As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.
In the following, we will lay out why fraud prevention is an essential element of proper corporate governance and identify the key areas to examine in order to judge whether your internal control environment is built to help your operation succeed.
A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:
Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.
Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.
Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.
Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.
Improve employee accountability by implementing checks and balances that discourage unethical behavior.
When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.
The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.
There are four elements to fraud: pressure, rationalization, opportunity and capability.
Pressure motivates crime. This could be triggered by debt, greed, or illegal deeds. Individuals who have financial problems and commit financial crimes tend to rationalize their actions. Criminals may feel that they are entitled to the money they are stealing, because they believe they are underpaid. In some cases, they simply rationalize to themselves that they are only “borrowing” the money and have every intention of paying it back.
Opportunity is the belief that a fraud can be committed and concealed without being caught; people who see that opening may simply take it. Capability means the individual has the position, expertise and confidence needed to carry out the scheme, including the ability to coerce others into taking part. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit all four elements of fraud.

The second key element to look for in your internal controls is well-established segregation of duties. The idea is to design controls so that no single person holds the combination of access and authority that would give them the opportunity to commit fraud. Companies must make it extremely difficult for any one employee both to perpetrate a crime and to cover it up afterward.
There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.

Segregation of duties is especially important for preventing the misappropriation of assets and reducing fraud risk. Below are some examples of best practices for various types of assets:
The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).
The DOA is a policy through which the executive team delegates authority to the management of the company. Individuals given delegated authority should be suited to the roles and responsibilities delegated to them. The DOA should be reviewed at least annually. It is then important to ensure that the DOA is being followed and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.
A second essential policy and procedure is restricted computer and application access, to protect sensitive company financials and proprietary data. The company should maintain logins and access rights on a need-to-know, least-privilege basis: access should be granted only by the owner of the application or system, logged by the administrator, reviewed periodically, and revoked promptly when an employee changes roles or leaves. Now more than ever companies are hiring remote employees, and this shift in the workplace further emphasizes the need for a quality IT controls environment.
As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.
Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed.
State and local governments are frequently constrained by their budgets. Proactive planning spreads both effort and budget over a longer timeframe, which allows investments to be made incrementally and resources to be allocated consistently.
Because cyberattacks are nothing new, many organizations have already prepared some sort of response plan. However, because the pace of cyberattacks and the sophistication of attackers are constantly increasing, your plan should be updated at least annually. A robust plan is a living document maintained by cross-functional teams that include IT professionals and leadership.
Risks should be identified and prioritized so that urgent needs can be addressed with immediate investments. Although the plan may never be finished, its prioritized pieces form a framework through which cybersecurity becomes an ongoing conversation and a lens through which daily work is viewed.
A contingency plan should be in writing. Drafting a detailed plan that addresses many different scenarios is time consuming, and it is also necessary. The thought process and discussions that go into a robust response to a cyber incident are valuable to the whole organization. When a cyberattack occurs, one of the greatest concerns is to stop the loss of sensitive information. Part of contingency planning therefore involves creating an information classification policy, so that your information systems protect the highest-value information with the highest level of security.
Contingency planning also involves a communication plan. In what order do you make phone calls to your incident response team, legal counsel, board of directors, insurance agent, or law enforcement? Who needs to know what, when? How do you document your actions?
If you think having these discussions is overwhelming and stressful in the planning stage, imagine what it would be like to try to make critical decisions while an intruder is inside your network, your information systems are locked, and your daily work has come to a halt.
State and local governments often have older IT systems, some of which have been in use for 20 years. These systems need ongoing patching to close known vulnerabilities, and in most cases the various information systems do not “talk” to each other.
One of the first steps you can take is to update your information systems. Part of this may involve a discussion of a policy manual and potentially some training so that people are aware of the risks that are constantly evolving. A standing IT governance committee may initially be dedicated to the upgrade, and later take on the ongoing task of mitigating cyber risks throughout your organization.
Mitigating some of these risks might include reviewing your cyber insurance policies to ensure that you have adequate coverage for overall data recovery and the cost of business interruption. This committee should also review your backup policies and services to ensure reliable storage in a separate location, and should test those backups periodically by actually restoring data from them, both to confirm that they can be recovered and to ensure compliance with your contracts.
State and local governments should expect to be targeted — they have access to large amounts of personal information and data. Thus, it is crucial to have a plan that can be immediately put into action to protect this sensitive information for the people and communities you serve. Your response within the first 24 hours of the breach is critical to minimizing damage. With proper planning, even an aggressive attack can be survived with minimal losses.
If your organization is not yet prepared for a cyberattack, or you are interested in proactive planning against a breach, schedule a consultation with the MGO Technology Group or learn more about the services we provide here.
With the onset of the COVID-19 pandemic, traditional business practices for most organizations shifted nearly overnight. Whether that means companies have switched to remote-work strategies, increased their reliance on virtual applications, or even changed their product mix to stay relevant, the transition has been swift. While some of these shifts have demonstrated the adaptability and resilience of the business world, there are new and increased risks that must not be overlooked during this time, some of which include insurance and disaster relief fraud.
Additionally, we have seen major economic impacts since the virus’s spread. In the past weeks there have been record-breaking unemployment filings, including over 3 million initial claims for the week ended March 21, 2020 and over 6.6 million initial claims for the week ended March 28, 2020. Economists at the Federal Reserve district project total employment reductions of 47 million, or a 32.1 percent unemployment rate. US stock markets remain volatile and the Dow was down approximately 37% during the week of March 23, 2020. The economic losses are significant and will put extreme financial pressure on companies and individuals.
Given the above considerations, we’ve entered an era with the potential for a “perfect storm” of conditions and motivations that increase the risk of fraud, in its various forms, as a direct result of the global COVID-19 pandemic.
Fraud is generally defined as “wrongful or criminal deception intended to result in financial or personal gain.” Oftentimes we see this in the form of theft, which can be tangible goods and materials, or intangible assets, including private data or intellectual property.
A second form of fraud to consider is related to the intentional misrepresentation of company financial information. This often presents in the form of inaccurate profit and loss numbers, increased assets on a balance sheet, or under-reporting of major liabilities. This type of fraud is committed in order to attract investment, financing, or to avoid penalties for poor performance.
In almost every instance of identified fraud, there are three components involved which we generally refer to as the Fraud Triangle:
Given the major losses in the stock markets, unprecedented job losses, change in both consumer and B2B buying habits, and a general feeling of uncertainty, there are several emerging pressures and incentives to commit a fraudulent act.
When these pressures start to have a real impact on individuals and companies, that’s when the rationalizing begins. Individuals may think, “I need to do this to survive, and the company has so much money they will be fine.”
Company executives may think, “So many people’s jobs depend on this company’s survival, we have to do what we have to do to stay afloat.”
Lastly, as layoffs continue and remote work increases, the ability to follow internal controls will become more challenging and there will be less employee oversight. Employees may obtain increased authority as well. As such, the opportunities to commit fraudulent activities will increase.
From a theft perspective, employees, vendors, and customers are the highest-risk populations. Employees have access and knowledge, and are likely feeling the economic and personal impacts of the COVID-19 pandemic the most. Vendors may be struggling during these times as well, which increases their need to sell as much product and collect as much cash as possible. Lastly, customers, like the rest of the group, are feeling the pressure, and when situations begin to look desperate they will look to reduce their costs as much as possible.
First, start with a common sense approach: pay attention and don’t forgo your standard risk mitigation procedures. Next, consider undertaking the following solutions:
1. Fraud Risk Assessment: Have you done a fraud risk assessment over your organization in the COVID-19 era? Have you done one recently at all? Whether this is done throughout the organization, or within a specific group of individuals or transactions, an updated fraud risk assessment can identify the risky areas in your business where you are most exposed to financial loss.
2. Respond to Identified Fraud: If you already suspect fraudulent activity is taking place, a forensic investigation can uncover much of these occurrences and help to resolve the issue by identifying the perpetrators and putting a stop to the activity.
3. Policies and Procedures Update: Have your policies and procedures been updated as a result of the changes to your business operations in the COVID-19 environment? Changes should be reflected in your controls as soon as possible. These need to be evaluated to ensure key controls are in place and functioning effectively in consideration of the changes to the way your business runs.
If you are unsure whether your controls are designed in a way that will prevent or detect fraud, we recommend consulting with professionals who can review your procedures and assist in implementing appropriate and efficient checks and oversight to reduce your risk of fraud.
4. Staff Re-Alignment: Current staffing models are changing. Whether you are short-staffed due to the outbreak, or concerned about cash flow related to fixed salaries, you might need some help. This is a time to consider innovative and affordable solutions that can be provided on an as-needed or periodic basis and that relieve some of the fixed costs of hiring full-time employees, without losing any risk control or mitigation capabilities.
For example, you might want to consider outsourcing your internal audit function and hire consultants to perform these duties quarterly to avoid the annual internal audit salary expenses.
5. IT Risk Assessment: In these uncertain times, with nearly all business operations being handled online, there are additional risks to consider. A comprehensive risk assessment can be extremely valuable in avoiding financial or data losses. Additionally, there are some questions you should consider under the following categories:
a. Software – When was the last time you evaluated your systems, updated software, or performed an access and authorization review? Are you appropriately managing costs related to licenses for software?
b. Hardware – Are your hardware systems adequate to handle this level of remote work and online transacting? How strong are your physical safeguards to these assets?
c. People – Are your staff appropriately trained for this fully digital environment? Have policies and procedures for remote-work been implemented? Are individuals following these? Do you have the appropriate level of IT support staff to assist in the event of application failure and business interruption?
As described above, due to the economic impacts of the COVID-19 virus, it is anticipated that an increase in fraud will occur and it is important to note that this increased risk can have a significant impact on your operating cash flows if left ignored. It is important to update your fraud risk assessment, put a stop to any potential fraud, update your policies and procedures given the transition to virtual offices, evaluate your staffing needs, and consider increased IT risks.
The MGO Advisory Services Practice can help your organization with these activities, so please reach out with any questions.
In recent weeks, the global economy has entered uncharted territory. For the first time ever, many workers are under strict orders by state and local governments to ‘work from home if possible.’ For some firms this has not presented any issues, as they’ve had some employees work from home for years and mobile work capabilities are baked into the foundation of day-to-day activities. But many enterprises that did not previously have robust technology solutions to support a remote workforce are now scrambling to establish adequate capabilities and protocols.
The silver-lining here is that any investments in remote capability are not only stop-gap measures. They represent a useful, long-term addition as employees are likely to expect remote capabilities moving forward – and are an essential disaster preparedness measure, in the event of another office site disruption.
To continue supporting firms navigating the trials of establishing remote capabilities, this piece of thought leadership examines one of the most common tools employed by companies to allow their staff to work remotely, the Virtual Private Network (VPN).
A VPN creates an encrypted connection to another network over the Internet. In layman’s terms, it allows your employees to connect securely to your company resources across the open and untrusted internet. So how do you put a VPN into action to allow for remote access? In most cases it is done by installing a VPN gateway appliance in your company’s server rack at the edge of your network, so that remote users’ traffic to company resources passes through it, and only through it. Setting the device up within your server room or closet requires technical knowledge of server wiring and network engineering.
If you do not have staff that meet the technical requirements, it is recommended that you reach out to an organization like MGO Technology Group, which has the expertise and technical staff needed to get a VPN racked and running in no time.
Know that not all VPNs are created equal. While the market will provide any number of products that can meet your firm’s needs, not every product will be a fit. This is especially true in terms of capacity. When most companies consider a VPN solution, they typically look at how many staff members may need to work remotely on a regular basis. In the wake of a disaster such as the COVID-19 outbreak, your entire staff may need to work remotely for a sustained period of time. As such, it is important to factor the capacity of your VPN device into your decision-making process. You may not need 100% of the VPN’s capacity most of the time, but you’ll be glad you have it when disaster hits.
It is also important that the outside internet connection you have into the VPN is adequate to handle the incoming traffic. You will need to work with your internet service provider to make sure the plan you choose has adequate bandwidth to handle the regular work activities of your staff. As with choosing and setting up the VPN, you are not alone in this endeavor. MGO Technology Group is ready to step in and help you make the choices you need for the uptime you desire.
Once a VPN is installed, the next step is having your staff log in to it in order to access company resources such as Exchange or file shares. There are many different configurations a firm can employ to accomplish this task, but for now we’ll look at one of the more popular setups: VPN client software installed on company-owned laptops. Many VPN providers, such as Cisco or Check Point, offer VPN client endpoint software that you, your team, or your service provider can pre-install on company laptops. This client software automates connecting users to the VPN when they are outside your office location. Once installed and configured, an employee only has to connect to the internet and then log in to the client software to connect to the VPN.
The client software will also allow the user to connect to the VPN using the same credentials they use to log in to their laptop, eliminating the need to remember an additional password. By using client endpoint software, the process of activating, using, and monitoring the VPN is simplified.
As stated previously, the VPN creates a secure connection over the open internet back to your company resources. However, the VPN will not make everything secure. Like any device or setup, it has vulnerabilities that must be acknowledged and mitigated. First and foremost, a VPN will not compensate for human error. While it protects the open and unsecured internet connection an employee might be using, it will not stop your employees from falling victim to a phishing scheme or downloading suspect software from a less than reputable website. Most VPNs are nothing more than a secure gateway into your company resources. Once that gateway is opened by a legitimate user, or by a bad actor who has stolen legitimate credentials, anything can get through. Though a VPN secures the connection, it’s important that your employees still maintain good cyber hygiene: never sharing credentials, changing passwords promptly whenever compromise is suspected, and following the instructions of your technical staff or managed service provider. Requiring multi-factor authentication on the VPN login is the single most effective way to blunt the stolen-credential case.
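The stolen-credential case above is also something you can look for in the VPN gateway’s own logs. The following Python script is an added example, not code from this article or from any VPN vendor: it assumes a simple, constructed syslog-style line format (timestamp, gateway name, user, source address, result) and runs two detections over a handful of constructed sample entries, a run of failed logins followed by a success on the same account, and one account logging in from two different public addresses within an hour.

```python
"""Triage remote-access VPN authentication logs for signs of stolen or shared
credentials.  Added example, not code from the article or any VPN vendor; the
log format below is a constructed, vendor-neutral syslog-style line (assumption).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
2020-04-01T08:01:10Z vpn-gw auth user=alice src=203.0.113.10 result=SUCCESS
2020-04-01T08:02:33Z vpn-gw auth user=bob src=198.51.100.7 result=FAILURE
2020-04-01T08:02:41Z vpn-gw auth user=bob src=198.51.100.7 result=FAILURE
2020-04-01T08:02:55Z vpn-gw auth user=bob src=198.51.100.7 result=FAILURE
2020-04-01T08:03:02Z vpn-gw auth user=bob src=198.51.100.7 result=FAILURE
2020-04-01T08:03:20Z vpn-gw auth user=bob src=198.51.100.7 result=SUCCESS
2020-04-01T08:10:05Z vpn-gw auth user=alice src=192.0.2.44 result=SUCCESS
2020-04-01T09:30:00Z vpn-gw auth user=carol src=203.0.113.77 result=SUCCESS
2020-04-01T10:15:00Z vpn-gw auth user=carol src=203.0.113.77 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE)$"
)


def parse(log_text):
    """Parse matching lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": m["user"], "src": m["src"], "result": m["result"],
            })
    events.sort(key=lambda e: e["ts"])
    return events


def find_bruteforce_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Users whose successful login was preceded, within `window`, by at least
    `min_failures` failed attempts: the signature of a guessed or sprayed password."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            failures = [p for p in evs[:i]
                        if p["result"] == "FAILURE" and e["ts"] - p["ts"] <= window]
            if len(failures) >= min_failures:
                findings.append({"user": user, "failures": len(failures),
                                 "success_at": e["ts"], "src": e["src"]})
                break  # one finding per user is enough to trigger a review
    return findings


def find_multi_source_logins(events, window=timedelta(hours=1)):
    """Users who logged in successfully from more than one source address within
    `window`: credentials that are shared, or in use by someone other than the owner."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            later = {p["src"] for p in evs[i + 1:]
                     if p["ts"] - e["ts"] <= window and p["src"] != e["src"]}
            if later:
                findings.append({"user": user, "first_at": e["ts"],
                                 "sources": sorted({e["src"]} | later)})
                break
    return findings


def triage(log_text):
    """Run both detections over a log and return the findings keyed by type."""
    events = parse(log_text)
    return {
        "bruteforce_then_success": find_bruteforce_then_success(events),
        "multi_source_login": find_multi_source_logins(events),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for finding in items:
            print(kind, finding)
```

Real gateways log in their own formats, so the regular expression is the part to adapt; the second check is a crude stand-in for the geolocation-based “impossible travel” alerting that commercial tools provide. Both findings are exactly the cases that multi-factor authentication on the VPN login is meant to make harmless.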
Though not as visible, the vulnerabilities of the VPN device and its software are just as much of a threat. Much like your company laptops and servers, VPN devices need to be properly maintained and updated, lest they become susceptible to newly discovered threats and vulnerabilities; an internet-facing gateway is exposed to every attacker on the internet, so a missed patch there matters more than one on an internal server. This is where expertise comes into play. No matter how the VPN is deployed, you will need a technical team handling three distinct tasks after the VPN and associated software are put into place:
Ready to talk VPNs and remote connectivity? MGO Technology Group is here to help. Let’s talk today.
Emerging industries are prime candidates for cyberattacks and criminal hacking. That’s because as an industry matures, companies quickly scale operations to meet rising demand, and with the focus on generating revenue, the implementation of appropriate security protocols is too often overlooked. A hallmark of a sophisticated and successful organization is robust cyber and information security systems and processes that protect intellectual property, customer information, and other valuable data; without them, you risk losing the market share you’ve fought so hard to win.
Cannabis faces nearly all of the same cyber security challenges as other industries of equivalent size and maturity. These include, but are far from limited to, service disruptions from natural disasters, regulatory compliance, attacks on your systems over the network, and especially attacks that target your people rather than your systems, such as phishing.
Phishing holds a unique place in the cyber security sphere because, unlike active attacks against a company’s information technology infrastructure, it seeks to gain access by exploiting the user. No matter how good your electronic defenses may be, a single well-placed phishing message can compromise your data. This is why user education must be part of any cybersecurity program, and cannabis is no different. It does not matter whether your cannabis operation is involved in cultivation, distribution, or retail: if your employees handle information that is important to your business, they must be educated on best practices regarding phishing. The data your business holds is a valuable commodity and must be treated accordingly.
While phishing is the most common culprit behind data breaches, ransomware has emerged as a less common but equally threatening cyber risk. Ransomware is a type of attack that, rather than attempting to steal your data, denies you access to it, typically by encrypting your files. This renders your business inoperable until, in theory, you pay the ransom to your attacker to regain access to your data. Ransomware was prominent in the news in 2019 for various high-profile attacks on mid-tier cities that simply did not have the financial resources to combat and undo its consequences. That pattern is crucial for the cannabis industry to recognize: the 2019 trend shows that ransomware attackers often choose their victims carefully, in the hope that the victim will not have the willpower or resources to fight back.
Since cannabis is a relatively new industry, with most resources dedicated to production development and company growth, most companies will not have the resources available to dedicate to combating ransomware attacks. Industry players should be aware of a simple fact of life when it comes to cyber security: prevention is always more cost-effective than recovery. Resources may be tight, but even a basic offsite data backup strategy could go a long way towards mitigating an attack that compromises data access.
This period of early growth is the perfect time for industry leaders and business owners to cultivate cyber security strategies. The relatively early stage of the cannabis industry offers an opportunity, in that companies are unencumbered by legacy software and processes. Cyber security software and processes may not need to be stacked on or integrated into existing operations; rather, they can be built into the company at an early stage. This will make the inevitable need to scale up cyber security operations within your company that much easier. It is also a good time to start your IT asset inventory process, which will allow for a more robust IT security posture down the road. There are companies that have been around for decades that still do not have a handle on what equipment they actually have. In this regard, the cannabis industry has an advantage.
The examples of phishing, ransomware, and asset management are just three core topics within the broader world of cyber security. While cyber security may seem to be a large, complex, and costly endeavor, even small and recently founded companies can effectively tackle the problems at hand. For example, as phishing constitutes the vast majority of data breach starting points, instituting a phishing awareness campaign at your company could go a long way towards reducing vulnerability to potential threats. Secondly, a small firm need not pay for real time data replication. Even a simple and cost-effective off-site backup can go a long way towards mitigating the effects of a ransomware attack. Sure, it might take longer to restore your data in the event of an emergency, but a slow restoration is better than none at all.
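The off-site backup advice above, and the earlier point that local governments should test their backups periodically, is only worth anything if the copy can actually be restored. The Python script below is an added example, not code from this article: it backs up a constructed sample directory to an “off-site” folder alongside a SHA-256 manifest, proves the archive restores file-for-file against that manifest, and then shows the same check catching a single corrupted byte in the off-site copy.

```python
"""Back up a directory to an 'off-site' location and prove the copy restores
intact.  Added example, not code from the article; the sample files and
directory layout are constructed here for the demonstration."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_dir, offsite_dir, name="backup"):
    """Write <name>.tar and a JSON manifest of file hashes into offsite_dir.
    The manifest is what lets a later restore be checked file by file."""
    src_dir, offsite_dir = Path(src_dir), Path(offsite_dir)
    offsite_dir.mkdir(parents=True, exist_ok=True)
    archive = offsite_dir / f"{name}.tar"
    manifest = offsite_dir / f"{name}.manifest.json"
    expected = build_manifest(src_dir)
    with tarfile.open(archive, "w") as tar:
        for rel in expected:
            tar.add(src_dir / rel, arcname=rel)
    manifest.write_text(json.dumps(expected, indent=1))
    return archive, manifest


def verify_restore(archive, manifest):
    """Restore the archive into a scratch directory and compare it with the manifest.
    Returns (ok, problems); problems names files that are missing, unexpected or
    corrupt, or the extraction error if the archive cannot be read at all."""
    expected = json.loads(Path(manifest).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r") as tar:
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")  # refuse absolute or ../ paths
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"extract failed: {exc!r}"]
        actual = build_manifest(scratch)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    problems += [f"corrupt: {p}" for p in expected
                 if p in actual and actual[p] != expected[p]]
    return not problems, problems


def demo():
    """Constructed end-to-end run: back up sample data and verify it, then flip one
    byte in the off-site copy (silent media corruption) and verify again."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "finance"
        (src / "contracts").mkdir(parents=True)
        (src / "ledger.csv").write_text(
            "ACCT-1001,2020-03-31,1500.00\nACCT-1002,2020-03-31,-320.50\n")
        (src / "contracts" / "msa.txt").write_text("Master services agreement, v3\n")

        archive, manifest = make_backup(src, root / "offsite")
        clean_ok, clean_problems = verify_restore(archive, manifest)

        damaged = bytearray(archive.read_bytes())
        pos = damaged.find(b"ACCT-1001")  # file content is stored verbatim in a .tar
        damaged[pos] ^= 0x01
        archive.write_bytes(bytes(damaged))
        tampered_ok, tampered_problems = verify_restore(archive, manifest)
    return {"clean_ok": clean_ok, "clean_problems": clean_problems,
            "tampered_ok": tampered_ok, "tampered_problems": tampered_problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the verification on a schedule against the real off-site copy, not only on the day the backup job is set up: a backup that has never been restored is an assumption, not a control. The `filter="data"` argument is used where the Python version provides it, so that a crafted archive cannot write outside the restore directory.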
Today’s world is more connected than ever. Not only are users sharing more information across the Internet than at any other time in history, they are doing so with a variety of devices available to the public. That’s hundreds of devices available for a user to connect and conduct various facets of their lives in a convenient and productive way. It also means thousands of potential vulnerabilities that nefarious actors can exploit. Mobile devices represent the newest front in user security, as more and more of our digital lives are accessed via these handheld computers. Given the popularity of these devices, it’s not surprising that hackers have turned their attention to how they can exploit vulnerabilities for personal gain.
Because mobile devices are often used outside of a regulated environment, such as an office or private network, they can be susceptible to attacks over public networks that purposely do not restrict access. Despite these inherent vulnerabilities, there are several steps you can take on your handset to help ensure that your device remains secure. Though this list is not all-encompassing, it will provide a handy guide to make sure your mobile environment remains a safe and reliable tool for you to use.
Updates will apply the most recent security patches to both your apps and operating system which is why you should apply the updates as soon as you see the notification from your phone. For an extra layer of protection you should consider allowing your apps to auto-update while the device is connected to WiFi.
Always use a PIN, passcode, or some form of biometric authentication to access your phone. No one, not even you, should be able to pick up your phone and access it without some form of verification. Though a strong passcode is still the strongest form of security on a mobile device, you can provide an adequate layer of security by combining biometrics, such as a fingerprint or iris scan, with a backup PIN (a PIN is harder for a bystander to observe than a swipe pattern).
When you are not using them, turn off WiFi, Bluetooth, and the Near Field Communication (NFC) radio. The fewer active interfaces on your phone, the less likely someone will be able to exploit one of them. This doesn’t mean you should never use them; shutting them off when they are not in use not only lowers your attack surface, it is also better for the device’s battery. Many handsets now include software that lets you automate turning these settings on and off with a single voice command. Try to make use of these tools to find the most efficient balance for your own lifestyle.
Much like you would think twice about going to places where you may have doubts about safety, so should you be mindful about who and what you allow your phone to connect with. ONLY allow connections and access to devices, individuals, and apps you know you can trust. This includes only downloading apps from a trusted source such as the Google Play Store or the Apple App Store. Additionally, be wary of any app that requests administrator-level or otherwise excessive permissions in order to function. Is having that one face filter really worth giving an app access to ALL of your friends’ contact information?
Occasionally you should inventory the apps on your device and decide if you still actively use them. Deleting unused apps has an array of benefits, which include freeing up storage and processing power, reducing background usage, and reducing possible attack vectors from apps that are no longer updated by the developer. Most handsets now come with tools to allow you to list your apps based on the last time they were used. This can help you narrow down those that should be removed first.
As tempting as some might make it sound, you should never ‘root’ or ‘jailbreak’ your phone if you wish to keep it secure. Doing so removes many of the protections that handset makers put in place to prevent incompatible programs from interfering with the phone’s basic functions. Jailbreaking your phone removes these protections while also taking your operating system out of the regular update cycle. Jailbreaking your phone may also disqualify it from many Bring Your Own Device (BYOD) programs run by professional organizations.
To learn more about cyber and information security, for you and your organization, schedule a consultation with the experts at MGO Technology Group.
Every organization needs a mobile device strategy for its employees. There is no way around it and there is no way to avoid it. Your organization must develop a clear policy for how your employees will use mobile devices to interact with your IT environment. Having no policy is no longer an option, as it will open up your firm to exposure from so-called ‘Shadow IT’: users will circumvent your IT infrastructure and e-mail documents over non-sanctioned channels so they can continue to work on their own mobile devices. Granted, a fully implemented mobile device policy may not eliminate these risks entirely, but it will go a long way toward reducing your organization’s overall risk exposure to a potential data breach. The first step of developing this policy is to answer a not-so-simple question: will your firm issue its own devices to employees or allow them to Bring Their Own Device (BYOD)?
There are two potential mobile device programs: BYOD and Corporate Owned Devices (COD). Since every organization is unique, we do not intend to make a recommendation as to which strategy might be better. Our intent is to examine both policies and help you identify if one might be a better fit for your organization.
Before either of these programs is implemented, your organization will need Mobile Device Management (MDM) software. MDM is a crucial element to centrally manage and monitor any mobile devices that interact with your infrastructure. Your MDM must be in place before any device is allowed access to your network.
With COD your firm issues devices to your employees for corporate use and completely disallows the use of non-corporate devices within your corporate infrastructure. Your firm takes responsibility for the devices’ setup, maintenance, and troubleshooting. While this policy does increase the setup time to make an employee fully ‘active’ within your IT setup, it allows for complete control of the hardware and associated software that is allowed within your firewall.
This setup has the advantage of carrying the lower overall security concerns of the two policies. You can choose every feature that is allowed on the device, right down to personal logons and the actual applications allowed on the device. Since your organization owns the devices, they will already fall under any established guidelines the firm may have for governance of IT assets, and thus minimize or eliminate the need for any extra work from your legal department to govern employee behavior.
While COD does allow for increased security and governance, it also has an overall higher price tag, as your organization will be required to own every part of the mobile devices’ lifecycle — right down to maintaining a relationship with a cell phone provider to provide data services for the devices. As a result, the COD approach has the highest cost outlay of the two policies. COD will also have a higher cost to internal IT resources, as they will be called upon to maintain the device inventory, train the users if needed, troubleshoot, reclaim the devices from departing employees, and repurpose them for the next user as you would with any other end user IT assets. This is time that your IT department could be dedicating to other activities, so you will have to decide if you want to add this responsibility to their overall workload.
BYOD, as the name states, allows your employees to add their own devices to your corporate infrastructure. This approach eliminates many of the costs listed above, such as the outlay needed to procure and maintain devices of your own along with the need to maintain data plans for the devices. However, given the variety of handsets available to users in today’s market, your organization will have to spend more time setting up the actual policy to ensure your firm maintains a secure environment before actually rolling it out to your employees.
Beyond setting up the MDM, you will need to decide which devices, operating systems, and setups you will allow in your BYOD program. For example, you may be willing to allow iPhones and Samsung handsets into the program without additional security enhancements, but may require other Android-based handsets to be encrypted before allowing them onto your BYOD program. You will have to designate a team to continuously evaluate new handsets as they reach the market to see what setup changes might be needed to allow these devices onto your program.
In addition to researching and choosing the allowed hardware policy, your firm will also have to establish the BYOD onboarding policy for each individual device operating system to be distributed to the users once they agree to join the BYOD policy. Your IT department will have to assist the users in onboarding the device and will have to continue to troubleshoot issues such as connectivity to corporate services such as e-mail. Finally, it will be necessary to establish a legal framework beyond your regular IT policy to define the parameters in which your company can monitor and administer the personal devices allowed onto your BYOD policy. Most companies accomplish this by working with their legal department to draw up an agreement to be signed by the user that establishes the rights of the company to monitor, administer, and if need be, completely wipe the device using the MDM.
The most prominent argument in favor of BYOD is that all the costs for resources listed above are up front. Once the MDM, policies, and procedures are in place you need only worry about updating them rather than actively implementing them as you would with a COD policy. All of the other costs associated with the device are still the responsibility of the employee. However, this is also the most prevalent argument against BYOD from a security standpoint. While the MDM and legal agreement will allow your IT department to monitor the device for any potential vulnerabilities, you will generally not be allowed to actively manage it. The onus will still be on the employee to ensure the device is properly updated and that no suspicious software is added to it. While your IT department would be able to inform the employee of suspicious software or activity within the device itself, the only true recourse you would have to protect your environment would be to remove the device from the MDM and thus from the BYOD program.
Both programs have their advantages and drawbacks. Both allow for mobile access to various company resources such as e-mail and file sharing. However, there are differences to consider within each program regarding cost outlay, day-to-day maintenance, and overall security posture. Of course, neither of these policies is set in stone. Many companies are experimenting with a hybrid option that would allow employees to choose between a company device and joining a BYOD program, in an attempt to fill the gaps present in both standalone programs. Each policy can be tailored to fit your company’s needs, but your IT department must make sure the proper back-end work is done on both the MDM and the devices themselves to ensure that a proper IT security posture is maintained throughout your organization.
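The BYOD admission rules sketched above (trusted handset makers admitted as-is, other Android handsets only when encrypted, no rooted or jailbroken devices, a screen lock required, and the employee responsible for keeping the device patched) can be expressed as a single compliance check that an MDM-style enrollment step runs against the attributes the device agent reports. The following is an added example written for this page, not MGO Technology Group’s code or any vendor’s MDM API; the policy thresholds, maker list, and sample fleet are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DeviceReport:
    """Attributes an MDM agent typically reports for an enrolling handset."""
    device_id: str
    platform: str        # "iOS" or "Android"
    manufacturer: str    # e.g. "Apple", "Samsung"
    os_version: tuple    # (major, minor)
    encrypted: bool      # storage encryption enabled
    rooted: bool         # rooted / jailbroken
    screen_lock: bool    # PIN, passcode or biometric lock configured
    last_patch: date     # date of the last security update applied


# Hypothetical policy values; tune them to your own program.
BYOD_POLICY = {
    "min_os": {"iOS": (16, 0), "Android": (12, 0)},
    "trusted_makers": {"Apple", "Samsung"},   # admitted without extra requirements
    "max_patch_age_days": 90,
}

# Findings the employee cannot fix by updating or changing a setting:
# the device is refused rather than sent back for remediation.
HARD_FAILS = {"rooted", "platform"}


def evaluate_device(report, policy=BYOD_POLICY, today=date(2024, 6, 1)):
    """Return (decision, findings); decision is 'admit', 'remediate' or 'deny'."""
    findings = {}
    if report.rooted:
        findings["rooted"] = "device is rooted or jailbroken"
    if not report.screen_lock:
        findings["lock"] = "no PIN, passcode or biometric lock configured"
    min_os = policy["min_os"].get(report.platform)
    if min_os is None:
        findings["platform"] = f"platform {report.platform!r} is not allowed"
    elif report.os_version < min_os:
        findings["os"] = f"OS {report.os_version} is below minimum {min_os}"
    # Trusted makers are admitted as-is; every other handset must be encrypted.
    if report.manufacturer not in policy["trusted_makers"] and not report.encrypted:
        findings["encryption"] = "storage encryption is required for this handset"
    age_days = (today - report.last_patch).days
    if age_days > policy["max_patch_age_days"]:
        findings["patch"] = f"last security patch is {age_days} days old"

    if not findings:
        return "admit", findings
    if HARD_FAILS.intersection(findings):
        return "deny", findings
    return "remediate", findings   # employee is told what to fix before access


def fleet_summary(reports, **kwargs):
    """Group device ids by decision, the view an administrator would review."""
    summary = {"admit": [], "remediate": [], "deny": []}
    for report in reports:
        decision, _ = evaluate_device(report, **kwargs)
        summary[decision].append(report.device_id)
    return summary


# Constructed sample fleet (not real devices).
SAMPLE_FLEET = [
    DeviceReport("ios-01", "iOS", "Apple", (17, 4), True, False, True, date(2024, 5, 1)),
    DeviceReport("and-02", "Android", "Acme", (13, 0), False, False, True, date(2024, 1, 15)),
    DeviceReport("and-03", "Android", "Samsung", (14, 0), True, True, True, date(2024, 5, 20)),
    DeviceReport("ios-04", "iOS", "Apple", (15, 2), True, False, False, date(2024, 5, 10)),
]

if __name__ == "__main__":
    for report in SAMPLE_FLEET:
        decision, findings = evaluate_device(report)
        print(report.device_id, decision, list(findings.values()))
    print(fleet_summary(SAMPLE_FLEET))
```

The split between “remediate” and “deny” mirrors the article’s point that the only real recourse under BYOD is removal from the MDM: findings the employee can fix (an old patch level, a missing lock, no encryption) go back to the user, while a rooted device or an unsupported platform is refused outright.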
The most interesting results from this survey indicate that the majority of government agencies have NOT received Cyber Security Awareness training in the last year. This highlights an overwhelming need for the implementation of strong cyber security awareness programs in the government sector.
The results went on to show that barely half of the organizations have a cybersecurity awareness program in place at all, and of those that do, 58% haven’t received awareness training in over a year.
When asked to rate their top three risks agencies face today, your peers are mostly concerned about phishing and ransomware attacks at a combined percentage of 51.72%. It’s worth noting these risks can be significantly reduced when an awareness program is implemented. A lack of awareness is also evident with only half of those surveyed stating they would be able to recognize a security incident.
We’ve saved the most intriguing results for last. There’s actually enormous uncertainty about whether there is an Incident Response Plan, let alone any plan, in place to recover, should a breach occur. Communication across departments isn’t occurring.
Moreover, the majority of those polled tell us that senior leadership isn’t actively involved in agency cyber security programs.
As we welcome in the New Year why not commit some time on your calendar for more conversations and increased awareness about the business risks that face your city? Engage with the city leadership in identifying additional ways to increase the level of awareness for everyone.
We have a dedicated team of cyber and information security experts that can help you by creating a custom program – whatever the size of your organization – that will greatly improve your security posture. We can assist with security awareness programs, conduct threat assessments, review third-party vendor risks, or even create detailed Business Continuity and Incident Response Plans to transform your city into a cyber secure one. Let us partner with you in minimizing your vulnerabilities. What we can’t do is stop a cyber attack once it’s already been launched.

MGO Technology Group has leveraged contacts from the dark web, conversations with federal authorities, and other proprietary research and insight to provide an overview of the leading cyber threats cannabis enterprises face.
Information gathered by MGO Technology Group from underground assets and federal investigations indicates that, to date, there is no specific group actively targeting the cannabis industry. But there are hackers focusing on three areas within the seed-to-sale lifecycle:
Investigations revealed two incidents where intellectual property was stolen by a former employee due to partial or ineffective security practices. In addition to potential malicious insiders, external threat actors are expected to attack the research portion of the industry in order to steal intellectual property. Potential targets of hackers include strains being developed, marketing strategies, and technology practices related to cultivation.
The loss or modification of proprietary information, such as strain development and cultivation methodology, could severely impact the production of future products, result in a tampered or inferior product, or cause the loss of competitive advantage within the industry. While an increased timeline for a future product or loss of IP to a competitor would result in a negative financial impact, the release of a tampered product could also cause a negative reputational impact.
The search for payment solutions in the notoriously cash-heavy cannabis industry has led to the emergence of a number of payment systems. While they may be convenient, they are a high-risk target for hackers. Mobile applications that are not securely developed or lack appropriate oversight are at risk and provide an attack vector for malicious actors. A successful breach of an application could provide access to customer financial information, leading to mistrust of the application author and discontinued usage.
As the legalization of medical and adult-use cannabis spreads across North America, the customer base will continue to expand, making retailers increasingly high-priority targets of malicious actors. Medical information and Protected Health Information (PHI) are already highly valued assets for cyber-criminals.
Similar to other small businesses and the early stages of any new industry, the protection and security of computers and networks involved with customer information is minimal or ineffective. Specifically, this involves the Point-of-Sale system and supporting infrastructure, two of the most targeted assets, a breach of which would result in the theft of customer information. Once again, a breach of customer information, especially PHI, will not only have a negative impact on the reputation of the retailer and the industry overall, but could result in HIPAA violations carrying millions of dollars’ worth of fines.
It is most likely you have not heard of AMCA. However, if you have had any form of medical test in the past few years, there is a very good chance you know some of their largest clients: LabCorp and Quest Diagnostics, two of the largest medical laboratories in the United States.
AMCA was a third party debt collector for LabCorp, Quest Diagnostics, and several other medical companies. As a result, AMCA had a deep data sharing relationship with these firms, which included the exchange of patient health and financial information. At the time of this posting, the initial cause of the breach at AMCA is unknown. Early indicators point to an intrusion on their payments website, but it is unclear how that intrusion actually took place. We’re sure the investigation will turn up more details on the nature of the attack, but it’s already too late for AMCA. The company has filed for Chapter 11 bankruptcy protection due to the astronomical costs of notifying their clients’ patients of the breach, and the termination of client relationships with AMCA. This result doesn’t even begin to cover the costs that LabCorp and Quest could incur due to possible HIPAA violations.
No matter what industry you work in, it is likely that your company uses a third party vendor, even in a limited capacity, for day-to-day operations. Are you sharing critical, sensitive or proprietary information with your vendor? If so, do you know the nature of the data sharing relationship between your company and theirs? If the answer is along the lines of ‘probably not’, then you have some work to do.
Though the rules of every industry are different, on the whole you are still responsible for your customer data no matter who you may turn it over to. If there is a breach, it doesn’t matter if it was caused by something that was out of your company’s control; your customers are going to come to you first for explanations and redress. As such, you need to work to mitigate as much outside risk as possible, and short of cutting off all third party vendor contact and taking all operations internal, the best way to do this is with a standardized and transparent Third Party Risk Management Program (TPRMP).
TPRMPs are going to look different for every company across every industry, but on the whole they should include these three parts:
An introspective review – Before signing on the dotted line with your potential vendor, you need to have discussions with your business owners and IT and cybersecurity experts to assess your company and determine what information and data needs protecting and why. It’s too easy to say ‘everything’ so your company really needs to dive down and understand what assets, intangible or otherwise, are most important.
Once you make that determination, when you share this data with your trusted vendors, you will be in a position to explain what is important and why. It is incumbent on you to inform your vendor about the criticality of the data you are sharing and ensure they have the proper level of protection. Once you complete the internal assessment and determine what information and data is critical to your company, you need to create and embrace a third party risk management program. One tool within this program is a questionnaire that you can share with your vendor so they can perform a self-assessment on their cyber and IT controls to ensure your data remains secure.
Risk Assessment – With the questionnaire in hand, your company needs to explain to the vendor that the information you are sharing is critical and why. You will ask them to complete the questionnaire so you can gain an understanding of their control environment. In some circumstances, you may go beyond the self-assessment questionnaire and perform an onsite assessment to validate that what they have in place is accurate. Once you have gathered the information on the vendor you will need to have a qualified professional, either internal to your company or a trusted partner, review the responses and determine if the control environment at the vendor is adequate to protect your data.
One major area to consider will be to evaluate how your own company will be exchanging information and resources with the vendor. Remember that not all data is shared via email or electronically and people sometimes forget that physical items such as prototypes are sensitive and critical. You also must remember that the kind of data you share may change over time, along with the mechanisms for sharing. Your relationship with the vendor is ongoing and the risk assessments that you perform on your vendor should evolve and align over time. Once you have a qualified person make a final determination of your risk by engaging with a vendor you are then able to make an informed business decision.
Continuous Updating – TPRMPs are not one and done once you sign on the dotted line. Threats evolve every day and your TPRMP needs to evolve with them. Before you engage with your vendor you should have asked them not only what their plans are to continuously improve their security, but how they will inform you about it. Beyond the initial questionnaire or assessment, a carefully written contract with your vendor regarding the responsibilities of each party in maintaining the confidentiality, integrity, and availability of the entrusted data is critical to a successful and secure relationship and partnership. Clear communication to the vendor and continuous attention to the control environment will help ensure that the data entrusted will remain secure and private and that the “B” word, bankrupt, does not happen to your company.
It is possible, and likely, that Quest and LabCorp had a TPRMP in place with AMCA when they engaged them as a vendor. However, something went wrong, and now a large corporation is going under and millions of people are exposed to fraud. The cause of this major security and data breach will come out over time, and the lessons learned will hopefully strengthen other TPRMPs to help ensure similar breaches are not experienced. All good Cyber Security programs, including TPRMPs, must evolve and get stronger with time and the lessons learned from various breaches.
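The three parts above (classify what you share, score the vendor’s questionnaire against the protection that classification demands, and schedule the re-assessment) fit together as one repeatable evaluation. The following is an added example written for this page, not MGO Technology Group’s program or any standard questionnaire; the data tiers, control list, weights, required scores, and review intervals are constructed assumptions that a real program would set from its own policy.

```python
from datetime import date, timedelta

# Hypothetical data classification tiers (the output of the introspective review).
CRITICALITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Constructed self-assessment questionnaire: control id -> weight.
QUESTIONNAIRE = {
    "encrypt_at_rest": 3,
    "encrypt_in_transit": 3,
    "mfa_for_admins": 2,
    "patching_within_30d": 2,
    "incident_notification_72h": 3,
    "annual_pentest": 1,
    "staff_background_checks": 1,
}

# Minimum weighted score required, keyed by the highest tier of data shared.
REQUIRED_SCORE = {0: 0.0, 1: 0.5, 2: 0.75, 3: 0.9}

# Controls that must be present, whatever the score, when regulated data is shared.
MANDATORY_FOR_REGULATED = {"encrypt_at_rest", "encrypt_in_transit",
                           "incident_notification_72h"}

# Re-assessment cadence per tier (continuous updating, not one and done).
REVIEW_INTERVAL_DAYS = {0: 730, 1: 365, 2: 365, 3: 180}


def highest_tier(data_shared):
    """Highest classification among the data types shared with the vendor."""
    return max((CRITICALITY[d] for d in data_shared), default=0)


def assess_vendor(name, data_shared, answers, assessed_on):
    """Score a vendor's questionnaire against the tier of data it will receive.

    answers maps control id -> True if the vendor attests the control is in place.
    Returns a dict an assessor can act on: decision, gaps, onsite flag, next review.
    """
    tier = highest_tier(data_shared)
    total_weight = sum(QUESTIONNAIRE.values())
    achieved = sum(w for control, w in QUESTIONNAIRE.items() if answers.get(control))
    score = achieved / total_weight
    gaps = [control for control in QUESTIONNAIRE if not answers.get(control)]

    reasons = []
    if tier == CRITICALITY["regulated"]:
        missing = sorted(MANDATORY_FOR_REGULATED.intersection(gaps))
        if missing:
            reasons.append(f"mandatory controls missing for regulated data: {missing}")
    if score < REQUIRED_SCORE[tier]:
        reasons.append(f"score {score:.2f} below required {REQUIRED_SCORE[tier]:.2f} for tier {tier}")

    return {
        "vendor": name,
        "tier": tier,
        "score": round(score, 3),
        "gaps": gaps,
        # Self-assessment alone is not enough once confidential data is involved.
        "onsite_validation": tier >= CRITICALITY["confidential"],
        "decision": "approved" if not reasons else "remediation required",
        "reasons": reasons,
        "next_review": assessed_on + timedelta(days=REVIEW_INTERVAL_DAYS[tier]),
    }


def review_due(assessment, today):
    """True when the scheduled re-assessment date has passed."""
    return today >= assessment["next_review"]


if __name__ == "__main__":
    # Constructed sample vendors and answers (not real companies).
    billing = assess_vendor(
        "billing-vendor", ["regulated", "internal"],
        {c: c != "annual_pentest" for c in QUESTIONNAIRE}, date(2024, 3, 1))
    printer = assess_vendor(
        "print-shop", ["internal"],
        {"encrypt_in_transit": True, "mfa_for_admins": True}, date(2024, 3, 1))
    for result in (billing, printer):
        print(result["vendor"], result["decision"], result["reasons"])
```

Separating the mandatory-control check from the weighted score reflects the article’s point that the vendor must be told what is critical and why: a high overall score does not excuse a missing breach-notification commitment when regulated data is shared, and the review date comes from the data tier rather than from the contract anniversary.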