card fraud is already escalating rapidly for ecommerce retailers and other card not present channels – it didn’t take EMV to start on that roll but it will surely give it a push.  Paperless payment systems, SaaS subscription services and online application service usage are increasing dramatically and there’s no chip to get in the way of these transactions.  Sellers of any and every service utilizing online payments need to now pay particular attention to system and information security.  The risk has always been there, and EMV chips and other shifts in pay card technology simply give it a push.

jmbunnyfeetMake Sense?

J

 

[1] Chipping away at Credit Card Fraud with EMV; Information Week Tech Digest powered by Dark Reading, Nov 2015; NilsonReport http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1071