Yesterday’s hackers, whose exploits were often designed to earn bragging rights within the hacker community, have given way to far more sophisticated cyber criminals in pursuit of cold, hard cash. Some penetrate databases to steal the personally identifiable information (PII) of employees and customers. Others steal intellectual property and business data. Some use what they steal themselves; others sell it to other criminals.

Which companies are hackers targeting? “The main focus of hackers seeking PII is midsize companies,” says Paul Viollis, CEO of Risk Control Strategies (RCS), a security and investigative firm. Why? “They’re perceived as the path of least resistance.”

Midsize organizations with up to 100 employees and $100 million a year in revenue “lack the security budgets of their big business peers,” explains Tim Matthews, director of product marketing at Symantec, a leading security systems provider.

A recent Symantec survey of more than 2,000 small and midsize enterprises found that 73% had been victimized by cyber attacks, and the cost cannot be measured in dollars alone. “There’s always the risk of customers no longer conducting business with you,” Matthews says. “Once your reputation is tarnished, shutting down becomes a very real possibility.”

Midsize enterprises are vulnerable to a variety of exploits, including “phishing,” in which employees are lured to phony websites through email or IM; SQL injection attacks, in which attacker-supplied input is spliced into a poorly written web application’s database queries so that the attacker can read, alter or dump the database behind the site; and bots that take over machines, turning them into “zombies” that criminals can control – the list is long. Legacy systems that haven’t been diligently patched or upgraded to guard against new threats are particularly vulnerable.
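The SQL injection problem mentioned above comes down to one habit: building a query by pasting user input into the SQL text. The following is an added illustration, not code from the original article or from any company it names. It runs against an in-memory SQLite table filled with constructed sample rows and shows the same lookup written the vulnerable way and the hardened way; the table, rows, and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user's input is concatenated into the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the SQL text is fixed and the value is passed separately as a
    bound parameter, so whatever the user typed is only ever compared as data."""
    query = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with an honest name and with a classic tautology payload."""
    conn = make_db()
    payload = "x' OR '1'='1"  # turns WHERE username = 'x' into ... OR '1'='1'
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "injected_vulnerable": lookup_vulnerable(conn, payload),
        "honest_parameterized": lookup_parameterized(conn, "alice"),
        "injected_parameterized": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the concatenated query returns every row in the table, which is exactly the “gut the contents” outcome the article describes; the parameterized query returns nothing because no customer is literally named `x' OR '1'='1`. The same rule applies to every database driver: keep the query text constant and bind the values.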

Social engineering – the art of tricking people – has caused more security breaches than all external attacks combined, according to 403 Web Security, a web-application development company.

Social engineering was behind a March 2011 data breach at security firm RSA. Employees received an email with the subject line “2011 Recruitment Plan” and an attached spreadsheet. Once opened, the spreadsheet installed a backdoor on RSA’s network, and the intruders went on to extract information related to RSA’s SecurID tokens. Estimates of what RSA’s parent, EMC, spent to clean up the fallout have run north of $66 million.

“We’ve estimated that a data breach costs companies an average of $214 per compromised record, and this excludes litigation and reputation-related issues that are difficult to measure,” says Larry Ponemon, founder of the Ponemon Institute, which focuses on data-protection practices.

Ponemon agrees that today midsize enterprises are in the crosshairs. “Why hack into a major retail bank that has topnotch security when you can hack into a much smaller enterprise that has access to the bank’s data?” Ponemon asks. “It’s easier to break into the side door than the front door.”

And those side doors aren’t locked at many midsize organizations. Of the 761 data breaches investigated in 2010 by the US Secret Service and Verizon Communications’ forensics analysis unit, 63% occurred at companies with 100 or fewer employees.

Most of those breaches were far less sophisticated than the RSA hack. A recent Ponemon survey cites lost or stolen mobile devices as the fastest-growing security risk. Nor does the risk go away when the work is handed to someone else. “Companies think because they outsource services or security they also outsource liability,” says Toby Merrill, vice president at insurer ACE Professional Risk. “They’re wrong.”

Forty-six states have data breach laws that require organizations to notify anyone whose personal data may have been compromised. Massachusetts is the toughest, stipulating penalties of up to $5,000 per violation. Multiply that by thousands of affected customers, and the potential cost to the enterprise is staggering. These laws make it clear that responsibility lies with the company that collected and stored the data. “That’s who will be sued,” Merrill says.

But many midsize businesses believe the cloud offers greater security. Boloco, a $20 million chain of 18 burrito restaurants, stores customer information in the cloud via NetPOS, a point-of-sale systems provider. “No credit-card swipe lives in our system,” says Boloco CFO Patrick Renna. “Our philosophy is to leverage the security expertise of much larger companies that have resources we don’t.”

Boloco requires its various software-as-a-service providers to comply with the payment-card industry’s data-security standard (PCI DSS) and with the SAS 70 auditing standard, under which an independent auditor evaluates and issues an opinion on the provider’s controls. Boloco also assesses its providers’ finances. That’s smart, says Tracey Vispoli, global cyber solutions manager for the Chubb Group of Insurance Cos.: if you end up suing, you want your provider to be solvent.

What else can midsize companies do? If they had the cash, they could hire a security guru and implement encryption, firewalls, intrusion detection, and other security tools. But today, as RCS’s Viollis notes, “how many midsize enterprises have cash to spare?”

There are, however, measures that won’t break the bank, notes Alan Wlasuk, CEO of 403 Web Security. He suggests starting with a relatively inexpensive scan of your IT system to determine its vulnerabilities, educating your staff about the threat of social engineering, and keeping up with security fixes.

And, since hackers aren’t the only ones breaking into databases (disgruntled employees and those experiencing tough financial times are other threats), it’s smart for CFOs to insist upon background checks for new employees and the implementation of strict data-access rules, so that each department can reach only the data its job actually requires.

Other relatively low-cost measures include mandating strong passwords (at least eight characters, with a mix of numerals and upper- and lower-case letters). Customer data should be kept off laptops, smartphones, and USB drives unless it is encrypted or, at the very least, password protected. Also, it’s not smart to store data you no longer need; erase it.

Finally, consider buying cyber insurance. “The cost has come down by more than 20% from five years ago,” according to Robert Parisi, senior vice president of insurance broker Marsh. Plus, he says, insurers are tossing in freebies such as security assessments, victim breach notification, and credit monitoring.

“In an era where a lot of companies have cut into IT resources, insurance can be as important as the firewall,” Ponemon says. “With cyber insurance,” ACE’s Merrill adds, sounding like a salesman, “you’re buying more than coverage; you’re buying peace of mind.”


Sometimes taxpayers need a copy of an old tax return, but can’t find or don’t have their own records. There are three easy and convenient options for getting tax return transcripts and tax account transcripts from the IRS: on the web, by phone or by mail. There are eight things you need to know about getting federal tax return information from a previously filed tax return.

  1. You can order transcripts online or by phone for the current tax year as well as the past three tax years. Earlier tax years must be requested with Form 4506T-EZ, Short Form Request for Individual Tax Return Transcript.
  2. A tax return transcript shows most line items from your tax return as it was originally filed, including any accompanying forms and schedules. It does not reflect any changes made after the return was filed.
  3. A tax account transcript shows any later adjustments either you or the IRS made after the tax return was filed. This transcript shows basic data, including marital status, type of return filed, adjusted gross income and taxable income.
  4. To request either transcript online from this website use our online tool called Order a Transcript. To order by phone, call 800-908-9946 and follow the prompts in the recorded message. When you use these automated self-service options, the selected transcript will be mailed to your current address of record. To have your transcript mailed to a different address, complete and mail Form 4506-T, Request for Transcript of Tax Return. The IRS does not charge a fee for transcripts.
  5. To request a 1040, 1040A or 1040EZ tax return transcript through the mail, complete IRS Form 4506T-EZ. Businesses, partnerships and individuals who need transcript information from other forms or need a tax account transcript must use the Form 4506T.
  6. If you order online or by phone, you should receive your tax return transcript within five to 10 calendar days from the time the IRS receives your request. Allow 30 calendar days for delivery of a tax account transcript if you order by mail using Form 4506T or Form 4506T-EZ.
  7. If you still need an actual copy of a previously processed tax return, it will cost $57 for each tax year you order. Complete Form 4506, Request for Copy of Tax Return, and mail it to the IRS address listed on the form for your area.  Copies are generally available for the current year as well as the past six years. Please allow 60 days for actual copies of your return.
  8. Visit this website to determine which form will meet your needs. Forms 4506, 4506T and 4506T-EZ can be downloaded here or by calling the IRS forms and publications order line at 800-TAX-FORM (800-829-3676).

Links:

YouTube Videos:

How to Request a Copy of Your Tax Return English | Spanish | ASL


Using the latest technologies, the IRS offers multiple avenues for you to get tax information. If you have a smartphone, we have an app! If you like to watch videos from your phone or computer, we have dozens of helpful YouTube videos…and, of course, follow us on Twitter.

Check out how the IRS delivers the latest tax information, initiatives, products and services through social media.

1. IRS2Go The IRS recently launched a smartphone application that allows you to interact with the IRS using your mobile device. Our app can help you get your refund status and tax updates. IRS2Go is available for the iPhone or iPod touch and for Android.

2. YouTube The IRS offers short, informative videos on an assortment of tax-related topics through our YouTube Video channel. The videos are offered in English, American Sign Language and a variety of foreign languages.

3. Twitter IRS tweets include tax-related announcements, news for tax professionals and updates for job seekers. Follow us @IRSnews.

4. Audio files for podcasts These short audio recordings provide useful information on one tax-related topic per podcast. They are available on iTunes or through the Multimedia Center on IRS.gov (along with their transcripts).

5. Widgets These tools, which can be placed on websites, blogs or social media networks, direct others to IRS.gov for information. The widgets feature the latest tax initiatives and programs and can be found on Marketing Express, the marketing site that allows IRS partners and tax preparers to customize their IRS communications products.

6. RSS Really Simple Syndication, or RSS, is an easy way to gather a wide variety of content in one place on your computer and to get the news you want whenever it is updated, even if you are not on our website. The IRS now offers RSS feeds.

Keep in mind that the IRS uses these tools to share information with you. Do not post any confidential information on new-media or social-media sites, especially your Social Security number. The IRS will not be able to answer personal tax or account questions through any of these services.

To find links to all of IRS’s social media tools, visit www.irs.gov and click on “Social Media.”

Links:

YouTube Videos:

Connect with IRS: English | Spanish | ASL


The Internal Revenue Service receives thousands of reports each year from taxpayers who receive suspicious emails, phone calls, faxes or notices claiming to be from the IRS. Many of these scams fraudulently use the IRS name or logo as a lure to make the communication appear more authentic and enticing. The goal of these scams – known as phishing – is to trick you into revealing your personal and financial information. The scammers can then use your information – like your Social Security number, bank account or credit card numbers – to commit identity theft or steal your money.

Here are five things the IRS wants you to know about phishing scams.

1. The IRS never asks for detailed personal and financial information like PINs, passwords or similar secret access information for credit card, bank or other financial accounts.

2. The IRS does not initiate contact with taxpayers by email to request personal or financial information. If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site:

• Do not reply to the message.
• Do not open any attachments. Attachments may contain malicious code that will infect your computer.
• Do not click on any links. If you clicked on links in a suspicious e-mail or phishing website and entered confidential information, visit the IRS website and enter the search term ‘identity theft’ for more information and resources to help.

3. The address of the official IRS website is www.irs.gov. Do not be confused or misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov. If you discover a website that claims to be the IRS but you suspect it is bogus, do not provide any personal information on the suspicious site and report it to the IRS.

4. If you receive a phone call, fax or letter in the mail from an individual claiming to be from the IRS but you suspect they are not an IRS employee, contact the IRS at 1-800-829-1040 to determine if the IRS has a legitimate need to contact you. Report any bogus correspondence.  You can forward a suspicious email to phishing@irs.gov.

5. You can help shut down these schemes and prevent others from being victimized. Details on how to report specific types of scams and what to do if you’ve been victimized are available at www.irs.gov. Click on "phishing" on the home page.
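Point 3 above (the real site is www.irs.gov; lookalikes end in .com, .net, .org) is a check that can be automated for links in incoming mail. What follows is an added example, not code from the IRS or from the original post. It parses each URL and accepts only hosts that are irs.gov or a subdomain of it, which is stricter than searching for the string "irs.gov" somewhere in the link; the sample links are constructed for the demonstration and are not taken from real phishing messages, and the function names are the author's own.

```python
from urllib.parse import urlsplit

# The only legitimate domain named on the page. Subdomains such as www.irs.gov
# are accepted; every other host is treated as suspect.
LEGITIMATE_DOMAIN = "irs.gov"


def is_official_irs_url(url: str) -> bool:
    """Return True only when the URL's host is irs.gov or a subdomain of it.

    The URL is parsed rather than string-searched because phishing links
    routinely place the real name somewhere other than the host: in the path,
    in a user@ prefix before the actual host, or as the leading labels of a
    longer domain the attacker controls (irs.gov.example.net).
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # drops userinfo, port and brackets; lower-cases
    if not host:
        return False
    host = host.rstrip(".")  # "irs.gov." names the same zone in DNS
    return host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN)


# Constructed sample links for the demonstration (hypothetical, not real mail).
SAMPLE_LINKS = [
    "https://www.irs.gov/individuals/get-transcript",
    "http://irs.gov/",
    "http://www.irs.gov.com/refund",           # .com lookalike
    "http://www.irs-gov.net/login",            # hyphenated lookalike
    "http://www.irs.gov@198.51.100.7/refund",  # real name before '@'; host is the IP
    "http://example.org/www.irs.gov/refund",   # real name only in the path
    "https://irs.gov.example.net/",            # real name as a subdomain of another domain
    "ftp://www.irs.gov/",                      # not a web link at all
]


def classify(links) -> dict:
    """Map each link to 'official' or 'suspect'."""
    return {u: ("official" if is_official_irs_url(u) else "suspect") for u in links}


if __name__ == "__main__":
    for link, verdict in classify(SAMPLE_LINKS).items():
        print(f"{verdict:8} {link}")
```

Only the first two sample links pass. The same parse-then-compare pattern applies to any organization's domain; what it does not do is verify where a link actually leads after redirects, so a link that passes this check still deserves the same caution as any other if the message itself was unexpected.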

Links:

YouTube Videos:  Phishing Scams – English | Spanish | ASL

In a market transformed by globalization, technology advances, and economic volatility, companies must better differentiate their customer value propositions.

The priority is to build an understanding of which products and services customers value – and what they are willing to pay for them. But, with up to 95 percent of products failing to launch, most companies struggle.

At the heart of the problem is a disconnect between how well companies think they serve the market and how highly customers rate their experiences. Accenture puts this disparity into context. Across blue-chip organizations surveyed in our 2011 Customer Analytics Survey, 55 percent of executive respondents believe their methods for segmenting customers and delivering relevant experiences are either “ideal” or “very good.”

Those findings contradict consumer research. Just 21 percent of respondents to Accenture’s Global Consumer Survey believe they receive tailored, relevant experiences from service providers; indeed, two out of every three consumers changed providers in the past year.

Many organizations perform statistical and quantitative analysis to segment customers. A huge opportunity exists to extend these capabilities ultimately to heighten customer experiences. Those that capitalize will be able to improve their bottom lines.

The tools to make this happen are available, but a wider emphasis is needed. Research shows that instead of using analytics to hone customer value propositions, the most commonly used metrics for analyzing customers remain internally driven. The emphasis is on understanding profit per customer, lifetime value, and share of wallet – all relevant, but they address only half the equation.

Indicators of customer requirements, such as consumer preferences, are often the least used. Just 14 percent of respondents use analytics to customize pricing. Seventy-seven percent are overlooking the potential for data-driven insights in product delivery. And 59 percent fail to apply analytics to their product development.

Bombarded with marketing messages, consumers are now selective. They trust peer reviews on products and brands more than they do ads. When their value expectations are not met, they switch providers and share their customer experiences via social media.

The opportunity for companies to seize a competitive edge is enormous. More than half of those surveyed are not taking advantage of analytics to help them target, service, or interact with customers.

Less analytically mature organizations are more likely to perceive their data sources as accurate than organizations with more developed analytics capabilities.

Corporate culture also poses challenges. Though almost 70 percent of respondents said their senior management was highly committed to analytics and fact-based decision-making, less mature organizations struggle with a lack of ownership for this vital capability. Even among more mature analytical organizations, budget limitations, departmental culture, and a lack of senior management support were cited as obstacles.

Sales and marketing teams have better data, and more of it, at their disposal than ever. But how should they integrate analytics? For one thing, these teams can attract analytics experts through stimulating work environments. They can focus their analytics capabilities for maximum business impact, creating centralized analytics “engine rooms” that can underpin fact-based decision-making.

Quality of data is key; key information on customer needs, pricing, and product performance is critical. Accountability and education also are vital. Leaders must shepherd the application of analytical insights.

It’s critical that organizations remain persistent and accept that changes in decision-making, processes, systems, and cultures cannot happen overnight.


Cell-phone markets in Central America and Southeast Asia were booming early in the decade, and Alcatel SA paid dearly to get in on the action, in more ways than one.

The Paris telecommunications giant doled out $8 million in bribes to “consultants” (including a well-connected perfume distributor in Honduras) to gain access to key government officials awarding lucrative contracts in four countries. When its actions came to light, subsequent prosecution under the Foreign Corrupt Practices Act (FCPA) led to fines estimated to exceed $130 million.

In December, the federal government cited a “lax corporate control environment” at Alcatel, which extended right up to the CEO and CFO, as a primary cause of the scandal. It was a finding that more companies should take to heart.

Nearly a decade after the passage of the Sarbanes-Oxley Act, and amid heightened FCPA enforcement, the responsibility for shaping what is often called a “culture of compliance” inside US corporations falls heavily on the C-suite – and, more than ever, on the CFO.

A culture in which employees feel they can report illegal activities or abuses can prevent problems from becoming disasters. This pertains not only to financial controls under the CFO’s purview but also to a broad range of operational risks, which can result in costly disasters like last year’s oil-rig explosions in the Gulf of Mexico and the implosion of Enron. In both cases, employees accused top management of ignoring their concerns about dangerous internal practices.

Who to warn, and how, remain open questions at most firms, but “if a CFO says, ‘That’s not my department,’ he or she should be fired,” says David Gebler, president of corporate-ethics consultancy Skout Group.

Last December, on the very day that Alcatel-Lucent (the companies merged in 2006, after the events in question were said to have taken place) settled the criminal case, CEO Ben Verwaayen, who joined the company after the violations had occurred, broadcast a message reemphasizing the importance of the company’s zero-tolerance policy for bribery. In an e-mail sent to 78,000 employees deployed in 130 countries, he said that Alcatel-Lucent’s hardware and software sales are “based entirely on the value they bring to our customers. We cannot afford or tolerate any compliance violations, both financially and in terms of our reputation.”

Clear communication from the CEO is a critical first step, but it’s hardly the only step needed. Changing a company’s culture is extremely difficult, and often requires senior executives to untangle delicate in-house politics, agitate profitable operations overseas, and relentlessly police the entire organization’s compliance program. No single e-mail or ethics training course will achieve that.

CFO interviewed more than a dozen experts and examined several notable legal cases and compliance failures to determine the five most effective things finance executives can do to prevent risky or illegal activities.

Acknowledge That You Are Responsible

While the actions of a salesperson on the other side of the globe may seem well outside a CFO’s purview, Sarbox says otherwise. When CFOs sign off on financial statements, as they must do under the act, they are also verifying the accuracy of all corporate records, says Marie Hollein, president and CEO of Financial Executives International.

Adding to the pressure, the federal government recently gave whistle-blowers a powerful incentive to snitch. The Dodd-Frank Act awards bonuses of up to 30% of enforcement penalties to individuals who provide “original information” about illegal activity by their employer. Understanding the implications of the new incentives and crafting a policy that encourages employees to speak up is essential.

Make the Corporate Counsel Your Ally

As every finance chief knows, there is a crackling tension between compliance and the company’s or business unit’s mandate to perform. CFOs who tackle compliance issues may feel they are entering a political minefield. In such cases, don’t go it alone.

Stephen Pedneault, founder of Forensic Accounting Services, cites a common example: the salesperson who posts big numbers yet puts tens of thousands of dollars in personal expenses on the company credit card. Every month, the CFO approves the expenses, which aren’t tax deductible and should be reported to the Internal Revenue Service on the salesperson’s W-2.

If a CFO questions this, the CEO or the head of the salesperson’s business unit may offer the kind of non-response that Pedneault characterizes as, “Thank you for pointing it out; if it gets abusive we’ll take care of it.” That kind of see-no-evil culture has serious ramifications; if employees know such abuse is taking place, it sends a signal that they can abuse the system, too. An employee might say to himself, “If that guy can do it, why can’t I?” says Pedneault.

Thomas Quilty, head of BD Consulting and Investigations, recommends that CFOs establish a strong relationship with the general counsel, who typically has the credibility to make a strong case that a problem is serious and must be addressed. “The corporate counsel wields enormous power within any corporation,” Quilty says. “Any CFO who is not listening to the corporate counsel has got to be crazy.”

Really Deliver the Message

“I am sick of the phrase ‘tone at the top,’” says Tracy Coenen, a Chicago investigator. Sending a message from on high is far more effective, she says, when it’s coupled with some face time. Making the effort to deliver this important message in person shows that “you’re a real person, and [your employees] can hear you say that it’s important to have an ethical company.”

The definition of “the top” is also changing. Regulators are demanding that boards of directors assume greater responsibility for shaping a company’s culture. The US Justice Department’s recent bribery case against Panalpina blamed “a culture of corruption,” which “trickled down” from the board and senior executives to “employees who accepted bribery as a part of Panalpina’s standard business practice.”

Employees even adopted a nickname – “apples” – for bribes, according to the November settlement by the global oil-industry logistics firm. Panalpina pleaded guilty to two violations of the FCPA regarding $49 million in cash bribes paid to customs and government officials in Angola, Azerbaijan, Brazil, Nigeria, Russia, and Turkmenistan.

Bill Pollard, a Deloitte Financial Advisory Services partner in Chicago, says companies often make the mistake of putting responsibility for various compliance matters into separate “silos.” Compliance should be “woven throughout the fabric of the organization,” including the board. Pollard adds that executives responsible for compliance should have “unfettered access to the board.”

At DuPont, employees in 90 countries receive ethics and compliance training, often from the senior-most executive in each country. As a result, the culture is shaped “not just by someone saying this is important, but by demonstrating it,” says Donna Grier, general auditor and chief ethics and compliance officer at DuPont headquarters in Wilmington, Delaware.

DuPont’s message and values are constantly reiterated, she adds. During Chinese New Year, for example, the company highlights employees in China who refuse to accept customers’ traditional offers of cash gifts.

Educate Front-Line Managers

While senior executives must set the tone, it is critical that front-line employees feel comfortable in the role of watchdog. When these employees raise potential issues, midlevel bosses and front-line supervisors should know how to respond. Otherwise, employees who know about illegal activities may not tell anyone, out of a fear of being retaliated against or fired. A raft of research has shown that an employee’s behavior is far more influenced by his or her direct supervisor or operating-unit head, versus a C-level executive.

Many companies offer anonymous hotlines as a sort of workaround to that reality, yet only 5% of reports of misconduct come through such hotlines, says Patricia Harned, president of the Ethics Resource Center, a research nonprofit. “If supervisors aren’t supportive” of compliance, she says, “it’s likely employees will keep quiet when problems come up – or leave.”

Consultant Pat Gnazzo has experience with turning a corporate culture around from the inside. He was recruited as chief compliance officer at CA after a $2 billion accounting scandal at the software company in 2004. He says employees who know they are welcome to come forward can prevent systemic failures or scandals. “You may [still] have one person who does something bad in a vacuum. But you will never, ever have [systemic] organizational fraud,” he says.

Simulate A Crisis

When a crisis occurs, consultants say that it can be extremely difficult for C-suite executives to subsume their type-A personalities and develop a consensus-driven plan that can minimize further damage. For top managers who want to learn how politics and personalities can lead to a cover-up that worsens a crisis, consultants recommend they walk through who would be in charge if a crisis occurred.

Deloitte’s Pollard sometimes puts executives in a room and asks them to put on a fraudster’s hat: Could someone manipulate company records or processes to perpetrate a fraud, and if so, how? Who in the room has the knowledge and ability to commit fraud?

After one such series of brain-storming sessions, Deloitte catalogued more than 150 initial fraud risks for one public company. “When the CEO and the CFO saw that,” Pollard says, “it opened their eyes to things they had never considered.”

Spies Like You?

 

The days when a company could simply un-friend social media – hiding it behind a firewall so employees couldn’t access it – are disappearing faster than yesterday’s “Trending Now” topics on Twitter.

With an estimated 70% of social media use coming from mobile devices like smartphones, and new online communities popping up all the time, executives now have to decide whether, and how, to monitor employees’ social-media activity. “The time to completely block this activity has passed,” says social media strategist Mike Dwyer. “The only way to stop it would be to shut down the Internet.”

Tools for monitoring social-media activity come in different varieties. For instance, there is software that sits on the corporate network, continually scanning it for signs of social-media activity and flagging anything inappropriate or noncompliant. There is also monitoring software that requires employees to access social media through company-controlled technology.

But before investing in any enforcement tools, which can cost as much as $20 a month per employee, companies need to determine what their policy on social-media use will be.

“Social media is here to stay, so companies that block it are just removing themselves from the conversation,” says Dan Romine, co-founder and CEO of start-up SocialLogix, a producer of SocialSentry 2.0 (software that can monitor any public posts made by employees). But the potential consequences of a single social-media blunder can be disproportionate. Remember when a Burger King employee got the brand in hot water by posting a video of his soapy bath in a restaurant sink? “The results can be damaging to a company,” says Max Drucker, co-founder and CEO of start-up social-media screener Social Intelligence. “If a company hasn’t made its best efforts to protect itself, shareholders could potentially become very upset.”

A viable first step for employers is to warn workers that their social-media activity will be monitored during work hours. “It took the world a long time to understand that employees don’t own their company e-mail,” says Damian LaPlaca, a partner with Boston law firm Donovan Hatem who specializes in IP litigation. “People thought social media was different, but it really isn’t.”

Still, the decision to use monitoring tools is far from simple. Tom Goodmanson, president and CEO of software maker Calabrio, has tried such software but says, “I’m still struggling with how I want to use it. I’m interested in how people do their jobs. But culture is also incredibly important to me.”

For some, even purchasing such tools signals a larger problem. “I have enough faith and trust that I’ve got the right people in the right roles that they aren’t going to go out and damage the company,” says Tim Wissner, CFO of Windermere Real Estate. “If you don’t feel that way, then Facebook is not your biggest problem.”
