By Bishop Norris, CPA, Partner
Vawter, Gammon, Norris & Company, PC
This article was inspired by a client's experience with one of the new tricks that hackers are using to misappropriate funds…
The controller in a dealership received a legitimate-looking email requesting that funds be transferred to a new personal bank account for the dealer. The reason given was that he was opening an account with a bank where he had just purchased a vacation home. So, on the surface, this made sense to the controller. As it turned out, a hacker had embedded himself in the dealership's email, learned the positions and habits of the key players, then sent a legitimate-looking email, appearing to come from the dealer, to the controller making the request. Fortunately, the funds were never released.
One only needs to read the daily news to realize that hackers are getting better and cybersecurity is more important than ever for dealerships. The story above describes a potential theft of dealership property, but customer privacy and your reputation are also at stake.
In light of this, here are some questions for consideration:
General IT Environment - Dealerships have IT support of some sort. The question is, how much are you really getting? Does the support include anti-virus and malware protection updates, reliable backup procedures, and limited employee access to customer information? Are there restrictions on websites that can be visited? Do you employ “white hat” hacking to test security? If the dealership is hacked, do you have a response team and plan, and insurance to cover potential damages? Are you releasing customer information to outside vendors? If so, how well protected are they from cyber-attacks?
Employee Training - Do your employees understand that you expect them to use best practices when using your IT resources, including not opening links from unknown senders, not storing customer information on desktops, password diligence and not responding to information requests from unsolicited emails? Have you instructed them to report viruses or computer performance issues?
Online Banking - Circling back to the opening story of this article, what safeguards are in place for internet banking? Is there dual control for online payments, meaning someone creates the transaction and another approves it (like co-signers on checks)? Do your employees decline to accept emails as approval for online payments without oral or text confirmation? Are bank accounts reconciled daily? If not, is banking activity reviewed daily for potential misappropriation? Are you familiar with the safeguards that your bank provides to detect and prevent unauthorized payments?
If you have not reviewed these questions with your management team recently, you may want to. While having discussions with our clients about cybersecurity, it is not unusual for questions or weaknesses to emerge that require follow-up. Cyber-attack threats are constantly changing, and your cash and customer information are desirable targets. That means it is more important than ever to be proactive with cybersecurity measures.