Archive for the ‘Security’ Category

Fraud & Embezzlement 2.0

Tuesday, February 16th, 2016

As Certified Fraud Examiner Bryant Truitt, CEO of Brytan & Associates, Inc., tells audiences and clients, you can’t prevent fraud and embezzlement from happening.

Why do people steal from you? Look at the triangle above: pressure, opportunity, and rationalization. You can slow it down and better protect your non-profit if you know where to look and what to do.

Join Mr. Truitt to find out how you can stay ahead of this constant threat to your organization’s financial well-being from individuals and gangs. Learn the who, what, when, and where of your vulnerabilities, why non-profits are easy targets, and how you can be better prepared and stay on guard without losing the essence of why you are a nonprofit serving others.

Those of you who got to hear Mr. Truitt two years ago will appreciate the new information he brings as well as reminders of those things that are easy to forget when fighting fraud, embezzlement, waste, and abuse.

CPE credit available upon request. Hosted by TeamNFP with support from your Abila MIP & your TeamNFP Business Partner.

Originally presented: Feb. 2016

Slides: Fraud 2.0 Webinar Feb 2016


Disaster Recovery Should Be Top Of Mind

Friday, April 11th, 2014

Have you given any thought to how long it would take to recover from a server disaster? Have you actually exercised your recovery plan? You do have a recovery plan, right?

I have had the misfortune to be involved with two MIP customers who have had such disasters only to discover that there was no backup from which their MIP data could be restored.

In one case, the user had just never tested the usefulness of the backups being made by trying to restore from one of them. When the time came that they were needed, the backups were found to be corrupted beyond repair.

In the other case, the IT staff in charge of backup management incorrectly believed that the MIP data was on the server drive on which they concentrated all their other program data (so that they could focus their backup efforts there and ignore the C: drive). They believed that only system files resided on their server’s C: drive. They were sure that they would always simply recover their C: drive by installing Windows and SQL Server and all would be well. But as you know (or should know), your MIP Organization database is managed in a folder about four levels deep from SQL Server in the Program Files folder tree on the server’s C: drive. At install time, the user has control of where the MIP Share folder will be stored, but none over where the actual database files (.mdf and .ldf) are stored.

Now the IT folks could certainly take the time to detach those files, move them to an appropriate location of their choice, and then reattach them there. But almost no one knows this is necessary.
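To make the two lessons above concrete (know where the database files really are, and prove a backup restores before you need it), here is an added T-SQL example for SQL Server Management Studio. It is not code from the original post or from Abila/MIP. The database name [NPO_ORG], the logical file names NPO_ORG and NPO_ORG_log, and the D:\SQLBackups and D:\SQLRestoreTest paths are all assumptions; substitute your own, and run the restore step on a test instance rather than the production server.

```sql
-- Added example (not from the original post, not Abila/MIP code).
-- Assumed names: database [NPO_ORG], backup folder D:\SQLBackups,
-- restore-test folder D:\SQLRestoreTest.

-- 1. Where do this instance's data (.mdf/.ndf) and log (.ldf) files live?
--    This is the list the backup job has to cover; with a default install
--    it points into Program Files on the C: drive.
SELECT
    DB_NAME(database_id) AS database_name,
    type_desc            AS file_type,   -- ROWS = data file, LOG = log file
    physical_name
FROM sys.master_files
ORDER BY database_name, file_type;

-- 2. Full backup with a checksum, so page corruption is detected when the
--    backup is written rather than on the day you need it.
BACKUP DATABASE [NPO_ORG]
    TO DISK = N'D:\SQLBackups\NPO_ORG_full.bak'
    WITH CHECKSUM, INIT, STATS = 10;

-- 3. Cheapest check: is the backup file readable and internally consistent?
--    This catches the "corrupted beyond repair" case but is not a real test.
RESTORE VERIFYONLY
    FROM DISK = N'D:\SQLBackups\NPO_ORG_full.bak'
    WITH CHECKSUM;

-- 4. The real test: restore under a different name (or on a test instance)
--    and run integrity checks on the result. FILELISTONLY shows the logical
--    file names needed for the MOVE clauses.
RESTORE FILELISTONLY
    FROM DISK = N'D:\SQLBackups\NPO_ORG_full.bak';

RESTORE DATABASE [NPO_ORG_restoretest]
    FROM DISK = N'D:\SQLBackups\NPO_ORG_full.bak'
    WITH MOVE N'NPO_ORG'     TO N'D:\SQLRestoreTest\NPO_ORG_restoretest.mdf',
         MOVE N'NPO_ORG_log' TO N'D:\SQLRestoreTest\NPO_ORG_restoretest.ldf',
         CHECKSUM, STATS = 10;

DBCC CHECKDB (N'NPO_ORG_restoretest') WITH NO_INFOMSGS;

-- 5. Clean up once CHECKDB reports no errors. Record the date, the time the
--    restore took, and who ran it: that is your tested recovery plan.
DROP DATABASE [NPO_ORG_restoretest];
```

Step 1 answers the question the second customer's IT staff got wrong; steps 3 to 5 answer the question the first customer never asked. Schedule them: a backup that has never been restored is an assumption, not a backup.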

Does your IT staff know this?

Why not put this down and pick up the phone and find out?

Disaster stats should encourage you to focus on your own disaster recovery plan

  • 6% of all PCs will suffer an episode of data loss in any given year.
  • 31% of PC users have lost all of their files due to events beyond their control.
  • 34% of companies fail to test their backups, and of those that do, 77% have found tape back-up failures.
  • Companies that aren’t able to resume operations within ten days after a disaster are not likely to survive. (Strategic Research Institute)
  • Every week 140,000 hard drives crash in the United States. (Mozy Online Backup)
  • Simple drive recovery can cost upwards of $7,500 and success is not guaranteed.

Excuses for not conducting a disaster recovery test and having a plan are inexcusable when you have the facts.

There are a lot of reasons a nonprofit doesn’t have a disaster recovery plan or even test. Time or fear of failure or lack of knowledge or money shouldn’t stop you.

Maybe you hadn’t thought about how many ways data loss can occur. Wikipedia lists five major causes and over fourteen different examples:

  • Intentional Action
    • Intentional deletion of a file or program
  • Unintentional Action
    • Accidental deletion of a file or program
    • Misplacement of CDs or Memory sticks
    • Administration errors
    • Inability to read unknown file format
  • Failure
    • Power failure, resulting in data in volatile memory not being saved to permanent memory.
    • Hardware failure, such as a head crash in a hard disk.
    • A software crash or freeze, resulting in data not being saved.
    • Software bugs or poor usability, such as not confirming a file delete command.
    • Business failure (vendor bankruptcy), where data is stored with a software vendor using Software-as-a-service and SaaS data escrow has not been provisioned.
    • Data corruption, such as file system corruption or database corruption.
  • Disaster
    • Natural disaster, earthquake, flood, tornado, etc.
    • Fire
  • Crime
    • Theft, hacking, sabotage, etc.
    • A malicious act, such as a worm, virus, hacker or theft of physical media.

The cost of a data loss event is directly related to the value of the data and the length of time that it is needed, but unavailable. These costs include:

  • The cost of continuing without the data
  • The cost of recreating the data
  • The cost of notifying users in the event of a compromise

You really must be vigilant.

Do you have a disaster recovery plan for multiple disasters?

It’s spring (hopefully) and the winds and weather are still a big problem. Do you have a plan for disaster recovery if you lose your data because of hail or tornado or flood or another act of God? This article by Lindsey Farber in Forbes gives you some great ways to stay ahead of good ole Mother Nature. According to Farber, there are three big benefits to disaster recovery testing that may inspire you to take action:

  1. Clarity of Expectations
  2. Clarity of Assumptions
  3. Clarity of Ramifications

I encourage you to read the article at http://www.forbes.com/sites/sungardas/2014/04/10/how-to-multiply-the-effectiveness-of-your-disaster-recovery-testing/. Then test to find your weaknesses and fix the problems or have an offsite, maybe in the cloud, contingency.

You can’t afford (nor can those you serve afford) to have your nonprofit dead in the water! So, go take care of this before it’s too late.


LEIE Exclusions: Make Sure You Don’t Hire Them!

Wednesday, March 5th, 2014

Office of Inspector General expects you to be careful in who you hire.

LEIE? (no, not the dreaded highway in NYC)

Since fraud was the topic of our recent webinar, it seems natural to turn our attention in this month’s blog topic to one of importance to all our clients in the health care sector. The folks at HHS maintain a list of “excluded” people and entities who have distinguished themselves for this treatment by such actions as having been convicted of Medicaid fraud.

From the Office of Inspector General, US Dept of Health & Human Services on their “Background Information” page: (http://oig.hhs.gov/exclusions/background.asp):

“OIG has the authority to exclude individuals and entities from Federally funded health care programs pursuant to sections 1128 and 1156 of the Social Security Act and maintains a list of all currently excluded individuals and entities called the List of Excluded Individuals and Entities (LEIE). Anyone who hires an individual or entity on the LEIE may be subject to civil monetary penalties (CMP).”

“To avoid CMP liability, health care entities need to routinely check the LEIE to ensure that new hires and current employees are not on the excluded list.”

The current list (updated monthly, most recently in January at time of this writing) contains more than 50,000 entries. If you only have a dozen or fewer names to compare to this list, there is a facility on their web site in which you can manually input the names you want to check. (See the link in the right margin of their site titled “Online Searchable Database.”) But if you have a much larger list, this is prohibitively time-consuming and error-prone.

Fortunately, the entire LEIE is made available through the “LEIE Downloadable Databases” link.

On that page you will find, under the heading LEIE Database, the most recently updated list of excluded individuals and organizations. This month, for example, it is called “01-2014 Updated LEIE Database: EXE|ZIP.” By clicking on the letters “ZIP” at the end, you can download that list.

Unfortunately there is no guidance on how to compare the names on that huge list to your own list to find the matches. So users whose spreadsheet and/or database skills aren’t up to the task may find this relatively easy job a challenge.

The short story is that we have helped with this and can offer assistance to you, as well.

In the case of our most recent client, a user of MIP Payroll, the longer story is that we were able to make them self-sufficient at the task of finding all the matches in their list of more than 300 employees. We left them with instructions that take them through opening the database in Excel and eventually populating a table in their MIP database. Then they run a query we saved for them that pulls all the matching names from their employee table (along with the dates of birth and Social Security Numbers they’ll need for the REAL matching exercise on the website).
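The matching step described above, as an added T-SQL example; it is not the query we saved for that client and not part of MIP. It assumes the downloaded LEIE CSV has been imported into a staging table dbo.LEIE_Staging (for example with the SSMS Import and Export Wizard) whose columns follow the header row of the file (LASTNAME, FIRSTNAME, MIDNAME, DOB, EXCLTYPE, EXCLDATE, REINDATE; check them against your download), and that the payroll side is a table dbo.Employee with EmployeeID, LastName, FirstName, BirthDate and Active columns, which is a hypothetical layout standing in for your real employee table.

```sql
-- Added example (not the original post's saved query, not MIP code).
-- Assumed: dbo.LEIE_Staging loaded from the monthly LEIE CSV with its
-- original column names; dbo.Employee is a hypothetical payroll table.

-- Normalize both sides the same way: upper case, trim, and strip the
-- quotes, apostrophes, hyphens and spaces that make "O'Brien" and
-- "OBRIEN" or "Smith-Jones" and "SMITH JONES" look different.
WITH leie AS (
    SELECT
        UPPER(REPLACE(REPLACE(REPLACE(REPLACE(LTRIM(RTRIM(LASTNAME)),
              '"', ''), '''', ''), '-', ''), ' ', ''))       AS last_n,
        UPPER(REPLACE(REPLACE(LTRIM(RTRIM(FIRSTNAME)),
              '"', ''), '''', ''))                            AS first_n,
        LASTNAME, FIRSTNAME, MIDNAME, DOB,
        EXCLTYPE, EXCLDATE, REINDATE
    FROM dbo.LEIE_Staging
),
staff AS (
    SELECT
        EmployeeID, LastName, FirstName, BirthDate,
        UPPER(REPLACE(REPLACE(REPLACE(LTRIM(RTRIM(LastName)),
              '''', ''), '-', ''), ' ', ''))                  AS last_n,
        UPPER(REPLACE(LTRIM(RTRIM(FirstName)), '''', ''))     AS first_n
    FROM dbo.Employee
    WHERE Active = 1
)
SELECT
    s.EmployeeID, s.LastName, s.FirstName, s.BirthDate,
    l.LASTNAME AS leie_last, l.FIRSTNAME AS leie_first, l.MIDNAME AS leie_mid,
    l.DOB      AS leie_dob,          -- compare with BirthDate before going further
    l.EXCLTYPE, l.EXCLDATE,
    l.REINDATE,                      -- a reinstated entry is no longer an exclusion
    CASE WHEN l.first_n = s.first_n THEN 'exact first name'
         ELSE 'first initial only' END AS match_strength
FROM staff s
JOIN leie  l
  ON l.last_n = s.last_n
 AND LEFT(l.first_n, 1) = LEFT(s.first_n, 1)   -- deliberately wide: catch "Bill"/"William"
ORDER BY match_strength, s.LastName, s.FirstName;
```

The join is intentionally loose (same last name, same first initial) so that nicknames and data-entry variants are not missed; the output is a short candidate list, not a verdict. Each candidate is then confirmed or cleared on the OIG website with the date of birth and Social Security Number, exactly as described above. Keep the SSN out of the query result and out of any spreadsheet you e-mail around; the person doing the website check can look it up in payroll for the handful of names that survive the name match.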

If you are spending hours at this task each month, ask your Business Partner or call us for some assistance. Lots of them have the skills needed to give you this same level of service.

This needn’t be a task that consumes much more than half an hour or so. And it should be a great relief to your CEO, General Counsel, and Board to know that you are taking the necessary steps to eliminate the risk of being subject to those civil monetary penalties!


Non-traditional Device Security

Sunday, December 1st, 2013

Cisco, the networking giant, estimates there will be 50 billion Internet-connected devices by 2020. These include currently non-connected devices such as cardiac implant monitors, household and industrial appliances, mechanical sensors, and many others that are expected to come online in the next decade. For nonprofits that provide medical services or monitoring systems, keeping them secure can seem daunting. For their clients or patients, it can be scary.

A service is beginning to come into use that may be worth your nonprofit’s consideration: managed digital certificates, such as those offered by Verizon Enterprise Solutions. This cloud-based platform enables the management of digital certificates for a wide range of Internet-connected devices, commonly referred to as the “Internet of Things.” The certificates allow organizations to make sure devices aren’t spoofed and that the data received from devices is legitimate. They also allow them to ensure that the integrity of sensitive data sent to and from such devices is kept intact.

Regulatory bodies governing various segments of the Internet of Things have also weighed in on security issues. They have worked proactively to improve data protection. In the U.S., several regulatory bodies, including National Institute of Standards and Technology (NIST) and the Food and Drug Administration (FDA), have published mandatory security controls for certain device types, and those controls rely on digital certificates for security assurance.

Though various regulations will have specific requirements for securing Internet-connected devices, digital certificates are considered the first line of defense.

We encourage you to read more about the solutions and regulations.


Q’s Tips: Protect Your SA Password

Wednesday, November 13th, 2013

Q Recommends MIP’s SafeKey Feature to Help Protect Your SA Account from Fraud & Embezzlement

The SQL Server on which you host your MIP database needs to be secure from those who seek to make unauthorized changes in pursuit of various fraud strategies.

For most of you, this isn’t a major concern. Your IT staff installed the SQL Server and the MIP software, and the related system credentials are under their safe protection.

But many of you may have performed the installation yourselves, or delegated it to the “techie” on your accounting staff. When the SQL Server was installed, it required the setup of the “sa” (system administrator) account and the creation of the password for it. That user account name and password must be stored safely. If you aren’t sure where it is, ask your IT staff (if you have one, or your Business Partner if you don’t) to be sure and change that password and to secure it carefully so that none of the accounting staff have access to it. This should reduce any worries you have about fraud or embezzlement and it will definitely please your auditors.

If you’ve been using that account to gain access to the MIP data with SQL Management Studio, Access, or any other external software, have no fear. You can still use those tools, but DO NOT use your sa account for such access. Using this account gives you “WRITE” access that can result in unintended changes to the data you view!!

Instead, use the MIP SafeKey feature. It will provide you with credentials that will allow you to connect to that data with only READ authority; no WRITING. If you have any questions about SafeKey, give your Business Partner a call.
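SafeKey is the MIP way to get read-only credentials, and it is what you should use. For readers who want to see what “READ authority; no WRITING” means at the SQL Server level, here is an added T-SQL example; it is not how SafeKey works internally and not Abila/MIP code. The database name [NPO_ORG], the login name mip_readonly and the password placeholder are assumptions.

```sql
-- Added example (not from the original post, not MIP/SafeKey code).
-- Assumed names: database [NPO_ORG], login [mip_readonly].

USE master;
GO
-- A login that can connect to the instance but holds no server-level role.
-- CHECK_POLICY makes Windows password complexity rules apply to it.
CREATE LOGIN [mip_readonly]
    WITH PASSWORD = N'<replace-with-a-long-random-password>',
         CHECK_POLICY = ON;
GO

USE [NPO_ORG];
GO
-- Map the login into the organization database and make it SELECT-only.
-- db_denydatawriter is belt-and-braces: even if someone later grants a
-- write permission elsewhere, the deny wins.
-- (On SQL Server 2008 and earlier use sp_addrolemember instead of ALTER ROLE.)
CREATE USER [mip_readonly] FOR LOGIN [mip_readonly];
ALTER ROLE db_datareader     ADD MEMBER [mip_readonly];
ALTER ROLE db_denydatawriter ADD MEMBER [mip_readonly];
GO

-- Check 1: confirm the new user really cannot change anything
-- (HAS_PERMS_BY_NAME returns 1 when the permission is held, 0 when not).
EXECUTE AS USER = 'mip_readonly';
SELECT HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'DELETE') AS can_delete;
REVERT;
GO

-- Check 2 (the one your auditors will ask about): who holds sysadmin,
-- i.e. the same power as sa, on this instance? Every name on this list
-- can alter any figure in any database, so it should be very short.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals      AS sp
JOIN sys.server_role_members    AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals      AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;
```

Point Management Studio, Access or Excel at the mip_readonly login and the worst a stray click can do is a slow query. Check 2 is worth running whenever the sa password is changed: if the accounting “techie” or a long-departed consultant still appears under sysadmin, changing the sa password alone has not closed the door.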

Final Word

Passwords are precious; don’t let just anyone have them. Remember, your computers don’t really recognize the person who puts them in and gains access to your accounts. Make sure it’s just you or authorized personnel only!

(TeamNFP Founder Robert Q Johnson was one of the early developers of MIP and has long been famous for his “Q’s Tips”. We share them with our Certified Business Partners and now are sharing them with everyone. We hope you find them helpful.)


Protecting Your NonProfit Name in New Domain Game

Wednesday, October 30th, 2013

Guard your nonprofit brand. Photo by CarbonNYC

Our posts are about productivity, reducing waste, and preventing fraud. But we just ran across this initiative of the Better Business Bureau on brand security and we wanted to share it.

There is a potential threat to your nonprofit from the imminent release of over one thousand generic top-level domain names (gTLDs). The Nonprofit Committee of the International Trademark Association (INTA) presented a webinar on these topics on September 10, 2013. It talked about the threats, brand protection measures your nonprofit should take, and brand protection measures that are available.

We encourage you to hear the recorded webinar by going here. Then take action. Don’t leave yourself open to imitators and brand thieves.

We also encourage you to keep up to date on the Better Business Bureau’s advice for nonprofits and donors.