The importance of controls – Digital risks

Amyot Gélinas, SEO expert for the digital industry, specializing in content optimization and SEO to improve online visibility.

The importance of implementing controls in the face of digital risks is paramount. Cyber-attacks and economic crimes don’t just happen to other people… they’re increasingly present and frequent. In 2022, according to the Canadian Anti-Fraud Centre’s annual report, reported financial losses amounted to $530.4 million, compared with $383 million in 2021[1].

The question is no longer whether it will happen to us, but when. These attacks can be carried out in bulk, in an attempt to phish a few people or companies out of many. Who hasn’t received a text message from a bank, the government or some other entity offering an unsolicited refund? An attack can also be targeted and personalized.

The means available to criminals are increasingly numerous and sophisticated. Your organization needs to ensure that it has the right security in place, with the right controls and reflexes. Here are a few real-life examples to equip you better.

Changing a supplier’s bank details

Have you received an e-mail from your supplier asking you to change the bank account number for your next online payment?

Contact the supplier directly by phone, using the contact information already in your system and not the one in the e-mail, to confirm that the request is genuine. Failure to do so could result in funds being sent to fraudsters rather than to your legitimate supplier.

Bank reconciliation, a control of choice

Bank reconciliation remains an important control for comparing the transactions in the accounting books against those on the bank statement. Many of our customers have identified, through this exercise, transactions that their organization had never carried out. It’s important to keep reconciliations up to date in order to detect fraud in good time, and to contact your financial institution as quickly as possible.
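The reconciliation described above, reduced to its core matching logic, as an added example that is not part of the original article. It matches each bank statement line to a ledger entry by exact amount and a date within a small tolerance, then reports what is left over on each side: bank lines nobody booked (the fraud signal the article describes) and ledger entries that have not yet cleared. The sample ledger and statement are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    when: date
    amount: Decimal   # positive = money in, negative = money out
    ref: str


# Constructed sample data (not from the article): one month of the
# organization's own ledger and the bank statement for the same period.
LEDGER = [
    Txn(date(2024, 3, 1), Decimal("-1250.00"), "CHQ 1041 rent"),
    Txn(date(2024, 3, 4), Decimal("4800.00"), "DEP client A"),
    Txn(date(2024, 3, 8), Decimal("-312.45"), "EFT supplier B"),
    Txn(date(2024, 3, 15), Decimal("-2200.00"), "PAY payroll"),
    Txn(date(2024, 3, 28), Decimal("-480.00"), "CHQ 1042 utilities"),  # not yet cleared
]
STATEMENT = [
    Txn(date(2024, 3, 1), Decimal("-1250.00"), "CHQ 1041"),
    Txn(date(2024, 3, 5), Decimal("4800.00"), "DEPOSIT"),
    Txn(date(2024, 3, 8), Decimal("-312.45"), "EFT"),
    Txn(date(2024, 3, 15), Decimal("-2200.00"), "PAYROLL"),
    Txn(date(2024, 3, 21), Decimal("-975.00"), "EFT UNKNOWN PAYEE"),  # nobody booked this
]


def reconcile(ledger, statement, tolerance_days=3):
    """Match bank lines to ledger entries by exact amount and nearby date.

    Returns (matched pairs, unexplained bank lines, outstanding ledger entries).
    Unexplained bank lines are the ones to escalate: money moved that the
    organization never recorded.
    """
    outstanding = list(ledger)
    matched, unexplained = [], []
    for bank_line in statement:
        # Pick the closest-dated ledger entry with the same amount, if any.
        candidates = [
            entry for entry in outstanding
            if entry.amount == bank_line.amount
            and abs((entry.when - bank_line.when).days) <= tolerance_days
        ]
        if not candidates:
            unexplained.append(bank_line)
            continue
        best = min(candidates, key=lambda e: abs((e.when - bank_line.when).days))
        matched.append((best, bank_line))
        outstanding.remove(best)
    return matched, unexplained, outstanding


def reconciled_balance(opening, statement, outstanding):
    """Bank closing balance adjusted for items the bank has not yet processed."""
    closing = opening + sum(t.amount for t in statement)
    return closing + sum(t.amount for t in outstanding)


if __name__ == "__main__":
    matched, unexplained, outstanding = reconcile(LEDGER, STATEMENT)
    print(f"{len(matched)} lines matched")
    for t in unexplained:
        print(f"UNEXPLAINED bank transaction: {t.when} {t.amount} {t.ref}")
    for t in outstanding:
        print(f"outstanding (not yet cleared): {t.when} {t.amount} {t.ref}")
```

Run on the constructed data, the script flags the $975 EFT of March 21 as unexplained and lists cheque 1042 as outstanding; the unexplained line is the one to raise with the bank, while the outstanding cheque is simply a timing difference.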

Backup copy and backup plan

You should make sure that you back up your data periodically, and that you can restore it quickly if necessary. For example, if you fall victim to ransomware, i.e. a hacker blocks access to your data and demands a sum of money to restore it, a working backup could save you a lot of trouble[2]. Especially as there’s no guarantee that the attacker will give you back access to the data even if you decide to pay the ransom demanded.

A recovery plan, or business continuity plan, is also an invaluable tool for companies to ensure a rapid resumption of operations.

Passwords for greater security

A password must be complex, i.e. it should include at least 12 characters, including upper and lower case letters, numbers and special characters. It should not be linked to any of your personal information. Many tricks are available online, such as replacing an “S” with a dollar sign. The more complex the password, the longer it will take to crack. If you only use a word made of letters, your password can be cracked almost instantly.

There are programs like 1Password that can help you create complex passwords and remember them for you.

You should also change your password periodically, but not too often, to avoid having to write it down on a piece of paper that someone could steal.

Finally, make sure that a maximum number of failed login attempts is enforced, after which the account is locked.
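The three password controls above (complexity rules, no personal information, a cap on failed attempts), as an added example that is not part of the original article. The `password_problems` check enforces the stated policy, `search_space_bits` shows why a letters-only word is so much weaker than a mixed 12-character one, and `LoginThrottle` locks an account after a fixed number of consecutive failures. The limit of five attempts and the sample names are assumptions chosen for the example.

```python
import math
import re
import string

MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold for the example

# Character classes the policy requires.
_CLASSES = {
    "lower-case letter": (r"[a-z]", 26),
    "upper-case letter": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "special character": (r"[^A-Za-z0-9]", len(string.punctuation)),
}


def password_problems(pw, personal_info=()):
    """Return the list of policy violations; an empty list means compliant.

    personal_info holds strings that must not appear in the password
    (names, birth year, employer...), compared case-insensitively.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, (pattern, _) in _CLASSES.items():
        if not re.search(pattern, pw):
            problems.append(f"no {name}")
    lowered = pw.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


def search_space_bits(pw):
    """Size, in bits, of a brute-force search over the character classes used.

    This is an upper bound: a dictionary word scores as random letters here
    but falls to a word list far sooner, which is the article's point.
    """
    alphabet = sum(size for pattern, size in _CLASSES.values() if re.search(pattern, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


class LoginThrottle:
    """Counts consecutive failures per user and locks at MAX_FAILED_ATTEMPTS."""

    def __init__(self):
        self._failed = {}

    def attempt(self, user, password_ok):
        """Record one login attempt; returns 'success', 'failed' or 'locked'."""
        if self._failed.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"          # stays locked until an administrator resets it
        if password_ok:
            self._failed[user] = 0   # a success clears the counter
            return "success"
        self._failed[user] = self._failed.get(user, 0) + 1
        return "locked" if self._failed[user] >= MAX_FAILED_ATTEMPTS else "failed"

    def reset(self, user):
        self._failed.pop(user, None)


if __name__ == "__main__":
    for candidate in ("password", "Elyse2024!secure", "Correct-Horse-42-battery"):
        issues = password_problems(candidate, personal_info=("Elyse", "Langevin"))
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"{'OK' if not issues else ', '.join(issues)}")
```

The throttle is deliberately a pure counter with no timing, so it can sit in front of any authentication routine; what matters for the control is that the fifth failure locks the account even if the next password guess would have been correct.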

Multifactor authentication

In addition to the password, multi-factor authentication should be implemented. It requires a second approval step after the password has been entered, so that someone who learns your password still does not gain access to the data. Several solutions are available, including Microsoft Authenticator. It’s important that your employees never approve a login request they did not initiate themselves.

Email testing and in-house training

In order to test users’ vigilance, some entities send test e-mails to their employees (simulated phishing tests). If they click on the suspicious link, training is offered to raise awareness.

Insurance – Cybersecurity

When it comes to cybersecurity, insurance companies offer products to insure organizations against risks. This can be even more important when business continuity and the amount of sensitive information depend on technology.

In conclusion

Computer security is everyone’s business within an organization. Many controls exist, but the most important one is the vigilance of your system’s users. At the same time, it is they who represent the best point of entry for hackers, who will take advantage of any error on their part. So never hesitate to contact one of your partners if you have any doubts about a communication you’ve received.

Reminder: In September 2021, the Quebec government adopted Bill 25 (An Act to modernize legislative provisions respecting the protection of personal information in the private sector). In Quebec, all private companies that collect, process or communicate personal information are covered by this law. Bill 25 imposes responsibilities on companies. In the event of hacking, you would be doubly impacted: by the breach itself, and by the penalties that apply for non-compliance.

If you’re not sure whether your internal controls are up to scratch, don’t hesitate to contact a member of our certification team.

An article by Élyse Langevin, CPA auditor
Senior Director – Certification

For further reading: