May 18, 2017
Cybersecurity Made Simple: Start With Your People and Processes
Posted by Jeremy Sucharski
The WannaCry ransomware outbreak that began on May 12th locked up at least 200,000 machines and wreaked havoc across the globe. While the U.S. fortunately escaped major impact from this particular cyberattack, many businesses and nonprofits are fearful that similar attacks could impact their operations soon.
Cybersecurity can seem overwhelming when you first start to consider it, but creating a data security program is much less complicated than you may think. In a nutshell, it’s about making fundamentally simple organizational changes in three areas―people, processes and technology―by assessing your risks, then defining and implementing controls to address them.
There is a widespread misconception about those three areas, however. Many businesses make the mistake of assuming that digital security is all about finding a technology solution, when in reality, your cybersecurity efforts should start with your processes and people. Implementing sophisticated technology is generally one of the last steps you should take. It can cost hundreds of thousands of dollars, and you may go down that path and find that it makes no sense for your business.
On the other hand, you can identify and address your people and process weaknesses―which is where most of your digital risks reside―and define cybersecurity controls for a relatively low level of investment. Here’s a simple overview of the steps to take.
Assess your risks
To assess your risk from a cyber perspective, you first need to choose an information security framework. This provides an objective measure that defines what you should be doing and allows you to compare that against what you are doing.
The frameworks we focus on are the International Organization for Standardization (ISO) 27000 standards and the National Institute of Standards and Technology (NIST) 800-53 standards. The two have a lot of overlap, and you can use whichever is best suited to your needs. ISO may be better for some global companies, for example, because it is an international standard, while NIST is widely used by U.S. businesses, because the SEC has pointed to it as their suggested framework.
Whichever you use, a framework is a great starting point to benchmark yourself. You can determine which parts of the standards apply to you, based on your organization, and see how your processes stack up against what you should have in place.
For example, let’s say you are a nonprofit organization and all of your data is in the cloud―you’re using Intacct for accounting, Blackbaud for fundraising, etc. Since you don’t have physical security risks around things like servers, you can basically ignore those areas of the framework. But on people-related issues―do you have a cybersecurity training program, how frequent is it, how often do you update your team on emerging threats, etc.―you may realize that you’re not doing anything, which elevates those risks.
Define your processes
After you’ve identified your risks, based on your framework, you need to define and implement controls. This can also seem overwhelming, but it’s really just about defining your processes.
If your risk assessment reveals that you have no program for people security, for example, you first have to consider what your processes will be, before you implement any controls. What is the best way to address the need for employee training? Do you build your own program, or do you outsource it? And what will the program look like?
You define what you want to do and how that process is going to operate. For instance, for step one of your program, you may take everyone through the training and benchmark the entire company. Then going forward, new hires will do the program as part of onboarding, and everyone in the company will retake the training once a year.
From there, the controls are simply the pieces of the process that are going to mitigate risk on an ongoing basis. An example would be testing everyone at the end of their security awareness training to make sure they absorbed the information. This produces auditable evidence, and someone independent of the process can review the results. If you have 100 people in the company, but the test shows that only 20% successfully learned the material, you know you need to go back and identify changes to improve the process so that people learn more. For example, an online self-service format may work better than the in-person classroom training you are currently using.
Keep evaluating your controls
Finally, it’s important to note that controls are not a one-and-done thing. You have to verify that they are working, and you should be continually evaluating, refining and improving your processes, based on your control feedback.
So how often should you review your controls? The frequency depends on the relative risk―you need to look at higher risk controls more often. But as a general rule of thumb, if you are not evaluating all of your controls at least once a year, you are not getting value for the time and money spent on your cybersecurity program. You’re doing all the implementation, all the building, and you’re not reaping the benefit from making sure your controls are actually protecting your organization.
Contact Armanino and our Cybersecurity Services team to learn more about building a cybersecurity program to protect your business.
December 16, 2015
Cybersecurity: How to Keep Your Data Safe in the Cloud
Posted by Armanino Financial Advisory Team
During the September EVOLUTION conference by Armanino, cybersecurity consultant and former White House cybersecurity advisor Rand Morimoto discussed the growing need to rethink how companies are defending against digital threats. According to research firm Gartner, 60% of business users will be running cloud-based office systems by 2020. As the cloud has become increasingly prevalent and beneficial for a more connected and mobile workforce, the security risks have changed significantly. Cybercriminals are becoming more sophisticated while the general population is neglecting simple security procedures like using different login credentials for various accounts.
The recent article Cybersecurity: Cloud Users Need to Re-examine Their Digital Defenses shares insights from Morimoto’s keynote address at Armanino’s EVOLUTION around evolving digital risks and how companies can defend themselves. Morimoto discusses why “single sign-on” can prevent data breaches and how to simply classify your business data for better security.
As Morimoto comments, “The cloud is going to improve our business if we adopt it…but on the flip side, we have to be able to maintain control and manage our information.”
July 22, 2015
Top 5 Cybersecurity Threats to Your Business
Posted by Sean Batchelor
Companies are currently investing more in measures to respond to inevitable cybersecurity attacks (monitoring, preventive policies, training and staffing) than in preventative infrastructure. According to a CEO at a financial technology company, “It’s a constant battle that won’t go away and we are now spending more to protect ourselves from when we are hacked than to try and keep from being hacked.” These are some of the top cybersecurity threats for business leaders.
- Social Media Hacking: The hacking of Facebook, Twitter, Instagram and other media outlets poses a threat to company image. Just this year, the Burger King Twitter account was hacked, and the account logo was changed to a McDonald’s sign. BK wasn’t the only company hacked; NBC, Jeep, and others had their image tarnished by the work of hackers.
- Governmental Agency Data Breaches: Agencies within the government sector saw major data breaches in 2012 & 2013. The significance of the breached data is not limited to governmental information. Since government databases house information on both public and private company financial and tax information, breaches of government databases affect all entities which share information with the government. Other security issues related to governmental breaches include exposed bank account numbers, usernames, passwords, and personal identities.
- Company Data Breaches: Perhaps the most damaging consequence of a data breach is the harm to the fragile customer-company relationship built on trust. Yahoo, Verizon, Google, Comcast, and other well-known companies have had confidential information leaked due to data breaches. The largest breach, from Yahoo!, saw over 400,000 user names and passwords exposed.
- Malware: Malicious software can be used to phish information such as account passwords & usernames, company financials, or bank account data. The rise in mobile malware has now increased the likelihood of phones being hacked six-fold over the risk of your PC or network being hacked. Android users especially should download the latest patch to keep their information protected.
- Inter-Company Server Mishaps: Company website hacking has created a need for IT personnel specializing in the field of protective services. Companies are obligated to keep customer data safe and have a seamlessly running website.
November 13, 2019
Professional Services Firms: 8 Accounting Pain Points You Must Avoid
Posted by Armanino Financial Advisory Team
Professional services firms provide their clients with the convenience of outsourced workflows and the clarity of expert insights. So it’s somewhat ironic that the internal operations at many firms are anything but efficient and insightful. Too often, organizations that excel at what they do for others struggle to do the same for themselves, particularly when it comes to finance and accounting.
This is, in part, a consequence of ambition. Firms that are eager to hit the ground running set up rudimentary accounting processes to start – the kind of introductory system that all new businesses need. However, as they grow, the same methods that once seemed adequate quickly become an obstacle at best and a liability at worst.
Most troubling, firms may be suffering from bad accounting without realizing the full extent of the problem. It’s easy to commit to the status quo, especially when it’s been in place since day one. Without another example for comparison, finance teams can start to accept that inefficiency, uncertainty and lack of functionality are par for the course. But they’re not, especially at the most successful firms.
Resolving these issues starts by acknowledging where and why they exist. Watch out for these common (but preventable) professional services accounting pain points that could be holding your firm back:
- Lack of automation – Ubiquitous accounting tools like Excel lack sophisticated automation, forcing the accounting team to invest significant amounts of time and resources into data-heavy workflows like reporting and consolidations.
- Underwhelming accounting software – A product like QuickBooks is fine for small firms just starting out, but the software’s linear configuration doesn’t allow for the dimensional, detailed accounting that established firms need to sustain their growth.
- Overwhelming manual inputs – Manipulating data by hand wastes time and creates the risk of human errors, which both contribute to the problem of missed deadlines and untrustworthy insights leading to disorganized decision making.
- Unmanageable data – Growing firms want and need to leverage ever-expanding amounts of data, yet turning that data into value proves challenging when accounting tools can’t scale and do little to expedite data management.
- Inconsistent cybersecurity – Service providers who work closely with clients’ data must make an intense effort to secure that data, but keeping it in outdated or underwhelming systems creates more risks than it resolves.
- Liability from BYOD – Smart devices that are widely considered to be essential for work also raise concerns about cybersecurity and regulatory compliance, meaning that a critical tool is also a constant source of risk.
- Ongoing integration issues – Legacy accounting systems can be difficult (or impossible) to integrate with new technologies firms introduce, creating a problematic gap between the firm’s finances and the rest of their operation.
- Unreliable compliance management – Compliance is becoming more complex and costly all the time, and those changes are difficult to keep up with using older systems that are not built to be agile or in-depth.
By recognizing and addressing these professional services accounting pain points, you can help ensure that your firm has the finance infrastructure it needs for its long-term success.
If these challenges sound familiar, Armanino can help. We offer a comprehensive solution including outsourced accounting workflows, expert advisory services and best-in-class software. Contact us to discuss how we can work with you to address your own pain points.
June 21, 2019
Operational Planning for Startups: What You Need to Do Now
Posted by Jenn McCabe
Operational Planning – For your business to grow, it needs to run efficiently. You also need to avoid regulatory and legal pitfalls in murky areas such as overtime (and there are lots).
An accounting system is central to your operations and success. And as workflow is established, there are peripheral and critical workflows you need to integrate right away.
There are just too many options out there. Here’s what to focus on.
- You need accounting/enterprise resource planning (ERP) software. It’s central to your operations and allows you to track accounts receivable, accounts payable, general ledger, billing and other crucial data efficiently and accurately.
- You also need something for file protection and storage that scales, is easy to search, and can allow varying levels of security access. You don’t want all your staff to have access to all your stuff.
- Take a look at a project management/resource planning tool. This is a program that helps map out where you’ll put bodies, and when work assignments will require you to get more bodies.
- A customer relationship management (CRM) system is key if you have a lot of business development going on, you have staff in multiple locations, or you are trying to stay organized and manage prospective clients and contacts.
- You need a payroll service and platform. Doing your own payroll by hand or with inside accounting software that “makes it easy” is a Black Diamond skill level, and it’s prohibitively expensive if you mess it up. Time tracking tools work for payroll and/or for job profitability management. But select the right payroll platform and service early on. If you don’t plan well, people will have to enter time in two systems, and that makes them angry.
- Invoicing tools can be created in the accounting system directly, inside the CRM, or within the project management system. Of course, you also have to have client billing in the accounting software, so mapping is key or you’ll end up entering everything twice. That’s annoying.
Your different tools must work together, or you’ll be stuck manually transferring data. Build a roadmap for a technology stack before implementing disconnected technologies that don’t talk to each other.
How are you going to bill your clients?
This is the big number on your income statement. There are numerous technological, cash flow and tax ramifications to the decisions made for this workflow. You’ll save yourself hassles and money by setting it up right at inception.
- Start with excellent contracts with your clients and excellent sales agreements (see the legal section below). If you’re a retailer, make sure clients know exactly what they are getting and what they won’t get unless they pay for it.
- Do you also need to bill sales tax? Excise tax? Find out before you sell a single item! This is an expensive mistake and now extends beyond the state in which your company functions. If you use e-commerce, before you sell anything, it’s critical that you understand what your obligations are in each jurisdiction that you sell into.
- Set up your technology stack so that your selling process leads smoothly into billing and collecting. It makes no sense to sell something and never invoice correctly for it.
People: Can’t live with ‘em and can’t live without ‘em.
- As mentioned earlier, you need a payroll service and platform. Mistakes will cost you (and don’t even think of paying someone under the table). Do it right, and know the rules on things like employee classification (around here we call “freelancer” the F-word…)
- Once you’ve got one employee, you need workers’ compensation insurance (see below).
- The minute you have two employees or more, you need a basic handbook with some simple and clear policies regarding fringe benefits, holidays and paid time off.
Being an employer is risky business. Avoid trouble — get advice from a labor attorney or a certified HR professional.
Don’t groan or shirk here. Someday, you’ll be happy you have it.
- You must have workers’ comp coverage, as per the above. Note that most states will also insist you have it for any contractors who can’t prove they have their own coverage.
- You need general liability coverage, known as “trip and fall” in some circles. This protects you in the most basic way from claims made by persons who say they were damaged or hurt in connection with your business.
- Cyber insurance covers you in the event your data is breached. This can be crucial if you keep customer data on file.
- Errors and omissions insurance covers all kinds of sins. It’s a customized policy that addresses your specific industry risks. There are subsets of E&O that may be necessary, too, such as directors and officers coverage.
- Umbrella policies bump the amount of coverage on underlying policies in an affordable way. This is a good strategy for avoiding a catastrophic claim, or simply for getting more coverage on top of all your other policies.
This is not a comprehensive list! So find a high-touch broker who knows your industry. Ask them to review your client contracts and the way you work so they can recommend the right coverage.
They’re a necessary evil (apologies to all our attorney pals). If you’ve got partners, clients or employees, you’ll need to document your relationships. Legal documents help prescribe the way the company owners will relate to each other, and what the company will do for clients (and won’t do). This comes in very handy when it’s time to break up…
Find a lawyer who knows your industry. Use specialists when you need them.
- Corporate attorneys are invaluable when setting up operating agreements and determining how you’ll govern your entity.
- There’s nothing like a real estate attorney when you’re signing a scary lease commitment and you need options.
- A labor attorney is good to have on speed dial, especially if you don’t have HR staff or a qualified HR consultant. Labor work is an extreme sport in some states!
By planning now, you can keep yourself out of trouble and set your company up for success.
Need some help? Contact our Outsourced Finance and Accounting experts.
June 4, 2019
The Storm You Can’t Ignore in Planning for CCPA Compliance
Posted by Pippa Akem
A Quick Glance at Recent Privacy Regulations
Companies are taking notice of the bevy of new regulations that establish new privacy obligations and grant consumers greater insight into and control over personal information that is collected on them and who can access it.
First was the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018 and monumentally changed how companies process and share the personal data of EU consumers and profile their online activity. In the same year, California enacted the California Consumer Privacy Act (CCPA), which gives additional privacy rights to California residents and impacts businesses serving or providing services to them and accessing their personal information.
Below is an analysis of the CCPA statutory fines and their implications for businesses.
Entities Within the Scope of the CCPA
The CCPA goes into effect on January 1, 2020. Entities must comply with the new law if they:
- Are for-profit;
- Have annual gross revenue exceeding $25 million;
- Annually receive/buy/sell/share the personal information of 50,000 or more California consumers, households, or devices; or
- Derive 50% or more revenue from the sale of personal information sourced from California consumers.
What Fines and Penalties Could Mean for Your Business
Much has been written and said about the set of new rights the CCPA triggers for California consumers, among them rights to access, delete and opt out of the sale of their personal information. Setting this aside, one could make a case that information security presents an even greater risk exposure.
Why? Because it can potentially lead to substantial statutory fines and penalties for breaches or noncompliance that results in measured loss to a California consumer. An entity could find itself dealing with legal costs and fines from a private action brought by an aggrieved consumer, and also a proceeding initiated by the state attorney general.
Unintentional Fines: Consumer Action
For the first time, a private right of action can be maintained by a consumer if companies fail to implement more robust data-handling practices for data that should be encrypted or redacted, but isn’t (e.g. unauthorized access to unencrypted personal information, or theft or disclosure due to lack of effective access controls). A company unable to manage these risks — to implement and maintain reasonable security procedures and practices — could find themselves subject to penalties of $100 to $750 per consumer per offense (violation), plus additional actual damages, and injunctive relief could follow.
30-Day Cure Period
The new law allows for a 30-day cure period following a complaint filed with the state attorney general, the details of which are covered in the statute. Keep in mind that the grace period applies only to a consumer seeking statutory damages. Thus, following the filing of the complaint with the state attorney general, a company must address/cure the issues identified in the complaint to stall further action by the consumer or state attorney general. However, it is worth noting that the law allows a consumer to recover for actual damages, bypassing the written notice process.
Intentional Fines – State Attorney General Action
In addition to the private consumer action, the state attorney general may impose fines up to $7,500 per intentional violation.
Key Points to Consider
Keep the following issues in mind when you consider the CCPA’s implications for your organization.
Worrying Point #1: For the purposes of calculating the CCPA levies, there is still no clear guidance on how to interpret “per violation.” Should “per violation” refer to a single breach incident, or to each of a series of occurrences forming part of a single reported privacy incident?
Worrying Point #2: Companies could potentially face extremely high penalties per offense (violation) under the separate actions pursued by a consumer and the state attorney general. This should also be measured against the number of people impacted.
Worrying Point #3: Also related to the violation issue is the fact that companies must contend with ambiguity in defining what “reasonable” security is or should mean when evaluating procedures and practices. Some guidance is given outside the statute (industry frameworks – e.g. NIST, ISO 27001 series) and the state attorney general has endorsed some security frameworks (see the 2014 Cybersecurity in the Golden State report).
Roadmap to Compliance
Begin your compliance efforts by documenting the data that lives in your environment. Know the data your company collects, uses, discloses or shares with third parties and sells to/buys from third parties.
Next, make sure you complete a full review of your business processes and data strategies. You will need to maintain the accuracy of your privacy policies and notices, test the current mechanism or solution in place to respond to consumer requests/complaints, embed privacy into your day-to-day operations, update your training and awareness initiatives, and watch for emerging risks.
If you are struggling or doubtful about your controls and require support for managing your privacy risks, Armanino’s Risk Assurance & Advisory team can help. We offer a full range of services, including gap assessments and process development, program enhancement, privacy risk management, technology solutions, and ongoing managed services support.
For more information on Armanino’s data privacy solutions visit Risk Assurance & Advisory Privacy Services.
September 19, 2016
EVOLUTION 2016 – Growth Through Innovation: Register to Attend
Posted by Armanino Financial Advisory Team
Back for the second year on November 10, Armanino will host EVOLUTION 2016, a free, one-day event for business leaders that offers education and networking around today’s leading business practices, as well as the opportunity to earn continuing education (CE) credits. Here is everything you need to know about this must-attend conference.
This year we’re focusing on growth through innovation. The conference is dedicated to providing education, best practices and real world examples of the most innovative ways finance leaders are adding value to their companies.
Attendees can choose to attend sessions from three main tracks: People, Expansion and Analytics. The tracks are described below.
People: Attendees will discover how to attract and retain top talent with the right skill sets, diversity and impact to support their organizations now and into the future. Sessions include:
- Building the Team of the Future
- Women’s Leadership Panel: Recruitment, Retention & Promotion
- Top 10 Pitfalls to Avoid as a Finance Leader
Expansion: Attendees will identify how to build the right infrastructure to impact and support growth as their companies grow by market, by geography and by new product lines. Sessions include:
- Local, State & International Expansion Considerations
- Investing in Growth: Expansion, M&A and IPO Best Practices
- Preparing for Growth: Cybersecurity & IT Controls
Analytics: Businesses are investing more in top technologies to maintain a competitive edge in the market. Attendees will have the opportunity to examine resources to enable smarter, data-driven decision making. Sessions include:
- Roadmap for 2017: Insights for Strategic Planning
- Analyzing Year-End Compliance Needs
- Budgeting, Planning & Rolling Forecasts: Financial Revolution
Introducing The Technology Experience Hub
In addition to our sessions and new this year, the Technology Experience Hub will be open for the duration of the event. Attendees can visit the Tech Hub to enjoy a one-on-one learning environment about the latest technologies driving the finance industry. You can hone your personal tech skills through tips and tricks, ask the experts for technical advice, request a demo or key in on the technology solutions important to your specific business needs. Uncover details on solutions such as:
- Adaptive Insights
- Microsoft Dynamics GP, AX and CRM
- Power BI
At last year’s event, we had some of the biggest thought leaders in the industry on stage sharing their experiences and insights. This year is no different, as we’re bringing you top speakers with innovative business ideas.
We are excited to have futurist Rebecca Ryan as our keynote. Rebecca is one of America’s most influential thought leaders, helping cities and companies think around the corner to what’s next. She has been named a “Top 100 Most Influential People” by Accounting Today, “Communicator of the Year” by Women in Communication, “Woman of Influence” by Business Journal of Greater Milwaukee and “Entrepreneur of the Year” by the U.S. Association for Small Business and Entrepreneurship. She will take attendees on a journey into the future of business, look ahead at what’s next and suggest ideas for growth.
We’ll also be featuring some of Armanino’s own experts including Matt Armanino, Theresa Brown, Chris Siegfried, Yunna Weinzerl, Jeremy Sucharski, Dean Quiambao, Lori Colvin and more.
EVOLUTION 2016 will take place on November 10th at the Hyatt Regency San Francisco. See you there!
If you have questions about the event, contact Callie Baumgartner, Events Coordinator, at Callie.Baumgartner@armaninoLLP.com.
July 30, 2015
EVOLUTION Conference Early Bird Deadline TOMORROW!
Posted by Armanino Financial Advisory Team
In the past, Armanino has hosted user days and our Technology Forum focused on solution-specific updates. This year our team has revamped those events into the much-expanded, robust EVOLUTION conference. The conference is dedicated to showcasing superior professional development alongside technology tips, tricks, and updates.
Early bird discount pricing ends this week on July 31st, so be sure to register soon to secure the best option.
EVOLUTION’s educational tracks include Financial Planning & Analysis (FP&A), Enterprise Resource Planning (ERP), IPO Readiness, Cloud & Data Security, Technology Toolkit, and a Solution Showcase. Sessions will span high-level views on the Realities of Migrating from On-Premise to the Cloud, insights into SEC Filing Hot Buttons & Gotchas: Tax, Audit, & Stock Options, and best practices in Rolling Forecasts – Evolve Beyond Annual Budgets. We have also maintained the solution-specific tips, tricks, and updates from past conferences.
The keynote address will be presented by Rand Morimoto, former White House cybersecurity advisor and best-selling author, discussing cybersecurity insights for businesses. Other featured speakers include Peter Bardwick, CFO of Nitro, Thomas Peff, Finance Director for Adaptive Insights, and numerous industry panelists.
Additionally, both California CE and business certifications will be available for conference attendees. Armanino has partnered with Saint Mary’s College of California School of Economics and Business Administration to deliver business certifications for the ERP, IPO Readiness, and FP&A tracks.
Learn more and register today to secure your spot at the EVOLUTION conference – early bird pricing ends this week on July 31st!