Company secretarial services

You know you can’t work forever – and you certainly aren’t immortal. But plenty of business owners are living as though they’re completely infallible.

If you only make one security tweak to your business, it should be this: turn on multifactor or two factor authentication. Multifactor authentication (MFA) is a simple change that can massively improve data protection. Without it enabled, your business or Not for Profit organisation could be in breach of the Privacy Act depending on the type of information you hold. What is multifactor authentication? Multifactor authentication means accessing a particular app or system requires more than one method of identification. Without MFA, you log on via one device, with a single set of credentials. MFA requires more from users based on three factors: Something you have, like a smartphone or a secure USB key Something you are, like a fingerprint or facial recognition. Something you know, like a password or PIN. For example, to log into Xero online, you enter your email and password. With MFA, you then need to confirm your identity another way – such as on your phone via the Xero app. If MFA is enabled for Microsoft Outlook and you log on using a device that isn’t trusted, you will also need to enter a security code that has been sent to a trusted email account or phone number. Whether it’s a text code, a fingerprint or a phone confirmation, MFA ensures more than one ID method is required to get into your important data. Most platforms and applications give you the option to switch it on through your security settings. It seems inconvenient – why would you bother? Single-factor authentication can make it much easier for a cybercriminal to compromise your bank accounts, accounting software, or business systems from anywhere in the world. All they need is your email address and password, which might have been stolen or leaked, or gained through phishing. With two-factor authentication, it becomes exponentially more difficult for malicious users to get access to your systems. According to Microsoft, there are more than 300 million fraudulent sign-in attempts on its cloud services daily: “All it takes is one compromised credential or one legacy application to cause a data breach.” It estimates that MFA can block more than 99.9% of account compromise attacks. If that seems too high, perhaps it is, but MFA is still highly effective; Google says its implementation of MFA halved the number of account compromises. When you have MFA enabled, it’s less concerning if your password is leaked or compromised. That alone won’t be enough to allow a hacker to gain access. Without MFA, you’re probably in breach of the Privacy Act The Office of the Privacy Commissioner recommends all organisations, regardless of their size to introduce MFA. When a breach occurs, one question often asked is whether an organisation has taken reasonable steps to protect the data they hold. If it is deemed the organisation did not take reasonable steps to protect its data, this could result in a breach of the Privacy Act. What’s reasonable depends on the size of the organisation breached and the scale and sensitivity of data it holds. No matter how small your business or charity might be, it almost certainly holds some personal information. It might be as basic as a list of members’ names, phone numbers and email addresses. Or perhaps it’s a more complex customer management system that includes payment details, health information or biometric data. As such, implementing the MFA is no brainer. Under the Privacy Act, every organisation or individual that holds data must collect it appropriately, keep it safe and allow the people it concerns to be able to access it (for more details, read the Privacy Principles). The Office of the Privacy Commissioner describes two-factor authentication as a bare minimum for small businesses or organisations that hold digital information. Without MFA in place, if someone unauthorised accesses your business data, you are likely to be in breach of the Privacy Act. This could lead to a penalty under the Act starting from $10,000; the most ever awarded is just over $168,000. The risks of a data breach go far beyond penalties, though. Your organisation may also experience potentially huge financial losses, reputational damage, and be forced to shut down. We know of one instance where a small online business experienced a data breach, and the cost of remediation and compliance was so high that dissolving the business was the best outcome. Cyber incursions are such a significant risk it’s hard to overstate their potential impact – yet many organisations are unaware of their responsibilities and risks. It’s all part of everyday risk management Cyber security can feel like a particularly thorny specialist topic that sits outside business as usual. But there’s a better way to think about it – cyber security is simply another risk management activity. It’s not separate or unique or different to other risks in your business, so managing it should equally be an everyday task. This means switching on MFA and getting everybody using it automatically, as well as keeping up to date with software patches and managing passwords effectively. Simple steps like these go a long way to protecting your organisation from breaches. In some cases, you might need to switch platforms to be able to access MFA for your organisation. We also occasionally see small regional organisations in areas that are digitally excluded, which can make this tricky. There may be workarounds available, or alternative platforms that can help. Create awareness and provide training We know that it can feel inconvenient to add MFA to apps you use frequently. If those who use your systems don’t understand the importance of using MFA, they may find this extra effort irritating, or try to switch it off. It’s essential to have all users on board. Education is the key – you need to explain to everyone why MFA is vital and why it is well worth the additional effort. You need to create awareness and provide training. According to research by Verizon, 82% of all cyber attacks “involved a human element”, and phishing scams still dominate social engineering attacks. We know that many small and medium enterprises and Not for Profits, don’t have in house IT and cyber expertise, however, being small or local doesn’t exempt you from the Privacy Act, so you still need to make the effort to not only enable MFA, but to understand your obligations under the Act, establish cyber security policies, and incorporate MFA into your overall approach to risk management.

Beyond compliance: What are your annual financials really telling you? With the first six months of the 2024 year behind us and March 2023 year end compliance work in full swing, it’s always interesting to see common themes jumping out from clients’ financial reports. While annual compliance can be seen as a chore for many, it still provides important opportunities to discover valuable insights to keep your business safe and help it improve. What’s behind your record revenue numbers? To a large degree this is an inflation story, but we are seeing genuine growth in the mix as well. The key is maintaining and increasing the gains you’ve made. Revisit your goals for what you want your 2024 year-end financials to look like and develop or enhance your plan to get there. For example, what can you do to generate more leads and increase customer retention? From setting up a customer feedback programme to exploring where advertising your brand would be most effective, a little bit more investment in your sales and marketing efforts can make a huge difference. And, how well do you know your client base, and what are your most successful and profitable product lines? While you’re likely to have a reasonably accurate idea of where your revenue is coming from, investing in tools and software to segment your customer base can open up a whole new world of up-to-the-minute insights about what’s working well and what isn’t. You can then allocate more resource to the most successful products and services. Take the 80/20 rule for example – if 80% of your revenue comes from 20% of your customers or offerings – focus on that instead of everything else. This can also give you time and space to explore new products or services to enhance your customers’ experience. The margin squeeze: Reduced gross profit percentage A weaker New Zealand dollar, higher costs of freight and shipping in the earlier part of the 2023 financial year, and higher costs to purchase goods all contribute the squeeze. While businesses have put their prices up, contributing to the growth in revenue, in many cases it has not been by enough, or not soon enough to maintain gross profit margins to the same extent as in 2022. We typically see a lag in clients putting their prices up, often wearing cost escalation for fear of losing business and market share. Keep a regular eye on your month to month and year to date financial results, along with comparison to prior years. Once or twice a year just isn’t going to cut it in a volatile economic environment. This is where the power of periodic reporting comes in. These monthly reports act as a temperature check for your business by giving you updates about your key performance indicators which typically include: • Current ratio of liabilities to assets (working capital) • Gross and net profit margins • Interest cover • Stock turnover • Aged debtors and creditor payment times • Ratio of wages to sales It may sound onerous to set up, but it’s an invaluable exercise. Once you have reports automatically rolling over monthly, you can also streamline your annual compliance requirements, save a considerable amount of time trying to find historical information, and get regular up-to-date results that lead to improved decision-making. Overheads are creeping up What seems like death by a thousand cuts, with overheads up across the board, a little here and a little there, it absolutely makes a difference, particularly at the wages line. We’ve heard this in the media on a frequent basis and it has absolutely been playing out in clients’ results. Watch out for ‘lazy’ costs. It’s easy for excess to creep in when times are good and the cash is flowing. Consider what is necessary to core business and staff morale and retention, and focus on trimming the fat. Are you up to speed on technology developments within your industry, and continued emergence of AI? Are there tools or processes you could introduce to materially reduce overheads or improve efficiencies? This could include reducing the impact of travel on your overhead costs by using technology for meetings instead, or simply delaying capital expenditure for a certain period of time. Sometimes bigger cuts need to be made – particularly when it comes to wages, but proceed with caution and approach all decisions with a future focus. For example, if you need to reduce your headcount, will this increase again during your next growth phase? There’s always going to be costs for recruiting and training new team members, and if the labour market is tight how will this impact your ability to deliver products and services to customers? It all comes down to cashflow A cliché no doubt, but cashflow is absolutely the lifeblood of your business. There’s lots of levers you can pull to improve your position, including: Terms of trade with your customers: Can you reduce/re-negotiate payment terms, speeding up your cash conversion rate? Making customer payments easy: Set up a click through payment function within your invoices and enable payment by credit card. The easier it is to be paid, the sooner you will be paid. Focus on debtor collection: Stop putting off those tough conversations and start making your accounting software work for you – many products have automated reminders. Take the time to set this up and any other relevant functionality. It will save you time in the long run. Are you carrying too much stock? Does your stock system alert you to aged stock? And, without shooting yourself in the foot from a margin perspective, what clever ways can you clear excess stock profitably? Are you paying your creditors too soon? Make the most of payment terms available to you and consider re-negotiating with suppliers where applicable. Are you getting the best deal from your suppliers? Go to market and see what’s out there. We’ve seen some incredible cost savings for clients undertaking this activity. Consolidate your suppliers: If you’re using a multitude of suppliers, explore options where you can negotiate a better rate by spending more with fewer suppliers, resulting in cost savings overall Consider debt funding structures: You may be able convert short term bank overdrafts into term debt to spread the load during times of tight cashflow. Jump on the tax pooling bandwagon: Consider using tax pooling to smooth out or defer provisional tax payments. And above all, forecast, forecast, forecast! Failing to forecast cashflow and plan ahead can cause even the most profitable businesses to rapidly fail.