By ANTHONY HODGKINSON, Director — Forensic, Protiviti Australia
The festive season is a time for fun and good cheer. Your business is celebrating the end of the calendar year and staff are counting down the days before their extended holidays begin. But be warned — the holidays are also a peak season for cybercriminals and fraudsters looking to exploit your vulnerabilities at a time of skeleton staffing and “go slow” activity.
Protiviti has found that a significant number of frauds come to light in the new year and the last thing you want is for your business to become a casualty to an enterprising fraudster. We suggest the tips below to help you achieve a fraud-free holiday season.
1. Arrange for key staff to be available or on call over the holiday period to cope with unforeseen circumstances. Produce a schedule showing which members of staff are expected to work and give it to the security team. Ask the security team to report any unexpected people visiting the office, as well as any late night or weekend work.
2. If you employ temporary staff over the holiday period, particularly
in key areas such as security or IT, try to ensure that at least one permanent member of staff is always present.
3. Make sure temporary staff references and details are thoroughly examined and verified prior to commencement.
4. Prepare a fraud response plan, with details of key advisers and other parties such as accountants, lawyers, police, insurers and bankers, so that you know what to do and who to contact if the worst happens. Produce a list for key personnel that includes their whereabouts during the holiday period including dates of availability and contact details so that they can be contacted in an emergency.
5. Ensure all key documents are adequately secured, with duplicated copies offsite.
6. Let local police know if your offices and other buildings are to be closed and unattended during the holidays. Do not solely rely on alarm systems.
7. Make sure any IT and security devices, such as server back-ups and video security have sufficient storage media to last the whole holiday period. Ensure back-up tapes of critical IT systems are duplicated, with copies being maintained offsite.
8. Consider limiting access rights to key computer systems to essential personnel only. Consider disabling remote access to your IT systems over the holiday period, especially if you have no permanent staff monitoring access. If remote access is necessary, implement multifactor authentication for remote users and devices to enhance security.
9. Assess the most common or trending cyber exploitation techniques and ensure your systems can withstand them. Ensure all recommended vendor patches are integrated and up to date and that all firewalls, intrusion detection and anti-virus systems are working effectively.
10. Remind staff of their important role in data security. Caution them about lost laptops, the integrity of PINs and passwords, and recognising malware scams and suspicious (phishing) emails. Ask them to keep their eyes open for any unusual activity and to report anything suspicious immediately.
11. Ensure you have a comprehensive and up-to-date cybersecurity response and communication plan that is ready to be deployed should a data breach occur. Make sure key members of your cyber response team are aware of their responsibilities and can be contacted even while on leave.
12. Ensure your bank will not process transactions over a given amount without first obtaining authority from a senior member of staff. You may need to give your bank manager your personal contact details.
13. Ensure someone with the appropriate authority level is always present to approve transactions. Don’t let standards drop just because it’s the festive season.
14. Do NOT pre-sign blank cheques or authorisation forms to cover the holiday period.
15. Scrutinise any requests for “urgent” transactions. Query requests for unusual actions such as manual cheques and miscellaneous account coding.
16. Meet with the security team to learn of any unusual events and attendances.
17. Review telephone logs for details of calls that took place at unusual times. Follow up on any unexplained absences from work. Fraudsters can often make themselves scarce immediately after committing the fraud.
18. Review any journal entries that have been processed in the previous month.
19. Review changes to all master files to ensure they are bona fide. Scrutinise system access logs for unusual patterns.
20. Review all bank statements and perform bank reconciliations as soon as possible after your return. Ensure all reconciling items are valid.
21. Look out for severe changes in behavior, personality and working practices of any staff members. Concealing a fraud is stressful and the red flags will soon appear.
22. Before all security settings are returned to normal, consider reviewing them for appropriateness with respect to the levels of access granted to staff.
23. Carry out a review of all security measures — both physical and IT. Identify and investigate all breaches.
24. Listen to the grapevine. There’s often an element of truth in office rumor. All allegations and suspicions should be thoroughly investigated.