Big Financial Trends 2024: What Canadian Small and Medium-Size Businesses Need to Know

Supplier costs continue to rise. Inflation continues to impact buyer behaviour. Global unrest is making people uneasy. All of these financial trends are affecting small and medium-sized businesses as we head into 2024. 12% worry they will be unable to continue past 2024. Here’s the good news: 88% of Canadian SMBs surveyed say they are confident about growing their company over the next three years — an improvement from 2022’s 83%.

Regardless of what you see coming in the years ahead, understanding your financial situation is crucial to effectively building a successful and sustainable business. Cash flow will be more important in the coming year, and managing the economic, consumer, technology, and labour challenges should be top of mind.

Financial Trends and Challenges Facing Small and Medium-Sized Canadian Businesses

Here are some of the key financial trends and challenges that SMBs must confront in 2024.

Economic Concerns

Are we heading into a recession? That’s the big question that we’re all grappling with. The Conference Board of Canada now believes we’ll avoid a recession with a recovery in 2024. Others disagree. Either way, SMBs need to keep tight control over finances and prepare for whatever comes next.

The Bank of Canada is expected to hold tight on interest rates for the first half of 2024, with rate reductions not coming until mid-year. High interest rates slow down many areas of the economy, including consumer spending. SMBs seeking financing will find it more expensive, and loan grants may be more restrictive.

With labour challenges causing wages to rise and costs of goods increasing, SMBs will have to make difficult decisions about raising prices and managing cash flow.

Consumer Behaviour

A long-running financial trend that will continue in 2024 is that more consumers are shopping online. With internet usage across Canada at nearly 93%, the retail eCommerce market is forecast to hit $71.7 billion in Canada in 2024. Yet, many small businesses nationwide are lagging in building out eCommerce solutions. Businesses must assess their eCommerce strategy to stay competitive, especially with younger consumers.

If there is a recession, expect consumer behaviour to shift. As businesses downsize, many Canadians will suddenly be out of work or have their work hours reduced. Demand for goods and services will decrease, especially for items that aren’t considered essential.

Consumers are also focusing on sustainability and eco-friendly practices in decision-making. More people expect transparency into how businesses operate as part of purchase decisions. Starting in 2024, banks and insurance companies face mandatory disclosures for climate-related risk and exposure. While most SMBs do not have such reporting requirements, expect more interest in how you are operating.

Technology

Technology is playing an increasingly important role in business. Artificial intelligence and automation are both disrupting entire sectors and providing significant efficiencies.

At the same time, SMBs need to worry more about cybersecurity than ever before. Cybercriminals are increasingly targeting small and medium-sized businesses. Cybercrime in Canada is up more than 600% since the start of the pandemic, and nearly half of all attacks target SMBs.

Labour Laws

A new regulation goes into effect on February 1, 2024, as part of the Labour Code, increasing the obligations employers have when terminating employees in federally regulated businesses. More notice will need to be given to those with three years or more of employment. Up to eight weeks’ notice is required for employees working at a company for eight years or longer. There are also new requirements about the statement of benefits, wages, and severance pay that must be provided.

Businesses that use employment contracts will want to review them to ensure they comply with the new measures. Businesses must update employee handbooks and policy manuals to meet the new guidelines.

What SMBs Can Do to Prepare for 2024

Seek Financial Advice

Consulting with accounting and finance experts like Avisar Chartered Professional Accountants should be a priority as you head into 2024 and consider how to prepare for emerging financial trends. A CPA firm can provide expert guidance on budgeting, cash flow management, financing options, and more to help SMBs adapt to evolving economic conditions.

Adapting to Changing Consumer Preferences

SMBs need to evaluate their products and services, looking at ROI in light of evolving consumer behaviour. Enhancing eCommerce and digital offerings, managing supply chains, and tight cost control are all part of the SMB landscape moving forward.

Leverage Technology

SMBs should stay current on technology and look for ways to streamline operations. The right technology can boost competitiveness by automating functions. Seeking input from your accounting firm can help you find new ways to optimize finances and reduce your accounting workload.

SMBs also need to evaluate their current cybersecurity to lower risk.

Remain Compliant

Regulatory compliance is essential. Rules and reporting requirements are changing, and SMBs need to avoid costly problems by adhering to evolving laws. A CPA firm can help ensure businesses adhere to the latest accounting, tax, and other financial standards.

Get Professional Financial Management

With these complex challenges facing SMBs in 2024, you need a trusted advisor to help guide you, keep you compliant, and better manage your finances.

Avisar Chartered Professional Accountants is a trusted BC-based Canadian accounting firm focused on serving small businesses, entrepreneurs, and not-for-profit organizations. Our team of highly experienced accountants understands the unique needs of small and medium-sized businesses and is dedicated to helping you manage your finances and grow your business.

Contact Avisar Chartered Professional Accountants today to book a consultation.

Disclaimer: Avisar Chartered Professional Accountant’s blog deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein. Although every reasonable effort has been made to ensure the accuracy of the information contained in this post, no individual or organization involved in either the preparation or distribution of this post accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.

4 Threats to Watch Out for When a Hacker Gets Your Phone Number

The more personal information we supply online, the more at risk we are of identity theft, experts say.

Passing out your digits is all it takes to put you at risk of identity theft, warn cyber-security experts.

From account profiles to online registration forms – be it for retailers, hospital records or social media platforms – we are supplying personal information digitally without hesitation or regard for the implications.

“If someone has your phone number, they are likely to have other identity elements as well, so don’t be surprised,” says Claudiu Popa, a certified security and privacy risk adviser and CEO of Informatica Corporation, a Canadian cybersecurity consulting firm.

In a world where our offline and digital identities are symbiotic, here are some identity theft scams, and mitigation tactics, to watch out for.

Spoofing to scam

You’ve likely received several of these spammy, or spoofing, calls. The caller poses as police, the Canada Revenue Agency, or the immigration service, demanding payment and threatening jail time, deportation, and so on. Many are falling victim to a potentially financially devastating scam, warn experts.

“If [call recipients] don’t have that level of awareness, they are a sitting duck, and that’s who [spoofers] are hoping to catch,” says Popa.

According to the Canadian Anti-Fraud Centre, these scams have defrauded Canadians of more than $16.7 million since 2014. It has become so prevalent that the Canadian Radio-television and Telecommunications Commission recently ramped up its efforts to combat it.

The commission will require telecom service providers to implement, by next September, a new framework called STIR/SHAKEN (Secure Telephone Identity Revisited/Signature-based Handling of Asserted Information Using Tokens), which enables the recipient to determine before answering whether the call is suspicious. In the meantime, the commission now requires, as of Dec. 19, that these providers block calls with numbers more than 15 digits long or that can’t be dialed (such as those with a string of letters or zeros), or provide more advanced call-filtering services.

“Legislation would put the responsibility back on the organizations, and that will hit the cellphone carriers,” says Matt Coveart, identity theft expert at DragonFly I.D., an identity restoration service provider. “They are going to have to do more.”

Mitigate it

  • Avoid answering any calls received from unknown numbers.
  • If you do answer the call, immediately hang up and do not answer any questions.
  • Never give out any personal information (such as social insurance numbers and banking information) without verifying the request is legitimate.
  • Report any calls received to the Canadian Anti-Fraud Centre.
  • Keep abreast of offerings by your mobile provider to help stop these calls.

Porting for profit

Identities are now being compromised by phone porting, whereby the fraudster, with phone number in possession, links that phone to another SIM card, enabling access to its apps, cloud and email accounts and more.

From there, the fraudster may call the mobile service provider, impersonating the phone owner, and make account changes or report the device lost or stolen. They may change passwords on accounts using the “forgot password” option, gaining access through verification codes now sent to them.

Meanwhile, victims may be locked out of their accounts, unable to call, text or use data. They may fall prey to extortion threats or have their bank accounts drained and credit cards racked up.

“It’s very targeted. They find an old cellphone bill and try to leverage that information. The representatives believe the device is stolen or lost,” says Coveart. “They [cyber criminals] say they would like to have the phone ported to another device. Once it’s ported to that device … there are all sorts of impersonation scams from that point.”

Mitigate it

  • Protect your personal information. Cautiously fill out online forms, only entering what you absolutely need to. Does this company really need your date of birth, gender or marital status? Is it even legal to request it?
  • Contact your mobile service provider to find out what additional security measures are available if your phone is lost or stolen, or has been compromised.
  • If your identity is hacked, report it to the Canadian Anti-Fraud Centre and your local police force, and immediately contact your financial institutions and credit bureaus.

Phishing for vulnerability

According to security firm Wandera, 83 per cent of phishing attacks in 2019 took place in text messages or in apps. Meanwhile, a recent IBM study reported that users are three times more vulnerable to phishing attacks on a mobile device than a desktop.

Hackers know this, and target accordingly. Similar to email phishing, these fraudulent requests may be urgent or threatening, demanding payment or personal information, and/or encouraging users to click on ransomware-infected links or attachments. They may also be simple requests, including account updates or password confirmations.

“What people don’t understand about ransomware is that your data gets stolen first,” says Popa. “So that [info] goes out there and it just joins the masses of personal information that is available about anyone going forward and forever.”

Mitigate it

  • Never respond to (or click on) suspicious messages, links or attachments sent via text or apps.
  • Report suspicious messages to your mobile service provider and the anti-fraud centre.
  • If the message sent looks legitimate, contact the alleged sender (e.g., your bank) before responding or entering any information to confirm receipt.
  • Update any passwords/log-in credentials associated with targeted accounts.

Mining for identities

With access to one piece of personal information, fraudsters can mine for more data to piece together an identity, Popa says. With the amount we share online – from birthdates, to family members, to marital statuses, to employers – we make it easy for them, he adds.

A quick search of a phone number, he says, can lead to its mobile service provider. One phone call to that provider can reveal account details when the right questions are asked. One account detail can direct to a social media account. Furthermore, Popa adds, fraudsters can use data they collect from multiple individuals and combine the information to create virtual people.

“It could be a phone number. It could be a picture. It could be a home address, social media profile. Any one of these identity elements can give rise to an opportunity to gather more data about an individual,” he says.

“You can mix someone’s social insurance number with someone’s home address and suddenly you don’t have someone who really exists. That’s called a synthetic identity … and you can multiply your opportunities for making money.”

In an internal report completed last August, and obtained by the Canadian Press through an Access to Information request, Privacy Commissioner Daniel Therrien called out federal political parties for not adequately protecting Canadians’ personal information and misusing voter data without proper consent. The report states that Canadian privacy policies fall short on setting limits on how data is used, how long it is kept, whether it is accurate, and how it is safeguarded through security systems.

Mitigate it

  • When possible, create distinct digital identities across platforms and accounts using pseudonyms or nicknames, different email addresses, fake birthdates, and so on, advises Popa. Keep track of this information for customer service. “People need to understand one thing. The person that they are in real life is different than the digital identity that they have online. Divorce these two concepts,” he says. “The way they do that, is to be as pseudonymous as possible online.”
  • Use an offline password manager and database to keep track, creating new and distinct passphrases, rather than passwords (minimum of 12 characters, including spaces and punctuation), advises Popa. “Type in a sentence. It’s much easier to remember and it’s less likely to guess it.”


Federal Budget 2021: Electronic Filing, Payments and Certification

Budget 2021 proposes a number of measures that would better facilitate CRA’s ability to operate digitally, while also enhancing security.

Notices of Assessment (NOA)

Budget 2021 proposes to provide CRA with the ability to send certain NOAs electronically without the taxpayer having to authorize CRA to do so. This proposal would apply in respect of individuals who file their income tax return electronically and those who use the services of a tax preparer that files their return electronically. Taxpayers who file their income tax returns in paper format would continue to receive a paper NOA from CRA. This measure would come into force on Royal Assent of the enacting legislation.

Correspondence with Businesses

Budget 2021 proposes to change the default method of correspondence for businesses that use CRA’s My Business Account portal to electronic only. However, businesses could still choose to also receive paper correspondence. This measure would come into force on Royal Assent of the enacting legislation.       

Information Returns – T4A and T5

Budget 2021 proposes to allow issuers of T4A (Statement of Pension, Retirement, Annuity and Other Income) and T5 (Statement of Investment Income) information returns to provide them electronically without having to also issue a paper copy and without the taxpayer having to authorize the issuer to do so. This measure would apply in respect of information returns sent after 2021.

Electronic Filing Thresholds

Budget 2021 proposes a number of measures that would limit the ability to file paper returns, including:

  • persons or partnerships that file more than 5 (reduced from 50) information returns of a particular type (e.g. T4 or T5 slips) for a calendar year would be required to file them electronically;
  • professional tax preparers would be required to file electronically where they prepare more than a total of 5 (reduced from 10) corporate or income tax returns for a calendar year. The exception for trusts would be removed; and
  • professional tax preparers that file electronically would only be permitted to file a maximum of 5 (reduced from 10) paper returns of each type per calendar year.

These measures would apply in respect of calendar years after 2021.

The mandatory electronic filing thresholds for returns of corporations under the Income Tax Act, and of GST/HST registrants (other than for charities or Selected Listed Financial Institutions) under the Excise Tax Act would be removed, resulting in most corporations and GST/HST registrants being required to file electronically.

Electronic Signatures

Budget 2021 proposes to allow electronic signatures on certain prescribed forms, as follows:

  • T183, Information Return for Electronic Filing of an Individual’s Income Tax and Benefit Return;
  • T183CORP, Information Return for Corporations Filing Electronically;
  • T2200, Declaration of Conditions of Employment;
  • RC71, Statement of Discounting Transaction; and
  • RC72, Notice of the Actual Amount of the Refund of Tax.

This measure would come into force on Royal Assent of the enacting legislation.

Electronic Payments

Budget 2021 proposes that electronic payments be required for remittances over $10,000 under the Income Tax Act and that the threshold for mandatory remittances for GST/HST purposes be lowered from $50,000 to $10,000. Budget 2021 also proposes to clarify that payments required to be made at a financial institution include online payments made through such an institution. This measure would apply to payments made on or after January 1, 2022.



Preserve Cybersecurity While Working Remotely

Most organizations have moved their workforces to some form of remote work as a result of the COVID-19 pandemic. Surprisingly, remote work has proven effective for many organizations, and they are now contemplating updating their remote work policies to allow employees more flexibility in a post-COVID-19 world. However, from a cybersecurity standpoint, remote work presents unique challenges and risks.

Employees may be accessing sensitive corporate data from their personal devices, or they may be using company-issued devices for corporate and unauthorized personal use. In both instances, hackers will prey on these distracted employees: sending them phishing emails in hopes of gaining access to the organization’s network, or stealing credentials which they sell to criminals who may then launch cyberattacks.

Technical Tips For a More Secure Network

That said, there are some basic steps organizations can take to improve their cybersecurity posture. Here are a few technical steps you can use as a good starting point.

The extra step in the MFA process could be an email or text message confirmation, a biometric method, such as facial recognition or a fingerprint scan, or something physical like a USB fob.

  • Updates and patches. During the pandemic, most IT departments were focused on moving a large portion of the organization’s workforce to remote work. This may have put other IT tasks on hold, such as patching and implementing non-critical updates. 

Hackers will take advantage of this delay to access networks and potentially steal data. Thus, implementing any updates and patches as quickly as possible should be a priority.

  • Securing home routers. Employees working from home are relying on the Internet and Wi-Fi access at their residence. Did they change their router password after it was first installed? If not, their home network may be vulnerable.

It is important to take simple steps to protect home networks and prevent hackers from having access to connected devices. While changing a router password is a good first step, your employees should take additional measures. For example:

  • Ensure that firmware updates are installed, so that security vulnerabilities can be patched.
  • Make sure the encryption is set to WPA2 or WPA3.
  • Restrict inbound and outbound traffic.
  • Use the highest level of encryption available.
  • Switch off WPS.

Employees needing help with these measures should connect with your IT department.

Passwords should be unique for every account and should comprise a long string of upper- and lower-case letters, numbers and special characters. Additionally, organizations should consider implementing shorter periods for password resets, for example, going from a 90-day to a 30-day reset cycle.

Help Your Employees Stay “Cyber-Vigilant”

While implementing strong technical safeguards is essential to having a strong cybersecurity posture, the most important risk to organizations remains their people when they fall victim to phishing campaigns. Phishing emails are sent by hackers to steal information that can be used in further targeted phishing attacks, credit card and wire fraud, and in installing malicious software on the victim’s device or on the networks they access.

During this pandemic, there has been a marked increase in the number of phishing campaigns that target remote workers in a bid to steal their personal information or gain access to company accounts.

The key to avoiding this vulnerability lies in employee training and reminders to constantly be vigilant. For example:

  • If an email appears unusual or requests immediate action (even when it comes from a “known” source), your employees should have the reflex to pause and proceed carefully.
  • If the email contains a URL, they should know to hover their cursor over the link to validate the source, and to not open any unexpected attachments.
  • If they suspect that they may have inadvertently fallen for a hacker’s ruse, their reflex should be to immediately report the incident to IT, rather than trying to resolve the issue themselves or ignoring it.

The pandemic has shown that remote work is an effective way for organizations to continue operating, so it is likely that some form of remote work will be part of how organizations operate in the future. That said, being aware of the risks and taking some basic steps can significantly reduce your chances of becoming a victim of a cyberattack while working remotely.



Protecting Your Business From Identity Theft

When we think about fraud committed against individuals, many of us immediately think of identity theft. Identity theft is the taking of a victim’s private information (such as their social insurance number or birthdate) to use for financial gain.

Examples of identity theft include applying for and using a credit card with the stolen information. Our awareness of identity theft as a crime has increased significantly over the past few years, because the issue has been regularly featured on the news and in popular culture, and the risks have been frequently highlighted by financial literacy organizations (such as CPA Canada).

What is business identity theft?

Though many people are well aware of the risks of individual identity theft, what is not as commonly known is that identity theft can just as easily happen to a business. Identity theft for a business has the same definition as for an individual: acquiring a business’s private information to use for financial gain.

Why does business identity theft happen?

Any person(s) committing fraud, including identity theft, will typically need to have all three of the following factors: incentive, rationalization and opportunity.

What information is needed to commit business identity theft?

For individual identity theft, a person’s social insurance number (SIN) and birthdate are key pieces of information to acquire. For a business, the key information to protect against identity theft is your company’s business number (BN) and/or provincial tax identification number. In Ontario, that would be your Business Identification Number (BIN). Other key information that may be used for business identity theft includes:

  • legal corporate / business name
  • mailing address
  • supplier names
  • customer names
  • employee information (e.g., email addresses and phone numbers)

What are examples of business identity theft schemes?

There are several ways in which a business identity thief can use the acquired information for financial gain. Examples include:

  • transferring funds out of the business bank accounts
  • opening and using a corporate credit card
  • applying for and receiving a loan from the bank
  • making large business purchase orders
  • filing false tax returns to receive refund amounts from the government

Consequences of Business Identity Theft?

The consequences of identity theft for a business, much like for an individual, are lost time and money. Examples include:

  • loss of revenue and cash from the business if fraudulent purchases are made
  • reputational damage if the fraudulent use of the business’s identity is carried out in ways that are antithetical to the business
  • tax liabilities to the government if fraudulent corporate tax returns are filed

Mitigating the Risk of Identity Theft

To mitigate business identity fraud, there are both preventative and detective actions that can be taken. Preventative actions help to protect against the theft occurring in the first place. Detective actions help to discover the business identity theft before significant losses have occurred.



Cyber Security: Mitigating the Risks to Cyber Attacks

Cyber attacks come in a variety of forms and with a variety of intentions. Whether for money or pure disruption, organizations are at risk of both the intrusion and the potential breach of regulatory obligations.

Identifying Cyber Risks

Nearly 90% of cyber incidents are phishing attacks. While the technological maturity level of an organization can greatly influence the response rate, statistics show that upwards of 30% of the targets of a phishing attack open malicious emails.

Up to 12% were found to take the next step and open the included website or attachment. As a result, your user base is often one of the weakest points in your environment.

Getting on The Right Track

Organizations can significantly reduce their cyber risk with the implementation of a consistent IT methodology with security in mind. Start by taking an inventory of your organization’s hardware and software.

By simply removing unsanctioned hardware and software from access to your network, you immediately improve your defences. Manage this going forward by restricting the administrative privileges needed to install new applications and to configure hardware options.

As part of your IT methodology, establish a consistent configuration base of all your devices. Add rigour to how these units are configured, and ensure that proper security protocols are used. In many cases, simply making changes from the manufacturer’s default settings will help reduce exposure.

Once you have established your configuration, employ change-control procedures to assess and monitor their upkeep. Work in a regular patching process to ensure that all your devices are up to date with the latest changes from the manufacturer, which often include security improvements. Many attacks focus specifically on out-of-date software versions.

As discussed earlier, many attacks are buoyed by fooling users into clicking a dangerous link or downloading malicious applications. As such, do not underestimate the importance of educating your user base. Be sure to highlight what to look for, enforce a critical thinking approach, and reassess as needed. Phishing email drills can be very eye-opening and can help to reinforce preparedness.

Getting the Right Help

Cyber security is an increasingly complex and important topic. As such, it is often difficult for smaller organizations to stay on top of their security needs. They may not have the proper in-house skills to set the right IT methodology in place or manage it going forward. There is certainly a cost-benefit consideration to hiring the needed technical help versus bringing it in externally.

Do not hesitate to look for help. There are numerous consulting companies that can be engaged to conduct an initial cyber security review or assessment of your current environment. These companies can either direct you as to where to make the most important improvements or take over the responsibility as part of an outsourcing agreement.

Responsibility to Protect

Currently, in Canada, it is not against the Criminal Code to fail to implement cyber security measures. However, there are a number of civil and liability obligations that are relevant.

Most notably, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is relevant to all personal information involved in commercial activities. PIPEDA calls for the protection against loss or theft, modification, copying, unauthorized access, or even disclosure of personal information. This means that the organization itself has a duty to protect the data in its realm.

PIPEDA is not the only regulatory component to be concerned with. Several provinces have passed similar legislation that requires the keepers of data to safeguard this information. Various industry regulators have also implemented regulations around not only the protection of data but also the reporting of intrusive events. For example, the Canadian Securities Administrators (CSA) requires market participants to implement a security framework (relative to their scale).

Cyber attacks are a part of the new reality in our increasingly connected commercial paradigm. Your industry, your scale and the sensitivity of your data will dictate how much you need to do to mitigate the inevitable intrusions. The basic steps above will help to reduce simple or widespread cyber attacks. However, do not underestimate the importance of an effective IT methodology to fully mitigate risks associated with cyber attacks.


Disclaimer: Avisar Chartered Professional Accountant’s blog deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.

Although every reasonable effort has been made to ensure the accuracy of the information contained in this post, no individual or organization involved in either the preparation or distribution of this post accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.

Antivirus Preparedness: What To Look For In An Antivirus Solution

Finding a good antivirus solution is kind of like searching for insurance coverage. We know we need it, but few of us really understand how it works. Here is a simple discussion outlining what antivirus software is, the threats out there and what to look for in selecting a security solution.

What Is Antivirus Software?

Antivirus software is a category of programs specifically designed to deal with various forms of malicious software (often referred to as malware) that can infect your computer and cause data corruption, breach of privacy or many other forms of harm. Typically, antivirus software is used to both prevent and remove the offending malware. Given that new kinds of malware are constantly being released, a key aspect of antivirus software is the frequency and completeness with which it is updated.

The term antivirus has become synonymous with protection against a variety of threats, and not just viruses as the name suggests. It is worth understanding, at least at a high level, what the various forms of these threats are.

WHAT THREATS SHOULD YOU BE CONCERNED ABOUT?

There are several different threats present in our modern environment. These are normally categorized by the method by which they are transmitted and/or by the malicious activity of the offending code and are collectively called “malware”. A few of the most prominent types of threats are listed below. This is by no means a complete list:

  • Viruses – usually an executable file that has the capability of replicating itself and can carry out several different malicious actions. Executing the infected file activates or triggers the virus to act.
  • Worms – similar to viruses in that they can replicate themselves, however, they differ in that they do not require the execution of a file to trigger their activity and are transmitted by taking advantage of gaps in existing security protocols.
  • Trojan horses – a type of malicious software or code that – as you can probably guess by the name – masquerades as legitimate software, and fools users into downloading it. Once downloaded and activated, a Trojan horse typically will open pathways for other malicious software to enter your PC.
  • Spyware – malicious programs that, once they have found their way onto your computer, collect various pieces of data about you, your transactions and/or any data that resides on your PC. Once this personal data has been collected, the spyware will transmit it back somewhere to be collected by hackers, who could potentially steal your identity.
  • Ransomware – probably the scariest of all the threats listed. In this case, the malicious software seeks out your important files – such as photos, documents, and videos – and encrypts them. Once these are all locked up, large sums of money are requested by the hackers to release your own files back to you.

Selecting Antivirus Software

Here are some important things to consider when evaluating an antivirus solution:

Comprehensive coverage – With the many different threats that are out there, it is vital that you are looking for more than just antivirus coverage, but also for other forms of defence. Things like a firewall, internet browsing protection and even identity protection are key elements to have.

Ease of use – No tool is worth anything if it won’t be used. Complicated pieces of software may provide a little better protection, but if it is not easy to understand, frustration will result. Look for easy-to-use screens, good documentation and options around how the product is configured.

Performance impact – This is probably one of the biggest complaints about robust security solutions. They can use a fair amount of your PC’s resources to run the checks, scans and updates necessary to keep you protected. If you find that you see consistent slowness in your PC, regardless of the product used, it may be time to upgrade.

Reliability – Reliable security software products have a few common elements. First, they are frequently updated, meaning that the provider is constantly adapting to new threats. Second, they have tools to automate the scanning process, and are highly configurable; so you can customize when they are run, and what files are investigated. They will also have a high malware detection rate (look for a number higher than 95%). The high detection rate indicates that few viruses are missed, and conversely that most are caught. Lastly, they should guard against being unintentionally uninstalled, as some malware has been known to uninstall the antivirus software that is present. This is easily prevented by adding required confirmations to the uninstall process.

FREE VERSUS PAID

This is a common debate. There are some good low- or no-cost antivirus products available, however, most research does point to the paid product as having a better long-term rate of malware detection. The paid software is updated more frequently, is more robust in terms of functionality and comes with better support. Free solutions, while less feature-rich, may provide less interruption to your PC – however, remember that, at the end of the day, those interruptions are saving you from harm.



Online Transactions: Know What’s Happening To Your Data

Online purchasing transaction security is not absolute. There are no longer simply “safe” and “unsafe” options, only alternatives with varying degrees of security. However, understanding how your data is stored and used is an important first step.

WHAT ARE THE RISKS OF PURCHASING ONLINE?

The risks of conducting transactions online are real and require constant vigilance. Online transactions are open to “normal” procurement risks, but also have a unique set of other hazards. Beyond being exposed to such things as fake websites, inflated user reviews, or the possibility of never actually receiving what was bought, purchasers can be exposed to much more sinister dangers. Credit card fraud and identity theft are real possibilities. It is not all doom and gloom though. The key is understanding these risks and what is being done to protect you and your personal data.

WHAT INFORMATION CAN ONLINE RETAILERS STORE?

The storing of personal data is controlled more by the industry than by federal or provincial laws. The Payment Card Industry Data Security Standard (PCI DSS) was implemented by the major credit card companies as a means of ensuring compliance amongst the retailers, online or otherwise. Deviation from compliance is met with stiff fines. Per PCI DSS direction, brick and mortar stores are required to keep customer data only until they have been successfully authenticated. Online retailers face similar restrictions. However, when it comes to saving data for repeat transactions, customer data can be saved if it is properly encrypted and guarded. Due to the complex nature of storing and managing customer data in this manner, this function is often off-loaded to third-party providers.

The actual data that is stored by online retailers, per the PCI DSS, is the customer’s:

  • name
  • account details
  • credit card number (a.k.a. Primary Account Number or PAN)
  • the expiration date

Not to be stored are the customer’s:

  • PIN number
  • the security code (CVV).

Further, access to the stored data is to be restricted, and the full PAN must be concealed. Policies must also be in place to destroy the customer’s data once it is no longer required.

WHERE IS PERSONAL INFORMATION STORED?

To understand how your online personal data is stored, it is important to understand that there are two different areas in which your data is stored. First, many people store personal details within their internet browsers (Google Chrome, Firefox etc.). This allows for increased convenience – you don’t have to enter addresses, credit card numbers and other details each time you want to shop online.

Websites can store these details in the form of cookies, or as part of the autofill functionality. Cookies are stored on your computer and accessed by the website when you navigate there, and can store account numbers, even credit card numbers. Recently, browsers have significantly expanded their use of autofill functionality. A large amount of personal data is stored within the browser setting files, and can be accessed to speed up the process for people filling out online forms.

Secondly, retail partners themselves maintain personal data in the form of customer accounts, complete with address, credit card, buying patterns and many other sensitive details. We have all signed up for customer accounts to take advantage of promotions, newsletters, points, or just to speed the checkout process. Online transactions are usually brokered by a Payment Service Provider (PSP). These PSPs tokenize the consumer’s payment details and are usually certified by the relevant agencies. The certification details are often available on the seller’s website. Tokenization means that the data is encrypted as randomized characters and transmitted as such. Interception of this data is meaningless, as the credit card numbers, addresses and other details have been scrambled.
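As an added illustration (not code from the original post or from any payment provider), the Python sketch below applies the storage rules listed earlier and the tokenization idea from this section: it keeps only the storable fields, drops the PIN and CVV, masks the PAN and swaps it for a random token. `TokenVault`, the field names, the last-four masking choice and the sample card record are assumptions made for the example.

```python
import secrets

# Allow-list of fields kept as-is. Anything else (PIN, CVV, unexpected
# fields) is dropped; the PAN is handled separately below.
STORABLE_FIELDS = {"name", "account", "expiry"}

# Constructed sample input; the card number is a widely used test number.
SAMPLE_RECORD = {
    "name": "A. Customer",
    "account": "ACCT-0001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "pin": "0000",
}


class TokenVault:
    """Hypothetical in-memory stand-in for a payment provider's token vault."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the holder of the vault can map a token back to the PAN.
        return self._pan_by_token[token]


def pan_digits(pan: str) -> str:
    """Strip spaces and dashes, then sanity-check the length."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("unexpected PAN length")
    return digits


def mask_pan(pan: str) -> str:
    """Conceal the PAN for display, leaving only the last four digits."""
    digits = pan_digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def prepare_for_storage(record: dict, vault: TokenVault) -> dict:
    """Build the record a retailer would keep for repeat transactions."""
    digits = pan_digits(record["pan"])
    stored = {k: v for k, v in record.items() if k in STORABLE_FIELDS}
    stored["pan_token"] = vault.tokenize(digits)  # retailer keeps the token
    stored["pan_masked"] = mask_pan(digits)       # safe to show on screen
    return stored


if __name__ == "__main__":
    vault = TokenVault()
    for field, value in prepare_for_storage(SAMPLE_RECORD, vault).items():
        print(f"{field}: {value}")
```

The retailer's copy holds only the token and the masked number, so a leak of that record does not expose the card; the mapping back to the PAN lives solely in the vault.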

HOW DO YOU SECURE YOUR INFORMATION?

If we think about the two different places where customer data is stored, it makes sense that we will have two different approaches to securing our personal data.

First, make a habit of reviewing and deleting the cookies saved on your computer, especially if other people use your computer. To stop new cookies from being created with your data, simply use the “Guest” option on websites as much as possible. This is usually available on most websites and refers to the option of entering only the personal data needed to conduct the immediate transaction. Much less data is stored for future recovery, or misuse. If you choose to save some of your data, use the autofill functions. This not only speeds up data entry later, but also stores it more securely than with cookies.

Finally, in terms of data stored by online retailers, staying informed and proactive on what data you have out there is important. Take a minute to read the retailer’s security policy and understand their policies in terms of customer data retention, and if they use professional third-party partners to guard your data. Consider whether you really need to create an account with the retailer to speed future transactions. Maybe you will prefer to manage this data yourself.



Bartering, Taxation, And The Internet

The normal procedure for business transactions follows the tried-and-true method of selling a product or service and recording the income. The income earned is taxable as earned income. Rather than use the traditional approach, many individuals and businesses may decide to barter their products or services.

Did you know that good business practice would suggest that you treat all barter and internet transactions as you would normal business transactions?

If you ever face a CRA audit, it will help spare your corporation, proprietorship or partnership the inconvenience of a long, laborious tax audit and potential penalties and interest – or even being convicted for tax evasion.

Bartering occurs when individuals conduct a transaction for goods or services without using a recognized medium of exchange such as money. Undoubtedly, most sellers who involve themselves in barter transactions are unaware that they are required to report the value of the transaction. And, there may be some who use bartering to circumvent corporate or individual income tax and GST/PST.

When bartering transactions occur in the normal course of business, there are effectively two transactions that must be considered:

  • The first transaction is the value of the service or product that is provided to the customer.
    • For example: if your business sells bricks, the value of those bricks should be included in the seller’s business income. Further, the HST/GST and PST (if applicable) must be added to the value assigned to those bricks, then it should be reported and submitted.

Note that this assumes that the individual providing the product or service has already reached or surpassed the small supplier threshold of $30,000 with sufficient “conditions.” You can review these requirements on the CRA website.

  • The second transaction to record is the assigned cost to the goods or services received in exchange for the product you have provided.
    • Assuming that the person or business with whom you are bartering is an HST/GST registrant, it may be possible to record and claim the Input Tax Credit (ITC). If that provider does not provide their GST number, you will have to record the assigned cost as an expense and cannot claim the ITC.

There may be situations when the barter transaction may be considered the sale of capital property. In this case, the transaction may give rise to a capital gain. Your CPA will be able to provide guidance on these transactions.

INTERNET SALES

Bartering has been around since before the advent of currency, but the ability to barter has been enhanced and overshadowed with the advent of the internet, providing access to millions of opportunities to not only barter but also to sell goods or services.

For those who have used the internet to conduct what may be construed as business transactions – whether innocently or intentionally – the CRA believes that there are enough transactions not being reported that are negatively affecting its treasury.

Consider that the CRA court-ordered eBay Canada to release the following account information and sales data of Canadian residents who conducted transactions on its online selling site:

  • sales of more than $20,000 and at least 24 sales transactions in any of the calendar years 2006, 2007 or 2008, (irrespective of membership in eBay’s PowerSeller program), or
  • sales of more than $100,000 in any of the calendar years 2006, 2007 or 2008, regardless of the number of sales transactions.

Given this court order, any Canadian-resident eBay seller who meets these sales thresholds will have the following information released to CRA: full name, user ID, mailing address, billing address, telephone number, fax number, email address, and the selling prices (high bids) of the items.

If your transactions meet the above criteria, a wise business decision would include contacting your local CPA and determining the need for voluntary disclosure to prevent penalties and interest, should the CRA carry out an audit.

The following information is required for voluntary disclosure:

  • name, social insurance number (SIN) and date of birth of each member of the family
  • if a business, the names of the principals of the partnership or the shareholders of the corporation, along with their SIN
  • the last personal tax returns that were filed for the individual and family members
  • the date that the eBay business started
  • if the business is a sole proprietorship, partnership or corporation: the business number
  • for a corporation, the articles of incorporation and the provincial corporate tax number
  • Financial statements, whether for incorporated companies or for sole proprietorships or partnerships, should be available to establish whether eBay income was reported when filing returns.
  • Tax returns should be available to support the financial data that indicates whether eBay income was reported.
  • For corporations or sole proprietors that are registered for GST/HST, all returns filed with the CRA from the date eBay transactions began should be made available. (If the taxpayer exceeded the threshold for registering, the CRA may retroactively register the corporation or individual.)
  • bank accounts showing all transactions through platforms such as PayPal
  • Sales income and expenses that may offset recorded income and therefore affect HST/GST/ITC should be made available. Expenses that may be allowable are those that are necessary to earn income. (It is advisable to review your expenses with your CPA.)

The court order issued to eBay defined the time frame for the information that the CRA was seeking to audit. Canadian taxpayers should not conclude that they have avoided an audit because they have not received a notice of audit.

If your eBay account meets the criteria discussed above, contact your CPA and discuss the possibility of submitting information to the CRA under the Voluntary Disclosures Program (VDP).



Electronic Signatures

Owner-managers have adapted quickly to transferring funds electronically, paying invoices online and scanning and sending data to and fro.

When it comes to product delivery, contracts or agreements, many are still relying on hardcopy signatures or faxed copies of paperwork to finalize the deal or witness product or service transactions. This process can be time-consuming, with the need to attend your solicitor’s or client’s site or to print and file shipping or receiving documents.

Signing documents electronically is a great solution for saving time while ensuring they are legally binding.

Two types of signatures are available that help make this process easier: a digital signature and an electronic signature. Both methods produce the same effect: The signed document is recognized as an authentic signature of a signatory and meets the Canadian standards for electronic signatures.

Canadian law regarding electronic signatures is under the guidance of the Personal Information Protection and Electronic Documents Act (PIPEDA). It states:

  • “An electronic signature means a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document”
  • “A secure electronic signature is an electronic signature that
    • is unique to the person making the signature;
    • the technology or process used to make the signature is under the sole control of the person making the signature;
    • the technology or process can be used to identify the person using the technology or process; and
    • the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.”

ANDROID OR APPLE?

Most businesses will require electronic signatures with hardware and software that will allow someone to sign off on a document from anywhere. Whether you have Android- or Apple-based hardware and software, you can buy a tablet or iPad that’s Microsoft Word or Excel-compatible and allows PDF signing in an application such as Adobe Acrobat. In theory, they let you start e-signing right “out of the box.”

HARDWARE COST

The hardware cost for signature pads varies from $150 to $650. The less expensive models provide a basic touchpad and stylus, while the more expensive models approach legal-sized electronic units that will provide an electronic copy of the document and a hardcopy if needed. Regardless of the unit you’re considering, ensure your choice includes high-quality biometric and forensic capture techniques to guarantee confidentiality and reliability.

WHAT TO LOOK FOR

Most companies that offer electronic signature capabilities should provide the following:

  • You should be able to provide your signature via all of the business’s formats (smartphone, laptop, etc.). Using your finger, stylus, mouse or keyboard makes it valid.
  • It should enable a complete audit trail with date and time stamps and in-document checkboxes that ensure signees follow the expected procedure in a reasonable timeframe.
  • Your documents should be secure, encrypted and legally binding in every country.
  • It should create unique signatures that can only be used by the signatory. (Only individuals authorized by an organization have document access, and all files are encrypted during transit and storage.)
  • Signatures should be able to be stored securely in the Cloud and at your premises.
  • User authentication methods should be equal to the transaction’s security need.
  • There should be multi-party signing capability for items needing more than one signature.
  • You should be able to track the progress of the document.
  • The solution should be able to integrate with the application your company is already using, such as Google Drive, DropBox or SalesForce.

AND THE COST …?

The cost of obtaining and maintaining your electronic signature template is tricky to find and understand. Most websites will not provide a specific quote. Some will start with a basic per-year cost, but will still require that you contact them to see if your business is able to take advantage of bulk discounts or discuss whether your specific application requires additional features that add to the cost.

Companies such as Adobe may offer their service as part of an integrated package. Packages are usually sold for a flat monthly or an annual fee or are based on the number of senders (similar to cost structures of most software, where more users mean higher cost). Or you may pay on a per signature basis.

As you can see, good business practice suggests that determining what the business requirements are before making a final decision will avoid disappointment and expensive upgrading. You will need to contact the supplier for help determining your specific needs, then work with them to agree on the costs to the organization for such a solution, based on how you will integrate existing systems and your needs for hardware, software, communication and reporting.

If your business has become comfortable with the paperless approach and you’re already using it for banking, invoicing, payroll, purchasing and sales, maybe it’s time to “complete the circle” and adopt electronic signatures, too.

