Minimizing and Mitigating Cyber Fraud in the Workplace
Setting up an internal control structure to mitigate fraud is nothing new to most companies. The introduction in 2002 of the Sarbanes-Oxley Act (SOX) and of Statement on Accounting Standards No. 99, Consideration of Fraud in a Financial Statement Audit, significantly increased the amount and depth of internal control testing required as part of a financial statement audit. While the theory behind that testing is sound, the types of tests performed must evolve to minimize and mitigate the newer risks from cyber fraud.
In October 2018 the Securities and Exchange Commission (SEC) issued a report stating that inadequate prevention of cyber-related fraud may violate the internal accounting control provisions of the Exchange Act of 1934. The report was issued after the SEC concluded that in 2018 there were millions of dollars in lost revenue across all industry sectors as a direct result of cyber-related crimes. The main purpose of the report was to strongly remind companies of their control requirements and to encourage them to reassess their current internal control structure to see how it addresses cyber-related risks.
Moving forward with the idea of reassessing a company’s internal control structure in light of the increase in cyber fraud, here are some general ideas to consider when starting the assessment process:
Review email system controls:
● Flag as ‘external’ all emails received from third-party addresses.
● Set up blocks in the company’s email system for any common misspellings and similarities to the company’s domain name.
● Set up blocks in the company’s email system for addresses that pair a key employee’s name with a different email provider such as Gmail or Yahoo.
● Establish strong password requirements for email users and set up the system so employees must meet the criteria for the password to be accepted. Passwords should be changed on a mandated recurring basis.
● Encourage employees to use the same strict password criteria on any personal email account that may be connecting to the company’s network.
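As an added illustration of the email controls listed above (the external flag, the lookalike-domain block, the key-employee-name-at-webmail block, and the enforced password criteria), here is a small Python screening routine run over constructed inbound messages. It is not code from the original article: the company domain `examplecorp.com`, the key-employee names, the webmail provider list, the edit-distance threshold and the password thresholds are all assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the illustration: the company's own domain, the names of
# key employees that impersonators tend to borrow, and free webmail providers.
COMPANY_DOMAIN = "examplecorp.com"
KEY_EMPLOYEES = {"Jane Doe", "John Smith"}
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LOOKALIKE_MAX_DISTANCE = 2  # assumption; tune to the length of the real domain


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions ('crop' vs 'corp') each cost one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _normalize_domain(domain: str) -> str:
    """Collapse common visual substitutions so 'exarnple' and 'examp1e' compare equal."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("-", ""))


def lookalike_domain(domain: str, reference: str = COMPANY_DOMAIN) -> bool:
    """True for a near-miss of the company domain, never for the domain itself."""
    domain = domain.lower()
    if domain == reference:
        return False
    if _normalize_domain(domain) == _normalize_domain(reference):
        return True
    return edit_distance(domain, reference) <= LOOKALIKE_MAX_DISTANCE


def _name_tokens(text: str) -> frozenset:
    """'jane.doe.ceo' or 'Doe, Jane' -> {'jane', 'doe', ...} for order-free matching."""
    return frozenset(re.findall(r"[a-z]+", text.lower()))


KEY_NAME_TOKENS = [_name_tokens(name) for name in KEY_EMPLOYEES]


def screen(raw_message: str) -> dict:
    """Apply the three sender rules to one RFC 5322 message and decide an action."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    local_part, _, domain = address.rpartition("@")
    findings = []
    if domain != COMPANY_DOMAIN:
        findings.append("EXTERNAL")             # rule 1: tag third-party mail
    if lookalike_domain(domain):
        findings.append("LOOKALIKE_DOMAIN")     # rule 2: misspelled company domain
    if domain in FREE_MAIL_PROVIDERS:           # rule 3: key employee name + webmail
        for key in KEY_NAME_TOKENS:
            if key <= _name_tokens(display_name) or key <= _name_tokens(local_part):
                findings.append("KEY_EMPLOYEE_FREEMAIL")
                break
    if "LOOKALIKE_DOMAIN" in findings or "KEY_EMPLOYEE_FREEMAIL" in findings:
        action = "block"
    elif "EXTERNAL" in findings:
        action = "tag"  # deliver, but prefix the subject with an '[EXTERNAL]' marker
    else:
        action = "deliver"
    return {"from": address, "findings": findings, "action": action}


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Enforce the criteria at set-time: minimum length, three of four character
    classes, and no use of the company name (the thresholds are assumptions)."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    company_word = COMPANY_DOMAIN.split(".")[0]
    return (len(password) >= min_length and classes >= 3
            and company_word not in password.lower())


# Constructed sample messages (headers only; the rules never read the body).
SAMPLE_MESSAGES = [
    'From: "Pat Lee" <pat.lee@examplecorp.com>\nSubject: Q3 numbers\n\nbody',
    'From: "Vendor Billing" <ar@supplier-invoices.example>\nSubject: Invoice 1042\n\nbody',
    'From: "Accounts Payable" <ap@exarnplecorp.com>\nSubject: Updated bank details\n\nbody',
    'From: "Jane Doe" <jane.doe.ceo@gmail.com>\nSubject: Urgent wire\n\nbody',
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        result = screen(raw)
        print(f"{result['action']:8} {result['from']:40} {result['findings']}")
```

In practice these rules live in the mail gateway rather than in a script, but the logic is the same: the external tag is informational, while a lookalike domain or an executive's name on a webmail address is a hard block. The edit-distance threshold must be tuned to the company's real domain, since a short domain with a threshold of two would also match unrelated senders.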
Verify that external access points are secured:
● Implement virtual private network (VPN) technology for mobile laptop users to increase network security.
● Implement two-factor authentication (2FA) technology for access points including VPN and remote email access.
Educate employees:
● Start training employees on the importance of cybersecurity during the onboarding process.
● Emphasize that employees play a significant role both in mitigating risk and, through careless actions, in making the organization more vulnerable to threats.
● Conduct employee security awareness training quarterly so employees are reminded of the threats and risks of opening emails without checking the sender’s address.
● Provide written updates to employees regarding any changes in threats between regularly scheduled meetings.
● Provide targeted training to employees based on their role in the company.
● Stress how seriously the organization takes minimizing the risk created by employees’ actions.
Being proactive is a company’s best bet when managing cyber fraud risks. Reviewing the email system and external access points is a good place to begin an internal control review. Employees can be the biggest avenue for threats to enter a business, but with proper engagement they can function as a vital mitigating factor in minimizing cyber fraud in a company.