
Resources for
not-for-profits
affected by COVID-19

07.21.20

Related Professionals

Principals

  • Renee Bishop
    Chief Operating Officer of Assurance, Tax, and Advisory Services
    T 207.991.5158
  • Ryan Gough
    Principal
    Healthcare, Not-For-Profit
    T 603.518.2612

BerryDunn experts and consultants

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers with between 500 and 10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significant volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization.

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  
CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier of the end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals.

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals: from 60% of AGI to 100%
    • Corporations: annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)
Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Article
COVID-19 FAQs—Not-for-Profit Edition

With the most recent overhaul to the Form 990, Return of Organization Exempt From Income Tax, the IRS has made clear its intention to increase the transparency of a not-for-profit organization’s mission and activities and to promote active governance. To that point, the IRS asks whether a copy has been provided to an organization’s board prior to filing and requires organizations to describe the process, if any, its board undertakes to review the 990.

This lack of ambiguity aside, it is just good governance to have an understanding of the information included in your organization’s Form 990. After all, it is available to anyone who wants a copy. But the volume of information included in a typical return can be daunting.

Where do you even start? Let’s take a look at the key components of a Form 990 that warrant at least a read-through:

  • Income and expense activity (Page 1 and Schedule D) – Does this agree to, or reconcile to, the financial reporting of the organization?
  • Narratives on Page 2 – Does it accurately describe your mission and “tell your story”?
  • Questions in Part VI about governance, management, and disclosures – If any governance or policy questions are answered in the negative, have you given consideration to implementing changes?
  • Part VII – Board information and key employee/contractor compensation – Is the list complete? Does the information agree with compensation set by the board? Does it seem appropriate in light of responsibilities and the organization’s activities?

Depending on how questions were answered earlier in the Form 990, several schedules may be required. Key schedules include:

  • Schedule C – Political and lobbying expenditures
  • Schedule F – Foreign transactions and investments reported (alternative investments may have pass-through foreign activity)
  • Schedule J – Detailed compensation reporting for employees whose package exceeds $150,000
  • Schedule L – Transactions with officers, board members, and key employees (conflict-of-interest disclosures)

In addition to the Form 990, an organization may be required to file a Form 990-T, Exempt Organization Business Income Tax Return, if it earns unrelated business income. In general, it’s good practice to review the Form 990 with the organization’s management or tax preparer to be able to ask questions as they arise.

Filing and reviewing the Form 990 can be more than a compliance exercise. It’s an opportunity for good conversations about your mission, policies, and compensation—a “health check-up” that can benefit more areas than just compliance. Understanding your not-for-profit’s operations and being an engaged and informed board member are essential to effectively fulfilling your fiduciary responsibilities.

Article
Good governance: Understanding your organization's Form 990

Read this if you use QuickBooks Online.

You should be running reports in QuickBooks Online on a weekly—if not daily—basis. Here’s what you need to know.

You can do a lot of your accounting work in QuickBooks Online by generating reports. You can maintain your customer and vendor profiles. Create and send transactions like invoices and sales receipts, and record payments. Enter and pay bills. Create time records and coordinate projects. Track your mileage and, if you have employees, process payroll.

These activities help you document your daily financial workflow. But if you’re not using QuickBooks Online’s reports, you can’t know how individual elements of your business like sales and purchases are doing. And you don’t know how all of those individual pieces fit together to create a comprehensive picture of how your business is performing. 

QuickBooks Online’s reports are plentiful. They’re customizable. They’re easy to create. And they’re critical to your understanding of your company’s financial state. They answer the small questions, like, How many widgets do I need to order?, and the larger, all-encompassing questions like, Will my business make a profit this year?

Getting the lay of the land

Let’s look at how reports are organized in QuickBooks Online. Click Reports in the toolbar. You’ll see they are divided into three areas that you can access by clicking the labeled tabs. Standard refers to the comprehensive list of reports that QuickBooks Online offers, displayed in related groups. Custom reports are reports that you’ve customized and saved so you can use the same format later. And Management reports are very flexible, specialized reports that can be used by company owners and managers.


A partial view of the list of QuickBooks Online’s Standard reports 

Standard reports

The Standard Reports area is where you’ll do most—if not all—of your reporting work. The list of available reports is divided into 10 categories. You’re most likely to spend most of your time in just a few of them, including:

  • Favorites. You’ll be able to designate reports that you run often as Favorites and access them here, at the top of the list.
  • Who owes you. These are your receivables reports. You’ll come here when you need to know, for example, who is behind on making payments to you, how much individual customers owe you, and what billable charges and time haven’t been billed.
  • Sales and customers. What’s selling and what’s not? What have individual customers been buying? Which customers have accumulated billable time?
  • What you owe. These are your payables reports. They tell you, for example, which bills you haven’t paid, the total amount of your unpaid bills (grouped by days past due), and your balances with individual vendors.
  • Expenses and vendors. What have I purchased (grouped by vendor, product, or class)? What expenses have individual vendors incurred? Do I have any open purchase orders?

The Business Overview contains advanced financial reports that we can run and analyze for you. The same goes for the For my accountant reports. Sales tax, Employees, and Payroll will be important to you if they’re applicable for your company.

Working with individual reports


Each individual report in QuickBooks Online has three related task options.

To open any report, you just click its title. If you want more information before you do that, just hover your cursor over the label. Click the question mark to see a brief description of the report. If you want to make the report a Favorite, click the star so it turns green. And clicking the three vertical dots opens the Customize link. 

When you click the Customize link, a vertical panel slides out from the right, and the actual report is behind it, grayed out. Customization options vary from report to report. Some are quite complex, and others offer fewer options. The Sales by Customer Detail report, for example, provides a number of ways for you to modify the content of your report so it represents exactly the “slice” of data you want. So you can indicate your preferences in areas like:

  • Report period
  • Accounting method (cash or accrual)
  • Rows/columns (you can select which columns should appear and in what order, and group them by Account, Customer, Day, etc.)
  • Filter (choose the data group you want represented from several options, including Transaction Type, Product/Service, Payment Method, and Sales Rep)

Once you’ve run the report, you can click Save customization in the upper right corner and complete the fields in the window that opens. Your modification options will then be available when you click Custom reports, so you can run it again anytime with fresh data.


You can customize QuickBooks Online’s reports in a variety of ways.

We’ll go into more depth about report customization in a future article. For now, we encourage you to explore QuickBooks Online’s reports and their modification options so that you’re familiar with them and can put them to use anytime. Contact our Outsourced Accounting team if you have any questions about the site’s reports, or if you need help making your use of QuickBooks Online more effective and productive.

Article
Getting started with reports in QuickBooks Online

Read this if you use QuickBooks Online.

Are you taking on a worker who’s not an employee? QuickBooks Online includes tools for tracking and paying independent contractors.

The COVID-19 pandemic created millions of self-employed individuals and small businesses. Whether they chose to, or circumstances forced them to, these new entrepreneurs had to learn new ways to get paid and to prepare their income taxes.

If you’re thinking about taking on a contract worker, you, too, will have to educate yourself on the paperwork and processes required to comply with the IRS’ rules for his or her compensation. It’s much easier than hiring a full-time employee, but it still takes some knowledge of how QuickBooks Online handles these individuals.

You’ll also need to make certain that the person you’re hiring is indeed an independent contractor and not an employee. The IRS takes this distinction very seriously. If you’re at all unsure of your new hire’s employment status, we can help you sort it out.

Creating records for contractors

Once new contractors have accepted your offer, you’ll need to have them fill out an IRS Form W-9. You can download a copy here. Employees complete the more detailed Form W-4 so that the employer can withhold income taxes correctly, but you won’t have to withhold taxes for your contract workers. They will be responsible for calculating and paying quarterly estimated taxes and filing an IRS Form 1040 every year.

You, though, will be responsible for sending them an IRS Form 1099-NEC (Non-Employee Compensation) every January if you paid them more than $600 during the previous year. You do not need to send a 1099-NEC to a corporation or to an LLC that is treated as a C Corp or an S Corp. 

You can complete the Vendor Information window for each independent contractor, checking the box in front of Track payments for 1099.

Using the information the contractors provide, you can create records for them in QuickBooks Online. If you don’t have a QuickBooks Payroll subscription, you can set them up as 1099 vendors. Click the Expenses tab in the toolbar and then on the Vendors tab. Click New vendor in the upper right to open the Vendor Information window. Complete the fields for the worker and be sure to check the box in front of Track payments for 1099, as shown in the partial image above.

The vendor records you create will appear in QuickBooks Online’s Vendors list (again, Expenses | Vendors). Click on one to open it. You can toggle between two tabs here. The first, Transaction List, will eventually display all your financial dealings with that contractor. Vendor Details opens the record you just created, which you can edit from this screen.

Paying contractors

When independent contractors send you invoices, you’ll return to this same screen. There are three ways you can pay them. Click the down arrow next to New Transaction in the upper right corner to see your options (or look down at the end of the row while you’re in list view). You can record the debt as a Bill if you want to pay it later (or if that’s the way you structure your recordkeeping). If you’re paying it right away, you can create an Expense or write a Check.

You can choose an option from this vendor action menu to pay your independent contractors.

When you click one of these, QuickBooks Online opens a form with many of the contractors’ details already filled in. You’ll need to complete any additional fields at the top of the screen, and then either record the payment or debt under Category details or Item details, depending on how you do your bookkeeping. Either way, you’ll be able to enter the quantity and rate and/or amount and mark it billable (with a markup percentage, if you’d like) to a customer or project.

You’re probably going to want our help here, since there’s more than one way to pay independent contractors. If you subscribe to QuickBooks Payroll, you can use the service’s contractor features, which include the ability to invite your contractors to fill out their own records in QuickBooks Online. You may also want to add an account to your Chart of Accounts, and we’d want to offer guidance there. And you need to ensure that you’re classifying payments correctly, so they’ll appear in 1099 reports and 1099s themselves.

Creating records for independent contractors and paying these individuals seem like they should be simple operations. But anytime you’re dealing with payroll issues, you’re dealing with people’s livelihoods – and the IRS. We strongly encourage you to let us help you get this right. Contact the Outsourced Accounting team, and we’ll make sure you’re handling your worker payments with absolute accuracy.

Article
Hiring an independent contractor? How QuickBooks Online can help

Read this if you are a not-for-profit organization.

With springtime upon us, it may be difficult to start thinking about this upcoming fall, but that is exactly what many folks in the nonprofit sector are starting to do. The reason for this? It’s because 2022 brings with it the mid-term election cycle. While technically an off-year election, many congressional and gubernatorial races are being contested, in addition to a myriad of questions that will appear on ballots across the country. It is around this time of year we start to see many questions from clients in the nonprofit sector in the area of political campaign activities, lobbying (both direct and grassroots), and education/advocacy.

This article will discuss the three major types of activities nonprofit organizations may or may not undertake in this arena and will offer guidance to give organizations the vote of confidence they need to not run afoul of the potential pitfalls when it comes to undertaking these activities.

Political campaign activity

Political campaign activities include participating or intervening in any political campaign on behalf of (or in opposition to) any candidate for elective public office, be it at the federal, state, or local level. Examples of such activities include contributions to political campaigns as well as making public statements in favor of or in opposition to any candidate. The IRS explicitly prohibits section 501(c)(3) organizations from conducting political campaign activities, the consequence of doing so being loss of exempt status. However, other types of exempt organizations (such as 501(c)(4) organizations) are allowed to engage in such activities, so long as those activities are not the organization’s primary activity. Only Section 527 organizations may engage in political campaign activities as their primary purpose. 

Direct lobbying

Direct lobbying activities attempt to influence legislation by directly communicating with legislative members regarding specific legislation. Examples of direct lobbying include contacting members of Congress and asking them to vote for or against a specific piece of legislation.

Grassroots lobbying

Grassroots lobbying, on the other hand, attempts to influence legislation by affecting the opinions of the general public and includes a call to action. Examples of grassroots lobbying include requesting members of the general public to contact their representatives to urge them to vote for or against specific legislation.

A quick way to remember the difference:
Political = think “P” for People – advocating for or against a specific candidate 
Lobbying = think “L” for Legislation – advocating for or against a specific bill

Education/advocacy

Organizations may engage in activities designed to educate or advocate for a particular cause so long as it does not take a specific position. For example, telling members of Congress how grants helped constituents would be considered an educational activity. However, attempting to get a member of Congress to vote for or against a specific piece of legislation that would affect grant funding would be considered lobbying. Another example would be educating or informing the general public about a specific piece of legislation. Organizations need to be mindful here as taking a specific position one way or the other would lend itself to the activity being deemed to be lobbying, and not merely education of the general public. There is no limit on how much education/advocacy activity a nonprofit organization may conduct.

Why does this matter?

As you can see, there is a very fine line between lobbying and education, so it is important to understand the differences so that an organization conducting educational activities does not inadvertently end up conducting lobbying activities.

Organizations exempt under Code Section 501(c)(3) can conduct only lobbying activities that are not substantial to their overall activities. A 501(c)(3) organization may risk losing its exempt status and may face excise taxes on the lobbying expenditures if it is deemed to be conducting excess lobbying, whereas section 501(c)(4), (c)(5), and (c)(6) organizations may engage in an unlimited amount of lobbying activity.

What is substantial?

Unfortunately, there is no bright line test for determining what is considered substantial versus insubstantial. As an industry standard, many practitioners have taken a position that insubstantial means five percent or less of total expenditures, but that position is not codified and could be challenged by the IRS. 

Section 501(c)(3) organizations that intend to conduct lobbying activities on a regular basis may want to consider making an election under Code Section 501(h). This election is only applicable to 501(c)(3) organizations and provides a defined amount of lobbying activity an organization may conduct without jeopardizing its exempt status or becoming subject to excise tax. The 501(h) election limit is based on total organization expenditures with a maximum allowance of $1 million for “large organizations” (defined as an organization with total expenditures over $17,000,000). 

While the 501(h) election provides some clarity as to how much lobbying activity can be conducted, it may be prohibitive for some organizations whose total expenditures greatly exceed the $17,000,000 threshold. Another item to be aware of is that the lobbying threshold applies to all members of an affiliated group combined, which means the entire group shares the maximum threshold allowed. 

Another option for those engaging in lobbying is to create a separate entity (such as a 501(c)(4) organization) which conducts all lobbying activities, insulating the 501(c)(3) organization from these activities. As previously mentioned, organizations exempt under Code Section 501(c)(4) can conduct an unlimited amount of lobbying activities but can only conduct limited political campaign activities.

What about political campaign activities?

Section 527 organizations, known as political action committees, are exempt organizations dedicated specifically to conducting political campaign activities. If a 501(c)(4), (c)(5), or (c)(6) organization makes a contribution to a 527 organization, it may be required to file a Form 1120-POL and be subject to tax at the corporate tax rate (currently a flat 21%) based on the lesser of the political campaign expenditures or the organization’s net investment income. State income taxes may also be applicable. Section 501(c)(3) organizations may not make contributions to 527 organizations. 

If your organization is considering participation in any of the above activities, we would recommend you reach out to your not-for-profit tax team for additional information. We’re here to help!

Article
Lobbying and politics and education, oh my!

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence that indicated Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to re-visit your current security controls. Focusing on basic IT controls can make a big difference in the event of an attack, as hackers tend to go after the easy, low-hanging fruit.

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, and vendors and guests. Make sure that users are maintaining strong passwords and that no user is connecting remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes you have delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked versus locked when you leave to go somewhere. 
  2. Patching
    One of the most common audit findings we have to date and one of the biggest reasons behind successful attacks is related to unpatched systems. Software patches are issued by software providers to address vulnerabilities in systems that act as an unlocked door to a hacker, and allow hackers to leverage the vulnerability as a way to get into your systems. Ensuring your organization has a robust patch management program in place and that systems are up-to-date on needed patches is critical to your security operations. Think of an unpatched system like a car with a broken window—sure the door is locked, but any thief can reach through the broken window and unlock the car. 
  3. Logging 
    Account activity, network traffic, system changes—these are all things that can be easily logged and, with the right tools, configured to alert you to suspicious activity. Logging that is done correctly can alert management to suspicious activity occurring on your network and notify your security team to investigate the issue. Consider logging and alerting like your home’s security camera. It may alert you to the activity outside, but someone still needs to review the footage and react to it to mitigate the threat.
  4. Test backups and more
    Making sure that your systems are successfully backed up and kept separate from your production systems is a control we are all familiar with. Organizations should do more than just make sure their backups are performed nightly and maintained; they need to make sure, on a regular basis, that those data backups can be restored to a usable state. Beyond backups, we also often hear in the work we do that our clients test only parts of their disaster recovery and failover plans—but have never tested a full-scale failover to their backup systems to determine if the failover would be successful in the event of an incident or disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it occurs successfully. Not testing your backups is like not test driving a car before you buy it. Sure it looks nice in the lot, but does it actually run?
  5. Incident Management Plan 
    We often review Incident Management Plans as part of the work we do, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, like your increasingly remote work force, or that systems have changed. An outdated Incident Management Plan is like being sick and trying to call your doctor for help only to find out your doctor has retired. 
  6. Training—phishing attacks
    Hackers’ most common approach to gain access to systems and deploy crippling ransomware attacks is through phishing campaigns via email. Phishing campaigns trick a user into either providing the hacker with credentials to log into systems or to download malware that could turn into ransomware through what appears to be legitimate business correspondence. Training end-users on what to look for in verifying an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what is needed for additional training. Security teams should also have other supporting controls to help prevent phishing emails and detection tools in place in case a user does fall for an email. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do. 
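
To make the access control and logging items above concrete, here is an added example (not part of the original article) of alerting logic run over login events. The key=value log format, the field names, the alert names, and the sample events are all constructed assumptions, not the output of any particular product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value log format.
SAMPLE_LOG = """\
2024-01-15T08:00:00 event=login result=ok user=asmith src=10.0.0.12 remote=false mfa=false
2024-01-15T09:10:00 event=login result=fail user=jdoe src=203.0.113.7 remote=true mfa=false
2024-01-15T09:10:20 event=login result=fail user=jdoe src=203.0.113.7 remote=true mfa=false
2024-01-15T09:10:45 event=login result=fail user=jdoe src=203.0.113.7 remote=true mfa=false
2024-01-15T09:11:30 event=login result=ok user=jdoe src=203.0.113.7 remote=true mfa=true
2024-01-15T10:00:00 event=login result=ok user=vendor1 src=198.51.100.4 remote=true mfa=false
2024-01-15T11:00:00 event=login result=fail user=asmith src=10.0.0.12 remote=false mfa=false
2024-01-15T11:30:00 event=login result=ok user=asmith src=10.0.0.12 remote=false mfa=false
"""


def parse(line):
    """Split '<timestamp> key=value ...' into a dict with a parsed 'ts'."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def find_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag remote logins without MFA and successes that follow a burst of failures."""
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        if ev.get("event") != "login":
            continue
        recent = failures[ev["user"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if ev["result"] == "fail":
            recent.append(ev["ts"])
            continue
        if ev.get("remote") == "true" and ev.get("mfa") != "true":
            alerts.append(("remote_login_without_mfa", ev["user"], ev["src"]))
        if len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["user"], ev["src"]))
        recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The single failed login by asmith raises nothing because it falls outside the five-minute window and below the threshold. Each alert still needs a person to review it and respond.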
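
For the backup item above, this added example (not from the original article) shows one way to test that a backup restores to a usable state: record a checksum manifest at backup time, restore the archive into a scratch directory, and compare. The tar.gz archive layout, the function names, and the two sample files are constructed assumptions.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (a Path) to its SHA-256, keyed by relative path."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(archive, manifest):
    """Restore into a scratch directory and diff against the backup-time manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **safe)
        restored = build_manifest(Path(scratch))
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "unexpected": sorted(restored.keys() - manifest.keys()),
        "corrupt": sorted(n for n, h in restored.items() if manifest.get(n, h) != h),
    }


def demo(damage):
    """Constructed sample: two small files, optionally damaged before archiving."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "donors.txt").write_text("constructed sample record\n")
        manifest = build_manifest(src)
        if damage:
            (src / "ledger.csv").write_text("id,amount\n1,999\n")  # silent change
            (src / "donors.txt").unlink()                           # lost file
        archive = Path(work, "backup.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        return verify_restore(archive, manifest)
```

Three empty lists mean the restore matched what was backed up. The `safe` option applies Python's "data" extraction filter on versions that provide it, so a restore test cannot write outside the scratch directory.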

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Article
Cyberattack preparation: A basics refresher