Alacriti Blog |

IT Security

Coders didn’t think consciously about IT security when writing for mainframe computers or even early PCs. The common thinking was that they were secure by default.

Two developments turned this on its head over the last 15 years. Web quickly became the principal conduit for applications, and software was suddenly visible to almost anyone anywhere in the world. This was great for businesses, especially the good guys that businesses wanted to work with, and even better for the bad guys who recognized the potential to profit with almost no risk or barriers. In response to these threats, governments and industry bodies jumped in. With good intent, they wrote many regulations and best practices to improve security and make the world a safer place.

While no one denies the good intentions behind these regulations, they can also be difficult for businesses to navigate. Regulations are made by different departments of the federal government, as well as state and local governments. Add to this mosaic the regulations required by foreign governments and self-regulation by industry bodies, and the landscape can become quite complicated.

Here’s a shortlist of major regulations to consider. There are many more, but this list provides a snapshot of the complexity and effort required to comply:

The Sarbanes-Oxley Act of 2002 (SOX)
The Financial Services Modernization Act of 1999, aka the Gramm-Leach-Bliley Act (GLBA)
The Health Insurance Portability and Accountability Act (HIPAA)
The Bank Secrecy Act (BSA)
The USA PATRIOT Act
The Federal Information Security Management Act of 2002 (FISMA)
The Payment Card Industry Data Security Standard (PCI DSS)
The California Senate Bill 1386 (CA SB 1386)
The Personal Information Protection and Electronic Documents Act (PIPEDA)

Alacriti’s customers hail from some of the most heavily regulated industries including financial services, insurance, healthcare, and utilities. As their partner in information capture, processing, storage, and transmission, our clients expect us to build systems and services that are in full compliance with these regulations. We are often a party to their internal/external audits and examinations, and we are committed to staying at the forefront as the regulatory landscape continues to evolve.

Information Security and Information Privacy

As organizations develop responses to risk and security challenges, as well as regulatory compliance, they and their clients/partners sometimes face ambiguity over information security and information privacy. After all, if you have secured information it should automatically be private too, right?

Well, yes and no. Let’s look at common scenarios that unfold in every organization.

Say you have the credit card details or social security numbers of your employees or customers lying on a table or open on a computer screen, but no one looks at it. Is this a security problem or a privacy problem?

Then say that someone looks at it but doesn’t misuse it. Is this a security problem or a privacy problem?

Now say that an employee copies this information and walks away without detection but doesn’t misuse it. Is this a security breach or a privacy breach?

And then say an employee finds a buyer for this information but we don’t know what the buyer does with that data. Is this a security breach or a privacy breach?

And finally, say that professional hackers break into your system and steal data. This is what we most easily understand as both a security breach and a privacy breach.

A security breach may or may not result in a privacy breach. Say someone steals data from your system but you had taken precautions like encrypting crucial data (credit card numbers, social security numbers, etc.) or storing data in multiple pieces that hackers can’t put back together. Due to these measures, the hacker may have your data but they may not be able to use it. This scenario would represent a security breach but not a privacy breach.

A privacy breach can be more difficult to grasp. If an employee casually looks at a piece of paper lying on a desk or an open document on a computer screen and sees sensitive information, then you have a privacy breach.

It’s imperative to make employees aware of what constitutes private, personally identifiable, or protected information. It’s also imperative to create a culture where employees are continuously aware of the data an organization stores, what is expected of them, and what constitutes a breach.

Security can be centralized in the hands of a few, but privacy is everyone’s concern.

Pandemic Preparedness for Business Organizations

Every few years, a global health-related event brings pandemic preparedness to the forefront. And after some time, it recedes from peoples’ memories only to be revived by a future episode. In response, Alacriti developed a robust preparedness capability in the event of a pandemic. Here are four parameters of our framework to help other organizations build their approach.

Pandemic Event Definition

Which events do you declare a pandemic? For example, you may determine that if 40% of your employees are not available to work (whether physically on-site or remote) for more than nine consecutive workdays, it is a pandemic event. Of course, you can tweak the parameters to specific situations, but all stakeholders must have a common understanding of what constitutes a pandemic.

Incorporation with Incident Management Policy

A pandemic event could logically be considered an extension of incident management. Your typical incident management policy identifies people on various teams that respond to an incident. A pandemic event may mean that the people you identified are not available, so a wider circle may need to be identified for effective incident management.

Multi-Location Approach

A pandemic typically means that many people lose access to work simultaneously. Establishing multiple work locations that are geographically diversified is a critical component of pandemic preparedness.

Integration with BCP and DR

Pandemic preparedness should integrate with business continuity plans (BCP) and disaster recovery (DR) and should not be a stand-alone effort. It could be beneficial to add pandemic preparedness to DR exercises like switching over from production facilities to DR facilities and then switching back. This can establish that one single location has the ability to run the entire operation and become an automatic protection against a pandemic event that disables one physical location.

Each organization’s unique situation will require its own considerations, but an integrated approach can be an efficient and cost-effective way of achieving pandemic preparedness.

*This blog was compiled and edited for clarity in 2019.

Improving working capital seems to be a primary focus for corporations. Building a process to ensure more cash is coming into the business rather than going out, has a direct impact on the sustainability and success of the organization. A high number of companies fail because they were not mindful of tracking their revenues and expenses. A business can have a solid product or service but if solid financial processes are not in place, the business can evaporate. Automating the Account Receivables processes is one building block to improve cash flow.

In general, the Account Receivable process consists of the following key components:

Document

Develop a process to record the sales incurred
Ensure a consistent account system will be used to post sales

Produce

Generate invoices and build controls to ensure they are sent on a regular basis
Build controls and procedures to ensure invoices are consistently produced

Monitor

Make sure someone is monitoring open invoices since this has a direct impact on cash flow
Expand customer collection channels in order to meet their payment preferences

Automate

Process the cash received and apply to the open receivables
Reconcile the cash received to ensure the receivables are accurately stated

Most business must follow these steps to determine if they are winning or losing the battle of maintaining positive cash flow. The steps outlined above are key, however, it is important to remember that any financial process has many moving parts. Whether the company is a large multi-state utility or a county electric coop with only a few hundred consumers, these steps must be followed in building an Account Receivable process.

Currently, most financial professionals continue to identify a number of pain points in processing Account Receivables. The top pain points are indicated below:

Inefficient paper posting process
Re-keying of data in various places
Manual processes create inefficiencies and posting errors
Pressure to lower costs
Challenges faced to improve internal controls
Challenges in automating the ERP process for multiple receivable channels
No remittance information received with the payment
Late payments and unauthorized discounts
Customer demand for additional payment channels resulting in dissatisfaction and attrition

In view of this, there are opportunities to build a process to improve working capital. An effective process will include the following three steps:

Evaluate

Build processes to optimize working capital
Quantify the optimization
Realize that any adjustment will take time, so be patient
Run comparisons against companies in your peer group

Go Digital

Eliminate process and expand digital channels
Leverage core ERP functionality
Examine the process of posting the cash

Expand

Investigate other areas for “electronification”
Build Electronic Presentment and Payment processes
Work with partners and vendors to expand automation
Track and monitor the results

Although the points above focus on addressing the gaps with the Accounts Receivable process, it is just one side of improving cash flow. Before improving any process, an organization must evaluate their current environment. Once changes are implemented they can determine whether the change led to success or had no impact.

The current process can include building a baseline of the current environment. Here are a few points to consider:

What is the current Days Sales Outstanding (DSO)?
How does this compare to the organizations in my peer group?
What is the current Cash Conversion Cycle (CCC)?

Quantifying these ratios and comparing the numbers once changes are implemented is key to improving the cash flow cycle. A reduction in the Days Sales Outstanding will open up additional cash that can now be infused into the business to support growth strategies, fund capital expenditures, fund expansion and strengthen the balance sheet. In addition, when an organization has an improved cash perspective, there are a number of initiatives that can be accomplished.

There are a number of ways a company can initiate a process to improve cash flow. For example, EBPP is one way to accomplish it. Companies that have employed an EBPP solution have improved margins and increased customer collection rates resulting in creating a positive cash flow. Automating the online bill payment and presentment can accelerate the posting of customer payments, accelerate DSO and reduce the posting of errors.

However, improving the Account Receivable posting is only one side of the equation. Consumer’s preference is causing more and more companies to evaluate their process and begin to explore processes to capture additional digital payments.

Alacriti

Category Archives: Alacriti Blog

A Lesson in IT Security, Information Privacy, and Pandemic Preparedness

Improve Working Capital through Account Receivable Automation