Friday, May 31, 2013

The Small Medium Business Online Banking Crisis

Smaller businesses are now the #1 target for online banking theft. Your banking credentials are obtained through malware, social engineering, or brute-force username/password guessing. Here’s the rub: unlike a consumer account, a business account isn’t insured against theft from online banking transactions. Your money is just gone.

Meanwhile, banks are encouraging all of us to participate in online banking. Some are even going so far as to charge additional fees for not using “paperless” accounts.

Here are a few sample thefts to read about:
http://krebsonsecurity.com/2013/05/nc-fuel-distributor-hit-by-800000-cyberheist/

http://krebsonsecurity.com/2013/04/bank-sues-cyberheist-victim-to-recover-funds/

http://krebsonsecurity.com/2013/04/hay-maker-seeks-cyberheist-bale-out/

These types of cases are most often settled in favor of the bank and not the business. But even if they were settled in favor of the business, how many businesses can survive drained bank accounts AND an expensive lawsuit? It’s a mess. Courts are finding in favor of the banks by pointing out that the businesses haven’t taken the bank up on every security feature that it offers. Whether you know about these options or not is another thing; your bank might not tell you. My credit union told me, “Of course we would cover you in case someone broke into your account.” “Oh, that’s great. Can I see that in writing?” As you can guess, the conversation ended there. They don’t have it in writing because it’s not really going to happen. “You should use our new phone banking app!” “I don’t think so.”

Security is one of those things that has no absolute. We can’t guarantee security; no one can. We can, however, make things more secure. Being more secure than the next guy means that it’s more work to hack you than someone else, so the thieves will go after that someone else. So here’s what we did, and what I suggest that you do as well. Recognize that you have to have online banking these days; here’s a suggestion for how to handle it.

  • Open a set of bank accounts that have NO online access and keep most of your funds there.
  • Authorize the fewest number of computers possible to access online banking accounts. (BTW, online banking includes ACH, wire transfers and payroll.)
  • Take advantage of EVERY security option that your bank offers.
  • Have current anti-malware software.
  • Install and configure EMET. It’s a free security package from Microsoft that hardens applications such as browsers against common exploitation techniques.
  • Install and configure Tracking Protection in Internet Explorer.
  • DO NOT authorize anyone to do banking over a mobile phone.
  • Keep your limits low for ACH and payroll transfers. Set instant alerts if your bank offers them.

This is a place for serious policies and additional protective computer security. We can help by providing a boilerplate policy and by installing and configuring additional security on your authorized banking computers.

If you really want to get serious, we can create a virtual computer that is only turned on for banking, then turned off again, and used for nothing else.

Please think seriously about your security and let us help you make these important decisions.

-Amy

Wednesday, May 29, 2013

Cloud + BYOD = A Greater Need for Security

It seems that recently all of the articles are telling business owners to stop buying PCs and let their employees buy them instead. I even saw that the AICPA (the CPAs’ association) was holding continuing education where the whole day was dedicated to BYOD (Bring Your Own Device) and Cloud. Of course, if you dig into their credentials, the people giving the presentations were representing Cloud service providers, so they aren’t unbiased, and that’s really a problem because their advice isn’t complete; it’s one-sided.

BYOD can be a good idea, and it makes sense for some types of employees. As the information age matures, we are definitely seeing that the information worker is the new blue collar. There’s a history of blue-collar workers preferring to work with their own tools (carpenters, electricians, plumbers) and then eventually being required to have their own set of tools in order to get a job in the first place. We are seeing the same pattern in the information age.

It started with smartphones but has now moved into laptops, and oddly it’s actually the employees who want to use their own computer instead of yours. They think it will bring them more freedom to work the way they want to work and use the applications that they want to use. They also think that then you can’t tell them not to watch TV, listen to music or spend time shopping, because it’s their computer. How you manage this new environment is really critical for your business, and security becomes an even greater concern than it has been previously.

There are many questions to be answered:

  • If there’s a problem with the employee-owned computer and the employee isn’t productive at work because of it, what will you do?
  • If the employee-owned computer is infected with malware and infects other employee computers, who will pay for the repairs?
  • If an employee uses their own applications for work and those are not licensed properly, who is liable?
  • If an employee uses their own applications for work and those applications contain your data, how will you retrieve it when they leave your employment? Is there a backup for that data?
  • If one employee uses software X and another uses software Y, incompatibilities are introduced. What now?

Policies will need to be implemented. I suggest that you think about them and implement them well before you start allowing employee-owned equipment into your business. There are new human resource issues, new security problems, and new acceptable uses. We have a host of sample policies to help you get started.

Security will need to be redesigned. The network will need to be reconfigured. A balance needs to be struck between making employees productive on their own computers and protecting the corporate computers from any malware that they might bring in. We need to protect the ownership of your data too.

It’s a brave new computer network out there, one that can bring benefits but that has huge potholes of disaster waiting for those who don’t plan. We really don’t want to see any of our clients suffer, so let’s make that plan before any problems occur.

-Amy