One year into the pandemic, an unprecedented 42 percent of the U.S. labor force is working from home full-time, according to the Institute for Economic Policy Research.
Prior to the global upheaval, only about seven percent of U.S. workers had the option to do so. These numbers present a staggering change in the way Americans work, and, importantly, how U.S. businesses operate.
Even more staggering is the increased risk of cybercrime due to the mass work-from-home scenarios many businesses face — scenarios that don’t seem likely to go away any time soon. Cybercrime has increased 600 percent as a result of the COVID-19 pandemic. This sort of attack on a business can have major financial implications if not properly addressed. The bottom line is: Your company’s information and reputation are at risk when employees work from home.
As a business leader, you may be asking, “How do we best protect our company from cybercrime” and “If we haven’t done anything differently over the past year, is it too late?”
Working from home is a radical change for many organizations. The good news is, it’s not too late to protect your company.
Gaining Control Over Your Internal Controls
The first critical step is identifying risks and evaluating internal controls. Imagine your 50-person office as a safe “cocoon.” Those 50 people are now working from home and you suddenly have 50 extra “cocoons,” which multiplies your risk. Hackers see a significant opportunity in the current remote working situation, and often target smaller businesses because they often simply don’t have adequate cybersecurity systems and controls in place.
There are three key areas to consider as you create or revise your internal control model to address cyber risks:
- Make sure the message is coming from top management, reminding personnel of proper business practices and the need to adhere to high-quality security policies and standards.
- Ensure people have the information they need to maintain policies and standards so business information and assets remain secure.
- Monitor activities. This is important. Review who has access to your systems and who is accessing them. Check your permissions. Who is allowed to access what? Some permissions may need to be modified when employees work remotely.
In conjunction with addressing cyber risks, it’s also important to review risks associated with significant transaction classes and consider if change is necessary. Critical procedural areas to review include revenue and cash receipts, accounts payable and cash disbursements, bank reconciliations, inventory purchasing, payroll and financial reporting.
Taking Technology to Task
Secondly, look closely at your technology controls. With a remote workforce, pay close attention to these specific areas:
- Does your accounting software provide sufficient functionality to segregate duties?
- Do any accounting software users have the ability to modify the overall functionality that could significantly impact financials?
- Are your accounting software’s passwords parameters and lockout policies appropriately configured?
- Are key spreadsheets located on secured drives?
- Are backups being periodically performed, actively monitored for completion and accurately restricted to authorized personnel?
- Are employees regularly educated regarding cybersecurity risks?
- Is system access appropriately restricted and regularly monitored and reviewed?
- Are you setting the proper “tone at the top” to ensure compliance with critical policies and procedures?
Cybersecurity fraud can cause many problems, including reputational damage, stolen trade secrets, and, let’s face it, some hackers just want to cause harm. But if proper controls are in place and enforced, you run a much better chance of avoiding cybercrimes or at least minimizing the damage.
Remote life has its rewards and challenges, and it’s highly likely the work-from-home trend will stick around even after the pandemic clears. Use the COVID-19 crisis as the catalyst to evaluate your company’s internal controls; but, like much about this crisis, also use it as an opportunity to strengthen your controls and better protect yourself in the future.
Steve Guarini, CPA, is a Partner, Assurance at Cohen & Company of St. Clair Shores.
