Recently, some of our government clients have asked us how to tell if their financial software offers good internal controls and protects their data adequately. They further wondered if their existing financial software needed to be upgraded and, if so, what the exposures could be if they did.
Their concerns are valid—and universal. Few organizations of any kind (public or private) can afford the financial loss or reputation damage that can occur if the “bad guys” break into your financial accounting system or any system, for that matter. For accounting departments everywhere, a breach can be disastrous. Here’s the hard part: The villain may not always be someone outside one’s organization.
Improper internal controls can tempt people inside an organization to funnel tax collections (or receivables) into the wrong hands or maybe change prices or edit rates—without detection.
Bottom line: It is critical to use your existing financial software correctly, upgrade when necessary, and know where and how the black hats operate. Upgrades can open you to new threats, but it’s important to be as up-to-date as possible. No one wants to get hacked.
ANSWERS TO YOUR CYBER-SECURITY QUESTIONS
- What do I risk if I ignore this issue?
For government agencies, the risk is losing the public’s trust. If the residents within an agency’s purview suspect that data has been breached, they will wonder what else is done incorrectly. They might question if the services their taxes support are being priced appropriately or performed to standards. Once trust is compromised in one area, other areas become suspect. And not acting preventively can be like not plugging a slow, undetected leak before the “tire” blows up in your face.
- What are the primary causes of cyber-security breaches?
It’s up to an organization’s management team, from the chief executive down, to be responsible for understanding and enforcing sound internal control policies surrounding cyber-security. Management should also keep up to date with newer software that offers better protection, because legacy software itself contributes to breaches: older financial programs have fewer safeguards built into their systems.
Another cause of breaches relates to how passwords are handled, as described in the next section.
- How can our management team ensure the security of our data?
Start with passwords. For the best results with proper password protocols, the City Manager, or other chief executive, will first decide who (what department or team) should be responsible for security overall. The City Manager or this designee would also determine who should not have access to all the passwords. Too much access by one person is dangerous.
For larger agencies, it could help to research and invest in a Privileged Access Management (PAM) initiative. PAM consists of the cybersecurity technologies and strategies aimed at controlling elevated (“privileged”) access and authorizations for processes, users, accounts, and systems throughout an IT ecosystem. PAM helps governments and corporations reduce their organization’s attack surfaces by discerning the appropriate level of privileged access controls. The idea is to prevent, or mitigate, the damage that external attacks and insider negligence or wrongdoing can deliver. Even so, audits must be included in the mix at regular intervals.
- When should audits of our software and cyber-security practices be performed?
In small-to-medium-sized organizations, the information director should be able to run spot checks and audits to discern unusual activities. Particularly after an employee leaves the agency or is promoted or demoted out of a work area, the passwords must be changed. Access to systems will be altered, upgraded, and downgraded as per the “privileges” matching each position and each data set. The privileges need to be audited/reviewed periodically (at least yearly) to ensure the agency has given the correct access to the appropriate levels within and outside the agency.
- What are the Red Flags that there’s a problem?
Sometimes, errors are caught during an internal audit of payables. Things are not matching, or rate changes have no documentation, perhaps. Another red flag is that certain people never seem to take their vacations. What are they hiding? Is one of your contractors getting a disproportionate share of the business? Is someone leaking the RFQ results so their buddy can always be lowest by “just enough” to get the bid? There’s always the “sniff test.” What doesn’t seem right? Smell right?
Oh…and workstations with people’s passwords on sticky notes? Those are huge Red Flags of loose internal controls.
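The red flags above can be turned into routine checks that an internal auditor runs over exports from the payables and procurement systems. The following Python script is an added example, not part of the original article or of any product it mentions; the vendors, rates, RFQ numbers and dollar amounts are constructed, and the thresholds (50% vendor share, 2% bid margin) are assumptions to tune for your agency. It flags rate edits with no supporting change order, a vendor receiving a disproportionate share of spend, and a bidder who repeatedly wins by “just enough” under the runner-up.

```python
"""Payables and procurement red-flag checks over constructed sample data.

All vendors, rates, RFQ ids and amounts below are invented for illustration.
"""
from collections import defaultdict

# Constructed rate-change log: (date, item, old_rate, new_rate, change_order_ref)
RATE_LOG = [
    ("2024-01-05", "water_per_kgal", 3.10, 3.25, "CO-1041"),
    ("2024-02-12", "permit_fee", 75.00, 60.00, None),        # edited with no paperwork
    ("2024-03-03", "water_per_kgal", 3.25, 3.25, "CO-1042"),  # value unchanged, not a finding
]

# Constructed payment ledger: (vendor, amount)
PAYMENTS = [
    ("Acme Paving", 420_000.0),
    ("Acme Paving", 310_000.0),
    ("Beta Builders", 150_000.0),
    ("Civic Supply", 120_000.0),
]

# Constructed sealed-bid results: (rfq_id, [(bidder, bid_amount), ...])
BIDS = [
    ("RFQ-7", [("Acme Paving", 98_500.0), ("Beta Builders", 100_000.0), ("Delta Co", 112_000.0)]),
    ("RFQ-8", [("Acme Paving", 247_000.0), ("Civic Supply", 250_000.0)]),
    ("RFQ-9", [("Beta Builders", 60_000.0), ("Acme Paving", 75_000.0)]),
]


def undocumented_rate_changes(rate_log):
    """Rate edits that actually changed the value but carry no change-order reference."""
    return [(d, item, old, new) for d, item, old, new, ref in rate_log
            if old != new and not ref]


def vendor_concentration(payments, threshold=0.5):
    """Vendors receiving more than `threshold` of total spend, with their share."""
    totals = defaultdict(float)
    for vendor, amount in payments:
        totals[vendor] += amount
    grand_total = sum(totals.values())
    return [(v, round(t / grand_total, 3)) for v, t in totals.items()
            if t / grand_total > threshold]


def narrow_wins(bids, margin=0.02, min_count=2):
    """Bidders who win at least `min_count` RFQs by less than `margin` below the runner-up.

    A single close win is normal; a pattern of them is the red flag the auditor wants.
    """
    wins = defaultdict(list)
    for rfq_id, offers in bids:
        ranked = sorted(offers, key=lambda offer: offer[1])
        if len(ranked) < 2:
            continue  # nothing to compare against
        (winner, lowest), (_, second) = ranked[0], ranked[1]
        if (second - lowest) / second < margin:
            wins[winner].append(rfq_id)
    return {bidder: rfqs for bidder, rfqs in wins.items() if len(rfqs) >= min_count}


if __name__ == "__main__":
    print("Undocumented rate changes:", undocumented_rate_changes(RATE_LOG))
    print("Vendor concentration:", vendor_concentration(PAYMENTS))
    print("Repeated narrow wins:", narrow_wins(BIDS))
```

Each function returns its findings rather than printing them, so the same checks can feed a monthly exception report; a finding is a prompt for the auditor to pull the supporting documents, not proof of wrongdoing.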
Final Recommendations and Thoughts
Passwords are the “gateway drug” for data smugglers inside and outside your organization. Passwords must be changed regularly, particularly after an employee has left the agency, been promoted, demoted, or moved laterally within the government organization. This practice should also extend to outside agencies and contractors (for governments) and vendors (for corporations) who have been given access to certain parts of the organization to facilitate transacting business. It’s okay to do so, but access and privileges must be monitored regularly.
Internal audits by your information systems director need to be performed annually at a minimum. In the meantime, the HR department must cooperate closely with the information systems team to confirm that everyone who still holds an account is still employed by the organization. Matching the job description and the employees’ roles to their access level and passwords is ongoing. It’s not a “once-and-done.”
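The periodic privilege review described in the audit section and here (departed employees, privileges matching each position, review at least yearly) comes down to reconciling the HR roster against the financial system’s user list. The script below is an added example, not code from the article or from any ERP vendor it names; the roles, systems, employees and dates are constructed, and the role-to-privilege matrix is an assumed entitlement model that each agency would define for itself.

```python
"""Access-review reconciliation: HR roster versus financial-system accounts.

Roles, systems, people and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed entitlement matrix: the highest privilege each role may hold per system.
PRIVILEGE_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}
ROLE_ENTITLEMENTS = {
    "ap_clerk":        {"payables": "write", "gl": "read",  "rates": "none"},
    "finance_manager": {"payables": "admin", "gl": "write", "rates": "write"},
    "it_director":     {"payables": "admin", "gl": "admin", "rates": "admin"},
    "contractor":      {"payables": "read",  "gl": "none",  "rates": "none"},
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    user: str
    emp_id: str
    system: str
    privilege: str
    last_reviewed: date


# Constructed HR roster (no real people).
HR_ROSTER = [
    Employee("E100", "A. Alvarez", "ap_clerk", "active"),
    Employee("E101", "B. Brooks", "finance_manager", "active"),
    Employee("E102", "C. Chen", "it_director", "active"),
    Employee("E103", "D. Diaz", "ap_clerk", "terminated"),
    Employee("V900", "VendorCo contact", "contractor", "active"),
]

# Constructed export of the financial system's user table.
ACCOUNTS = [
    Account("aalvarez", "E100", "payables", "write", date(2024, 2, 1)),
    Account("aalvarez", "E100", "rates", "write", date(2024, 2, 1)),    # clerk can edit rates
    Account("bbrooks", "E101", "payables", "admin", date(2023, 1, 15)),  # not reviewed in a year
    Account("cchen", "E102", "gl", "admin", date(2024, 3, 1)),
    Account("ddiaz", "E103", "payables", "write", date(2024, 2, 1)),    # owner has left
    Account("vendorco", "V900", "gl", "read", date(2024, 2, 1)),        # contractor sees the GL
]

AS_OF = date(2024, 6, 30)  # review date used by the stand-alone run


def orphaned_accounts(roster, accounts):
    """Accounts whose owner is terminated or missing from HR entirely."""
    by_id = {e.emp_id: e for e in roster}
    return sorted({a.user for a in accounts
                   if a.emp_id not in by_id or by_id[a.emp_id].status != "active"})


def excess_privileges(roster, accounts):
    """(user, system, held, allowed) wherever a held privilege exceeds the role's ceiling."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for a in accounts:
        emp = by_id.get(a.emp_id)
        if emp is None or emp.status != "active":
            continue  # already reported by orphaned_accounts
        allowed = ROLE_ENTITLEMENTS[emp.role].get(a.system, "none")
        if PRIVILEGE_RANK[a.privilege] > PRIVILEGE_RANK[allowed]:
            findings.append((a.user, a.system, a.privilege, allowed))
    return findings


def overdue_reviews(accounts, as_of, max_age_days=365):
    """Accounts whose last privilege review is older than the review interval."""
    return sorted({a.user for a in accounts
                   if (as_of - a.last_reviewed).days > max_age_days})


if __name__ == "__main__":
    print("Orphaned accounts:", orphaned_accounts(HR_ROSTER, ACCOUNTS))
    print("Excess privileges:", excess_privileges(HR_ROSTER, ACCOUNTS))
    print("Overdue reviews:", overdue_reviews(ACCOUNTS, AS_OF))
```

The three lists are exactly the items the article says should trigger action: disable or remove orphaned accounts and rotate any shared credentials they knew, reduce excess privileges to the role’s ceiling, and schedule the overdue accounts for review. Running this against fresh HR and system exports each month, not just at the annual audit, is what makes the matching “ongoing.”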
Privileged Access Management (PAM) initiatives may be considered for larger organizations as a higher-level tool in your arsenal. PAMs create a view of the controls, threats, and risks across the organization. They are designed to track “privilege” activities and require strong buy-in by management.
Software updates and upgrades are almost a given. Many of our government clients use, or are switching to, modern ERP systems, such as Tyler Technologies’ Munis and Incode programs. These modern ERP financial software programs come with built-in safeguards, but they are only as strong as the culture for keeping data safe—at the organization’s top, middle, and bottom.
Outside auditors can evaluate your security systems, the internal controls to support those systems, and your training processes for all employees relating to cyber security workflows and proper safeguards. Your CPA (LSL, for instance) can perform this type of audit.
FINALLY
Stand up. Right now. Look across the cubicles or desks around you. Do you see any sticky notes? Hopefully, they say things like, “Don’t forget to buy milk.” As we’ve said, passwords posted on sticky notes at workstations are a bad sign. Be safe.