Strengthening Financial Controls for Remote Workers

9 Ways to Strengthen Financial Controls in a Remote Work Environment

Employing remote workers presents additional challenges related to financial controls.

Managers and employees may not believe they are at risk, but studies by the Association of Certified Fraud Examiners show that companies with fewer than 100 employees are more likely to lose money to fraud.

Business owners need to demonstrate the importance of improving financial security and minimising risk. Here are measures to take.

1. Clear Policies and Procedures

The starting point is to develop comprehensive policies and processes for financial transactions, expense reimbursements and approvals. Each business is different, but these policies may:

  • Eliminate or minimise the need for in-person interaction, which is obviously a challenge for remote workers
  • Require proper documentation and validation of expenses incurred by remote workers, like submitting invoices and confirmation of payments made
  • Provide banks with a list of payees so that payments to a recipient NOT on the list require additional approval
  • Limit the number of authorised signers and lower their approval thresholds, especially where there may be reduced oversight of remote workers.

2. Virtual Training, Education and Teamwork

A heightened risk involving remote workers occurs when a “bad actor” sends an email that appears to come from a senior employee, requesting that a payment be processed and giving a false justification. Remote employees are more prone to these scams, partly because there is no easy way to ‘gut check’ these situations. To reduce risk:

  • Train remote workers on financial controls, fraud prevention, and cybersecurity
  • Provide access to a contact person for questions or concerns regarding financial matters
  • Consider additional rules, such as requiring remote employees to phone the person who made a payment request to confirm it, and/or limiting the number of people who can process payments.

3. Use of Secure Technology

Pay particular attention to the technology used by remote workers, for example:

  • Update spam filters, firewalls and security applications that protect against malware
  • Utilise secure and encrypted software for financial transactions, online banking, and data storage
  • Require a unique login AND multi-factor authentication (MFA) for any portal or system that allows employees to approve or process payments
  • Ensure digital payments create an audit trail: Who approved which payments and when?
  • Consider email encryption for sensitive information such as sales or financial data so only the intended recipient can see the message and attachments
  • Implement a data backup and recovery plan to safeguard financial data in case of a system crash or cybersecurity incident.

4. Segregation of Duties

Implement checks and balances by separating responsibilities among different remote workers. For example, a person handling financial transactions should not also approve them.

5. Limit Access to Financial Systems

Grant remote workers access to financial systems and data only where absolutely required and regularly review and update access permissions as responsibilities change. Create roles with various permission levels in systems, then build supporting workflows to manage the necessary approvals.

6. Revise Processes Frequently When There is High Employee Turnover

High employee turnover usually means a change in responsibilities that could impair or break a key control. Pay close attention if the business has eliminated positions, because disgruntled former employees may be more likely to commit fraud or otherwise harm your business.

7. Mandatory Reporting

Encourage remote workers to report any suspicious activities they come across, providing an anonymous reporting mechanism if needed.

8. Conduct Background Checks

Perform thorough background checks during the hiring process to verify the credentials and integrity of remote workers.

9. Make Adherence to Financial Controls Part of Performance Reviews

Build financial responsibility and compliance into the culture by making it a part of remote workers’ performance evaluations.

Financial controls are not new in business… but increased remote work presents new challenges. Assess the risk in your business and take decisive measures to improve financial security.

Need bookkeeping or payroll help for your business?

Notch Above Bookkeeping are Certified Xero bookkeepers offering agreed-price monthly fees so you know exactly where you stand. No hidden extras and no ticking clock. Browse our range of Xero payroll services and get in touch on 1300 015 130 to discuss the plan which best suits the needs of your business.

QR Quishing Scams

Banks warn of Christmas QR code scams

Financial institutions and consumer advocates are sounding the alarm on the surge of Christmas-related scams, cautioning that criminals are employing a novel tactic by exploiting COVID-era QR codes to pilfer personal information.

What is Quishing?

Quishing is a form of phishing attack that uses QR codes instead of text-based links in emails, digital platforms or on physical items. Quishing is a social engineering technique used by scammers and cybercriminals to trick you into providing personal information or downloading malware onto your device — cyber.gov.au

A recent Westpac report highlighted that over half of reported scams related to purchases and sales in November and December last year. They emphasised that scammers often capitalise on the increased spending and potential distractions during the holiday season.

To illustrate the heightened risk, Westpac experienced a 5 per cent uptick in fraud-related calls following the facilitation of over 31 million point-of-sale transactions during the recent Black Friday and Cyber Monday sales.

Westpac’s research uncovered that 38 per cent of Australians fell victim to scams originating from fake websites, online retailers and marketplaces.

QR codes, once considered outdated by 2019, regained popularity during the COVID-19 pandemic due to the demand for contactless services. However, the Federal Trade Commission (FTC) in the United States has cautioned that scammers are now concealing harmful links in QR codes found at locations such as parking meters, cafes and bars.

The FTC outlined various deceptive tactics employed by scammers, including false claims of undelivered packages, account issues and fraudulent activities requiring immediate password changes. Young stressed the importance of verifying payment details before transferring funds and warned against clicking on links in SMS or email communications.

In the aftermath of clicking on deceptive links, individuals risk having their information stolen or malware installed on their devices.

Westpac identified several other prevalent Christmas scams, including enticing individuals to fake websites through social media advertisements, exploiting parcel-related anxieties with fake updates via SMS or email, and promoting seemingly lucrative fake investments.

Westpac also highlighted that investment scams pose a significant challenge, constituting half of all reported losses. These scams often promise substantial returns and involve scammers investing considerable time in grooming victims, making them difficult to identify.

In Australia, reported losses to Scamwatch on social media platforms have surged to over $66 million in 2023, marking a 40 per cent increase from the previous year. Consumer group Choice, along with 20 other organisations globally, is urging governments to mandate social media and technology companies to implement measures protecting consumers from scams.

Choice criticised tech giants such as Facebook, Instagram and Google for their failure to prevent scammers from exploiting their platforms, arguing that these companies possess the resources and technology to enhance consumer protection but are reluctant to do so without legal requirements.

The Notch Above Bookkeeping Team would like to wish you and your family a wonderful festive season and a prosperous 2024. This year we’re taking a break over Christmas / New Year and will be closed from 2PM on Friday 22 December, reopening on Monday 8 January 2024.

Source: cyber.gov.au

7 Ways Businesses can avoid Cyber Fraud

What is cyber fraud?

In a world of digital financial networks and online commerce, the risks of cyber fraud are greatly increased.

Cyber fraud is criminal activity that either targets or uses a computer, a computer network or a networked device. Usually cybercriminals or hackers set out to make money… but some have political or personal motivations.

Businesses face increased financial risk as criminals get more sophisticated. Often criminals target the finance team, especially the accounts payable function which influences critical payment processes.

What can businesses do to protect themselves against this financial fraud? Here are some guidelines.

1. Consider this a people and process challenge, not an IT challenge

It’s important to acknowledge that humans are generally the weakest point in any process (NOT Information Technology). For example, a firewall which is not monitored has no value. And antivirus software alone can’t prevent infection.

2. Update authentication and review processes

Robust payment processes help team members act wisely and consistently. An example is setting rules on how payments are approved to prevent unauthorized, fraudulent payments as well as mistakes. This may involve designating an ‘approver’ for certain types of transactions AND requiring them to follow a validation process. For example, perhaps they should match an invoice with a purchase order. Or – even safer – perhaps they should match the invoice and purchase order with the received goods or services.

3. Review password policies

Longer, complex passwords increase security, but they can also lead to password reuse and to people writing passwords down and storing them in vulnerable places. The best policies mandate complex passwords AND the use of a reputable password manager that stores passwords encrypted. Multi-factor authentication should also be used for all applications, including email.

4. Spam filters and anti-virus software

These tools have an important role but, remember, they cannot protect against insider scams or social engineering scams.

5. Segregation of Duties

Segregation of duties means that no single employee can control multiple stages of any accounting process such as reconciliation, custody of assets, authorisation and record-keeping or bookkeeping. Acknowledge that EVEN long-term, trusted employees can be perpetrators of fraud.

6. Create awareness of social engineering scams

A common example of fraud involves criminals impersonating trusted parties to create fraudulent payments. For example, a Finance Director may be impersonated to request certain actions, like initiating a payment or altering banking information. Some of these scams lack credibility… but their prevalence shows that they work in a disturbingly high number of cases.

7. Develop a counter-fraud culture

You cannot completely eliminate human error (or criminal behaviour) but raising the profile of the conversation and providing continuing education is a start. Management buy-in will help cyber fraud get the attention it requires. Keep in mind that the absence of fraud doesn’t mean it isn’t happening… because there is usually a lag between fraudulent actions and the impact of those actions. Ideally, the culture should inspire people to report suspicious incidents. There should be a commitment to ongoing fraud awareness, social engineering training, and implementing proper policies and procedures.

Notch Above Bookkeeping are Xero business bookkeepers and Certified Xero Platinum Partners Australia-wide, specialising in cloud bookkeeping setup, training and ongoing support. Contact us on 1300 015 130.

QLD Digital Solutions Program

Helping Small Businesses take the Digital Leap

In today’s rapidly evolving digital landscape, it is crucial for businesses of all sizes to adapt to stay competitive.

Get up to four hours of mentoring support, including the development of a tailored Digital Action Plan for your business, for just $110 inc. GST, subsidised through the Digital Solutions program to receive one-on-one support in up to five key areas:

  1. Intro to Digitising Your Business
  2. Using Small Business Software
  3. Online Security and Data Privacy
  4. Websites and Selling Online
  5. Social Media and Digital Marketing

Cybersecurity strategy — patching operating systems

Why it’s risky to delay system updates

Imagine coming home from a long day at work to find that the lock on your front door is broken.

Your house is now vulnerable to intruders, and you have a choice to make: do you ignore the issue and hope for the best, remind yourself to fix it later, or get it fixed right away?

Most of us would choose to get it fixed immediately, as leaving it broken could lead to serious consequences. The same principle applies to your device’s operating system. It is responsible for managing your apps, software, and hardware and it is crucial that you keep it up to date and secure.

In a previous blog post, we discussed the importance of patching apps downloaded to your device. However, it’s equally important to patch your operating system. Cybercriminals are constantly searching for vulnerabilities in outdated systems and can create malware to exploit them within 48 hours. By neglecting to update your operating system, you not only put your own information at risk but also that of your clients.

To ensure that your systems remain secure, here are three ways to keep them updated:

  1. Turn on automatic updates: This takes the stress out of manually updating your systems and ensures that the patch is applied as soon as it becomes available.
  2. Replace unsupported software: If your operating system is no longer being updated by the vendor, your data is more vulnerable to a cyber attack. It’s important to replace unsupported software with a more secure option.
  3. Apply vulnerability scanning software: This can help identify holes in your system that need patching, making it easier to stay on top of updates and keep your systems secure.

By implementing these strategies alongside the previous strategies we’ve shared, you can keep your systems secure and protected from cybercriminals who are constantly looking for ways to exploit unsecured doors. Remember, just like fixing a broken lock, updating your operating system is a small but critical step in keeping your digital environment secure.

Cybersafety and configuring macro settings

Macros can be useful for streamlining day-to-day tasks…

But they can pose a security risk if they are not properly maintained.

The Australian Cyber Security Centre (ACSC) has observed an increase in attempts to compromise businesses by embedding malware in macros.

Microsoft Office macros are created by recording a series of commands, such as mouse clicks and keystrokes, to create a shortcut for repetitive tasks.

Malicious macros can be shared by cybercriminals and, if used, may grant unauthorised access to devices.

To minimise risks, it is recommended to ask three questions before using a macro:

  1. Is there a business requirement for the macro?
  2. Has the macro been developed or provided by a trusted party?
  3. Has it been validated by a trustworthy and technically skilled party?

To further safeguard your business systems and customer data, it is important to disable macros for users who do not require them — only enable macros from trusted locations, and only enable digitally signed macros created by trusted individuals on a case-by-case basis.
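As an added example (not code from the ATO article or from Notch Above), the following read-only PowerShell audit reports each Office application's macro setting and its trusted locations against the advice above, so an administrator can see which users still have macros enabled without a business case. It assumes Office 2016/2019/Microsoft 365, which store these settings under the "16.0" registry path, and uses Microsoft's documented VBAWarnings values; it changes nothing.

```powershell
# Added example (not from the ATO article): read-only audit of Office macro settings for
# the current user, reported against the article's advice (macros disabled, or allowed only
# when digitally signed / from a trusted location). Assumes Office 2016/2019/Microsoft 365,
# which keep settings under the "16.0" registry path; change $OfficeVersion otherwise.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings registry value (Microsoft's documented mapping)
$VbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable with notification (user can click to enable)'
    3 = 'Disable except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$App)
    # A Group Policy value overrides the per-user preference, so check it first
    $keys = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security",
            "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ App = $App; Source = $key; VBAWarnings = [int]$item.VBAWarnings }
        }
    }
    # No stored value means Office's default: disable with notification
    [pscustomobject]@{ App = $App; Source = 'Office default'; VBAWarnings = 2 }
}

function Get-TrustedLocations {
    param([string]$App)
    # Each subkey (Location0, Location1, ...) is a folder whose macros run without prompting
    $base = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security\Trusted Locations"
    if (-not (Test-Path -Path $base)) { return }
    Get-ChildItem -Path $base | ForEach-Object {
        $loc = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ App = $App; Path = $loc.Path; AllowSubfolders = [bool]$loc.AllowSubfolders }
    }
}

foreach ($app in $Apps) {
    $setting = Get-MacroSetting -App $app
    # Values 3 and 4 match the article's advice; 1 and 2 need a documented business requirement
    $verdict = if ($setting.VBAWarnings -ge 3) { 'OK' } else { 'REVIEW' }
    '{0,-10} VBAWarnings={1}  {2}  [{3}]  ({4})' -f $app, $setting.VBAWarnings,
        $VbaMeaning[$setting.VBAWarnings], $verdict, $setting.Source
    Get-TrustedLocations -App $app | ForEach-Object {
        # Every trusted location is a folder from which macros run unprompted; review each one
        '           trusted location: {0} (subfolders: {1})' -f $_.Path, $_.AllowSubfolders
    }
}
```

Run it in the user's own session (the values live under HKCU); a "REVIEW" line for a user with no macro requirement is the case the article says to close off.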

Source: ATO

Cybersafety strategy for user application hardening

9 steps to hardening your apps and operating system

Protecting your operating system from cyber-attacks involves hardening it and testing its security.

As the backbone of a device, the operating system manages apps, hardware and software to ensure the proper functioning of the device.

One way to harden the operating system and its apps is to add layers of security that make it harder for cybercriminals to breach the system. This can be achieved by following these steps:

  1. Installing all software updates: Using outdated software versions can make the system vulnerable to cyber-attacks
  2. Using a standard operating environment: All computers should run on the same software to reduce the setup changes that users can make to their own computers
  3. Controlling the types of apps that are installed and used in the operating system
  4. Reviewing the apps and functions enabled on the system to ensure that they are all necessary and removing any that are no longer used or required
  5. Managing who can make system changes like installing or uninstalling software
  6. Using software firewalls to limit inbound and outbound network connections to approved apps and services
  7. Having anti-virus software in place
  8. Considering the need for software that can prevent particular devices from being connected to workstations and servers
  9. Logging and storing actions or occurrences that can be recognised by the device’s software, such as an app being updated.

By implementing these extra steps, users can harden their operating system and apps, making it more difficult for cybercriminals to exploit vulnerabilities and launch attacks.

Source: ATO

CSIRO aids SMEs in advancing cybersecurity and digital tech R&D

CSIRO program to help SMEs advance cybersecurity and digital technology R&D

The CSIRO is helping small to medium enterprises (SMEs) enhance their research and development (R&D) knowledge with a free 10-week online program focused on cybersecurity and digital technologies.

Eligible companies can be working directly in cybersecurity, digital technologies or adjacent industries and want to improve the cybersecurity and digital technologies aspect of their offering.

The CSIRO’s Innovate to Grow: Cyber Security and Digital Technologies program commences 8 June 2023 and is available for 20-25 SMEs.

Expressions of interest to participate close 15 May.

Source: CSIRO

ATO: Make cyber security a priority for 2023

It’s critical to safeguard your business and client information from cyber incidents.

Recent cyber attacks have shown how important it is to have robust cyber security practices in place to protect both your business and customer information.

Business owners hold the keys to their customers’ lives on their devices and are responsible for keeping that information safe from cybercriminals.

Application control

Put simply, application control involves you putting together a list of computer apps and/or downloadable programs that are ‘authorised’ as being legitimate and safe to use. You then add these authorised apps to your computer’s application control feature. This feature acts as your computer’s security guard, ensuring that only the approved list of apps can be downloaded and used on your computer.

Doing this can minimise the risk of malicious code (also known as malware) being downloaded onto your systems, which can then disrupt, damage, or even gain unauthorised access to your computer systems.

It’s important that you regularly review the list of approved apps and remove any you no longer need. It’s also crucial that you test the application control to make sure it works. Simply try and download an app that isn’t on your authorised list and make sure your system blocks the download.
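As an added example (not from the ATO article), the PowerShell below carries out the article's procedure with Windows AppLocker, one implementation of the "application control feature": it builds an allow-list from the programs already installed, then tests the policy against a file that is not on the list to confirm it would be blocked. It assumes a Windows edition that ships the AppLocker cmdlets, an elevated session, and the placeholder folders and file names marked in the comments; the generated XML should be reviewed before it is deployed.

```powershell
# Added example (not from the ATO article): build an application allow-list with Windows
# AppLocker from the programs already installed, then test it against a file that is NOT on
# the list, as the article recommends. Assumes a Windows edition with the AppLocker cmdlets,
# an elevated session, and the placeholder paths below; review the XML before deploying it.

$PolicyFile   = Join-Path -Path $env:TEMP -ChildPath 'applocker-allowlist.xml'   # assumed output path
$ApprovedDirs = 'C:\Program Files', 'C:\Program Files (x86)'                     # assumed approved folders
$Downloads    = Join-Path -Path $env:USERPROFILE -ChildPath 'Downloads'

# 1. Collect publisher and hash information for every executable in the approved folders
$approved = foreach ($dir in $ApprovedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate allow rules: publisher rules for signed files, hash rules for the rest.
#    -Optimize merges rules that share a publisher; -Xml emits the policy as text.
New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyFile -Encoding utf8

# 3. The article's test: an executable outside the approved folders must be denied
$unlisted = Join-Path -Path $Downloads -ChildPath 'unapproved.exe'   # placeholder name for an unlisted download
if (Test-Path -Path $unlisted) {
    $result = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $unlisted -User Everyone
    '{0}: {1} (rule: {2})' -f $result.FilePath, $result.PolicyDecision, $result.MatchingRule
    # Denied or DeniedByDefaultRule means the allow-list works; Allowed means a rule is too broad
}

# 4. Before enforcing, list every executable in Downloads that the policy would block
Get-ChildItem -Path $Downloads -Filter '*.exe' |
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone -Filter Denied, DeniedByDefaultRule |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Repeating step 4 against the folders users actually run software from is the periodic review the article asks for: anything listed is either an app to add to the approved list or one that should stay blocked.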

Source: ATO