On Thursday, November 2, 2017, 60 winery owners and key industry stakeholders attended MNP’s 8th annual workshop for the B.C. wine industry, hosted by MNP’s Geoff McIntyre. This year, attendees heard timely presentations from Asha Hingorani from the Canadian Vintners Association regarding recent trade negotiations as well as an update on the Comeau Supreme Court case from Shea Coulson. MNP’s presentation focused on Risk in the Workplace.
The following article was co-authored by MNP’s Mark Jordan, CPA, CA, CFE, CFF, Investigative & Forensic Services, and Ron Borsholm, CISSP, PMP, PCI QSA, Cyber Security Services, and serves as a summary of our presentation.
Defending Your Winery: Preventing Fraud and Cyber Attacks
This article was previously published in Canadian Grapes to Wine Magazine and is reproduced with permission.
The possibility of open trade between provinces and of direct-to-consumer sales presents a great opportunity for Canadian wineries. Taking advantage of these opportunities may mean working with new business partners (agents and central warehouses) and adopting new technologies, especially in online retail. But with opportunity comes greater risk, and a need to ensure that adequate protections are in place to prevent fraud and cyber attacks or to limit their impact.
Unfortunately, fraud and cyber attacks are reported regularly in local, national and international news. Most people are aware of the recent Equifax breach, and it doesn’t take long to find articles about security breaches at hotels and even wineries. Sadly, this is only the tip of the iceberg. Fraudsters and hackers do not discriminate, and organizations of all sizes are at risk. Although it may not make the news, we regularly see fraud and cyber attacks in small businesses, not-for-profits and even minor hockey clubs.
For many organizations, fraud and cyber attacks can be devastating with the impact being one or more of the following:
- Time spent dealing with the incident and its remediation, to the detriment of the day-to-day operation of the organization.
- Money spent on third-party advisors such as lawyers, accountants and communications specialists who help navigate the recovery process, and of course the money lost to the fraud or cyber attack itself that cannot be recovered.
- Damage to your winery’s reputation. Customers and vendors may be reluctant to deal with an organization that has experienced a fraud or cyber attack, because they are uncertain whether product can be delivered on time or payment will be received for their services.
It should come as no surprise that enough of any one of the above can be a fatal blow to an organization.
In terms of fraud, one of the biggest exposures is a lack of segregation of duties. When it comes to cyber attacks, two of the most common threats are spear phishing and ransomware.
Segregation of duties is about sharing tasks: no one person in an organization should perform two or more tasks that, combined, expose the organization to fraud. For instance, one person should not be responsible for reviewing timesheets, preparing payroll, signing cheques and recording transactions in the organization’s books; that combination gives them the opportunity to falsify records and ultimately overpay themselves. Because they have few staff, small organizations often have limited segregation of duties. That should not prevent a business owner from running a finger down the bank statement every month, a task that takes relatively little time and can identify unusual payments or missing bank deposits that require further investigation. The review is only a control if it is done by someone who does not also record the transactions or sign the cheques.
Spear phishing is an email attack, usually with a spoofed sender, that targets a specific organization or individual to obtain sensitive information or to induce an action such as a payment. In one recent case, an organization lost a significant amount of money when the accounts payable clerk was targeted and asked by email to change a vendor’s banking information. The criminals then sent fake invoices to the organization, which were paid to the altered bank account. A request to change banking details should never be accepted on the strength of an email alone; confirm it by phone using a contact number already on file, not one supplied in the request.
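The two controls just described, the owner’s monthly pass over the bank statement and an independent check on vendor banking changes, can be written down as simple scripts that run over the books, the bank statement and the vendor-master change log. The example below is added for this article and is not MNP’s code; every record in it (the ledger, the bank lines, the vendor changes, the user names and the 3-day and 30-day windows) is constructed for illustration.

```python
"""Two detective controls for a small finance team, as an added example (not
MNP's code): reconcile the books against the bank statement to surface payments
the books do not explain and deposits that never reached the bank, and review
the vendor-master change log for banking-detail changes that were not
independently verified before money went out. All records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    day: date
    cents: int   # positive = deposit, negative = payment; integer cents avoid float drift
    memo: str    # for ledger payments this is the payee name


@dataclass(frozen=True)
class BankDetailChange:
    vendor: str
    day: date
    requested_by: str        # who keyed the change into the vendor master
    approved_by: str         # second person who approved it, "" if nobody did
    callback_verified: bool  # confirmed by phone using a number already on file


# Constructed sample: the books as the bookkeeper recorded them.
LEDGER = [
    Txn(date(2017, 10, 2), 125_000, "Cellar door sales deposit"),
    Txn(date(2017, 10, 5), -480_000, "Cork Supply Co"),
    Txn(date(2017, 10, 9), 300_000, "Agent remittance deposit"),   # never reaches the bank
    Txn(date(2017, 10, 20), -1_275_000, "Barrel Imports Ltd"),
]
# Constructed sample: the bank statement for the same month.
BANK = [
    Txn(date(2017, 10, 3), 125_000, "DEP"),
    Txn(date(2017, 10, 6), -480_000, "EFT CORK SUPPLY"),
    Txn(date(2017, 10, 17), -199_900, "ONLINE PAYMENT"),           # nothing in the books
    Txn(date(2017, 10, 20), -1_275_000, "WIRE BARREL IMPORTS"),
]
# Constructed sample: vendor-master change log.
CHANGES = [
    BankDetailChange("Cork Supply Co", date(2017, 9, 1), "ap.clerk", "controller", True),
    BankDetailChange("Barrel Imports Ltd", date(2017, 10, 16), "ap.clerk", "", False),
]


def reconcile(ledger, bank, window_days=3):
    """Match each bank line to an unused ledger entry of the same amount within
    window_days. Returns (bank items the books do not explain, ledger deposits
    the bank never received)."""
    unmatched_ledger = list(ledger)
    unexplained_bank = []
    for b in bank:
        match = next((entry for entry in unmatched_ledger
                      if entry.cents == b.cents
                      and abs((entry.day - b.day).days) <= window_days), None)
        if match is None:
            unexplained_bank.append(b)
        else:
            unmatched_ledger.remove(match)
    missing_deposits = [entry for entry in unmatched_ledger if entry.cents > 0]
    return unexplained_bank, missing_deposits


def risky_bank_changes(changes, ledger, lookback_days=30):
    """Flag banking-detail changes with no callback verification or no
    independent approver, and total the payments made to that vendor in the
    lookback_days after the change. Returns (vendor, reasons, cents_paid_after)."""
    findings = []
    for c in changes:
        reasons = []
        if not c.callback_verified:
            reasons.append("no callback verification")
        if not c.approved_by or c.approved_by == c.requested_by:
            reasons.append("no independent approval")
        if not reasons:
            continue
        paid = sum(-t.cents for t in ledger
                   if t.cents < 0 and t.memo == c.vendor
                   and c.day <= t.day <= c.day + timedelta(days=lookback_days))
        findings.append((c.vendor, reasons, paid))
    return findings


if __name__ == "__main__":
    unexplained, missing = reconcile(LEDGER, BANK)
    for t in unexplained:
        print(f"bank {t.day} {t.cents / 100:>10.2f} {t.memo}: not in the books")
    for t in missing:
        print(f"books {t.day} {t.cents / 100:>10.2f} {t.memo}: deposit not received by bank")
    for vendor, reasons, paid in risky_bank_changes(CHANGES, LEDGER):
        print(f"{vendor}: {', '.join(reasons)}; ${paid / 100:,.2f} paid since the change")
```

Run as a script it prints the $1,999.00 bank payment nobody recorded, the $3,000.00 agent deposit that never arrived, and the $12,750.00 wired to Barrel Imports Ltd four days after its bank details were changed without a callback or a second approver. The matching is deliberately on amount and date only, because bank memos rarely match the ledger; anything it cannot pair is a question for the owner, not automatically a fraud.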
In another case, the chief financial officer of a not-for-profit received an email that looked like it came from a bank the organization used. It asked her to update her user ID and password and, in the rush of a busy day, she quickly complied. A few days later, it was discovered that hundreds of thousands of dollars had been wired out of the organization’s account.
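The bank-impersonation email above carries the tell-tale signs that training should teach staff to look for: replies routed to a different domain than the displayed sender, a link whose visible text is the bank’s address but whose real target is somewhere else, and an urgent demand for a user ID and password. The script below is an added example, not MNP’s code or any tool the article mentions; the two sample emails, the `acme-bank.example` trusted-domain list and the keyword lists are all constructed.

```python
"""Heuristic red-flag checks for a suspected phishing email, as an added
example (not MNP's code). Both sample messages and the trusted-domain
allowlist are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: the domains the winery's real bank actually sends from.
TRUSTED_BANK_DOMAINS = ("acme-bank.example",)

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
CREDENTIAL_WORDS = ("password", "user id", "credentials", "verify your account")

# Constructed sample: what the CFO in the story might have received.
SAMPLE_PHISH = """\
From: "Acme Bank Security" <alerts@acme-bank.example>
Reply-To: support@acme-bank-verify.example.net
To: cfo@winery.example
Subject: URGENT: verify your online banking credentials
Content-Type: text/html

<html><body>
<p>Your account will be suspended unless you verify immediately.</p>
<a href="http://acme-bank.example.login-update.net/verify">https://online.acme-bank.example/login</a>
</body></html>
"""

# Constructed sample: a routine notice from the real bank.
SAMPLE_LEGIT = """\
From: "Acme Bank" <notices@acme-bank.example>
To: cfo@winery.example
Subject: Your monthly statement is available
Content-Type: text/html

<html><body><p>Sign in at <a href="https://online.acme-bank.example/">online.acme-bank.example</a> to view your statement.</p></body></html>
"""


def domain_of(header_value: str) -> str:
    """Mailbox domain from a header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str, trusted) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def text_parts(msg) -> str:
    """Concatenate the text/html and text/plain parts, multipart or not."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email: str, trusted=TRUSTED_BANK_DOMAINS) -> list:
    """Return human-readable red flags; an empty list means none were found.
    A From header is trivially forged, so a trusted From domain proves nothing
    on its own; SPF, DKIM and DMARC checks at the mail server cover that."""
    msg = message_from_string(raw_email)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = text_parts(msg)
    for href, text in LINK_RE.findall(body):
        target = host_of(href)
        shown = text.strip()
        if LOOKS_LIKE_URL_RE.match(shown) and host_of(shown) != target:
            findings.append(f"link text shows {host_of(shown)} but points to {target}")
        if not is_trusted(target, trusted):
            findings.append(f"link target {target} is not a known bank domain")
    lowered = (msg.get("Subject", "") + " " + body).lower()
    if any(w in lowered for w in URGENCY_WORDS) and any(w in lowered for w in CREDENTIAL_WORDS):
        findings.append("urgent request for credentials")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no red flags"])
```

The phishing sample trips four flags (mismatched Reply-To, link text that does not match its target, a link to an unknown domain, and an urgent credential request); the statement notice trips none. The point of the exercise is the same one training should make: the visible sender name and the visible link text are what the attacker controls, so check the underlying address and the underlying target, and confirm anything that demands credentials by logging in through the bank’s known address rather than through the email.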
Ransomware is a type of malware that prevents users from accessing their systems or data, typically by encrypting files, until a ransom is paid. In most cases, the infection starts when a user opens an attachment in an email or clicks a link on a webpage. Paying the ransom does not guarantee that the data comes back; the reliable way to recover is from a backup the attacker could not reach.
A recent incident reported in the news involved a wine store that fell victim to ransomware. Although the company was asked for a ransom of only $500 in bitcoin (which it paid), it cost more than 10 times the ransom amount to fully restore its computers to a secure state. To add insult to injury, the perpetrator sent the business owner an unofficial receipt thanking them for their “involuntary purchase.”
Commonly, organizations do not have sufficient internal controls in place, such as policies, procedures and training, to prevent fraud or cyber attacks. Others put controls in place but then fail to test them to ensure they are working as intended. So how can a winery defend against these risks and minimize the impact of fraud and cyber attacks?
Build a Fraud and Cyber Security Risk Management Program
- Know your risks. Undertake a fraud and cybersecurity health check. Speak with your team and, as necessary, third-party advisors to identify where you are at greatest risk of loss.
- Design policies and procedures that prevent the risks you have identified or limit their impact. They do not need to be complex or time consuming. For instance: always make sure your data is backed up and that you have actually tested restoring from the backup; never leave the backup drive attached to your computer, since ransomware will encrypt it along with everything else it can reach; and never leave blank signed cheques for your employees to complete.
- Educate your employees about cybersecurity and fraud. Training should cover how to recognize a phishing email, how to ensure data is not taken out of the organization, and how to report concerns if fraud or a cyber breach is suspected.
- Have a plan. For small organizations, it doesn’t have to be complicated; it can simply be a list of people, inside and outside your organization, who can immediately work together to address a fraud or cybersecurity incident. For larger organizations, the plan can be more detailed.
- Repeat. As your organization grows and changes, so do your risks. Review this process annually to ensure that your policies and procedures, training and response plan remain commensurate with the risks in your winery.
Finally, what does all this mean for you? With the right internal controls in place, such as policies, procedures and training, you can focus on growing your winery business.
For more information on how to protect your winery, contact Geoff McIntyre, CPA, CA, Business Advisor and Partner in MNP’s Kelowna office. As the Food & Ag Processing Leader for the Okanagan Region, Geoff specializes in serving the British Columbia wine industry and can be reached at [email protected] or 1.877.766.9735.