Manufacturing CFO Summit Series: Preventing Financial Risk and Fraud

The coronavirus pandemic has impacted nearly every business in some way or another, and few industries understand this better than manufacturers. At our Manufacturing CFO Summit, held virtually, our own Joan Bell, Project Management Office Director, Joe Morris, former CFO of an oil and gas company and Sikich senior consultant, and Kevin Bong, Cybersecurity Director, discussed how to protect your financial stability by preventing financial risk and fraud.

Biggest risk factors

Joe explained that the big risk factors right now are not solely the pandemic, because what the pandemic has done, business-wise, is expose weakness. He points specifically to weaknesses in risk management strategies, business strategies, and overall internal infrastructure. With the infrastructure, he says that as businesses are becoming more visible online through e-commerce transactions, “fraud just continues to grow.”

“Additionally, because users are working remote, it exposes the weaknesses in overall infrastructure to be able to manage that security risk,” he added. “We’ve had probably half a dozen very disturbing cases that I personally have seen because of that.”

Kevin concurred with Joe’s assessment when it comes to fraud. “We’re seeing a lot of takeover fraud, where customers are receiving fraud alerts regarding wire transfers for different bank accounts,” he said. “Attackers are getting very sophisticated with their phishing attacks. They start with a compromised mailbox of maybe a business partner you work with or something like that. So now you are getting emails from a trusted person and they look like what you would expect from that person. If it’s something critical, like wire transfer instructions or a balance you should change or something like that, you need to pick up a phone and verify it.”

Kevin also mentioned that another uptrend he’s seeing with cybersecurity is ransomware, especially with manufacturers.

Risk Factors Surrounding Customers, Credit, and the Supply Chain

Joe also pointed out that it has been an “unusual year” when it comes to customers and credit, not to mention the supply chain. He has seen situations where customers who have always paid bills on time suddenly have outstanding invoices. Customers that were never a credit risk suddenly are credit risks.

Joan Bell explained that some of this is due to the new remote workforce, especially when it comes to the supply chain. “There might not be that opportunity to stand up and look over their cubicle and say, ‘Hey, what’s going on with this shipment?’ They have no idea that the quality on a shipment was bad. That’s why an invoice is out there waiting to be paid. So just that opportunity to ask questions as their workforce is growing remote, we’re seeing more and more of an emphasis of putting a stop on the things that people can do that normally when they worked in an office side-by-side, there might’ve been a little bit more leniency,” she said.

In other words, sending everyone remote has inadvertently created communication problems, especially with the emphasis upon security roles and a “segregation of duties.”

To combat these risk factors, more clients have requested security setup services as well as help with compliance. Fortunately, Microsoft Dynamics 365 for Finance and Operations (D365FO) already has that ability baked in. In addition, Joan said she has been urging her clients to employ Power BI, strategic analyses, and the platform's predictive capabilities to stay on top of credit risks before they happen.

Forecasting to Hedge Risks

There has never been a forecasting model for a pandemic, which has forced many companies to restructure how they forecast on the fly. Because things are moving so quickly, with so much change and so many risks, forecasting models must be more on demand. Data accumulated over weeks’ time no longer portrays an accurate picture in these times. D365FO, however, has better predictive elements of forecasting.

As a result, companies still dealing with older infrastructures and technologies do not have the on-demand forecasting capabilities needed to stay on top of potential risks.

Remote Workforce Security Risks

These newer technologies, like D365FO, also help keep company data secure. One main reason is that by running D365FO in the cloud, the organization is relatively safe from ransomware. Ransomware only works when attackers can break into the organization’s internal network and encrypt critical servers and workstations. When everything is in the cloud, it does not matter if the internal network is encrypted, because recovering files from the cloud is relatively simple.

Moving to the cloud is one way to prevent ransomware attacks, but with businesses moving to a remote workforce, the cloud is not enough. Companies must stop attackers from getting in at all, especially with remote access services that are easier for attackers to break into.

Secure configurations for remote workers

The best way to prevent attackers from accessing remote services is to first make sure the services are configured securely. By this we mean giving employees a work laptop they can use at home, configuring that laptop with a software firewall, allowing the user to only VPN or remote in from that laptop, and setting up two-factor authentication for the laptop and access. Allowing employees to use home computers to access the VPN is an incredibly high security risk. Basically, companies need to make sure that the way remote workers access the business network is just as secure as it would be if the workers were in the office.

Two-factor authentication

Next, make sure that all remote services require two-factor authentication. In addition, strong, 16-character passwords that require both special characters and complexity are a must.

“We’re seeing a lot of organizations that are buying anti-virus and think that it’s working well and deployed everywhere, but then during the breach, they find out that it was missing on a lot of machines, it wasn’t up to date, all the cool features weren’t turned on, and that all let the attack happen,” Kevin said. “Backing up to the cloud, backing up to discs or tape that go offline so an attacker can’t delete them, looking at solutions so an attacker who steals all your passwords can’t also delete all your backups are probably the key things that everybody regrets after they have one of these ransomware attacks.”

Managing Risk and Fraud with D365FO

So why rely upon D365FO to manage your business’s risk and fraud? For starters, Joe Morris ticks off that it provides a lot of automation and a lot of predictive analytics, including real-time predictive analytics. It is also hosted in the cloud, so it is protected by Microsoft, and Microsoft even handles all of the updates. Having all that security in place is a huge cost savings from the beginning.

What about cyber liability insurance?

From Kevin Bong’s perspective, cyber liability insurance is a worthwhile investment.

“When someone has one of these ransomware breaches or any kind of security incident, the costs start stacking up very quickly between having an investigation to figure out how they got in, between stopping and repairing, etc.,” he explained. “One of the things we’re seeing these attackers do, in addition to encrypting your data, is also posting in what they call malware shaming sites. Within a day or two of you getting the attack, they have disclosed out to the general internet that you’ve been attacked and here’s a bit of your data and more of it is coming.

“So in addition to dealing with the hack, you’re dealing with public notifications, dealing with attorneys. Again, all that adds up and the cyber liability insurance makes that process a lot easier to know that you have that. A lot of them will provide a breach coach to help you through a lot of that. So if you aren’t really ready and prepared, they’re holding your hand a bit through it.”

Of course, he also points out that with Sikich as your security and D365 partner, we can help you through breaches and help prevent them as well. If you have any questions about how we can help you avoid risk with D365FO, please contact us at any time.
