Business Bank Accounts Under Siege By Cyber-Criminals
Did you know that your U.S. business bank account is not insured by the FDIC? Instead, they are covered by the Uniform Commercial Code (UCC) which is not as comprehensive as FDIC coverage. Furthermore, individual banks may be able to wiggle out of what little coverage the UCC offers by simply changing their commercial banking agreements!
In their article “Cyber Crime & Bank Fraud”, BusinessIDTheft.org says that in 2011, the FBI investigated over 400 reported cases of business bank theft that resulted in over $85 million in losses to the firms involved.
Why are cyber-thieves targeting small business? Recent studies have shown that 83% of small businesses take no formal measures against cyber-threats even though almost half of all attacks are aimed at them. Some business owners do not take cyber-crime seriously, some don’t have strong internal controls to quickly discover a theft, and others feel that it is not worth the money to harden their computer networks and websites against outside intrusions. Many small business owners feel that cyber-criminals only concentrate on high-profile, large companies and that their companies are “under the radar”. They’re wrong!
Cyber-thieves are looking to profit from the proverbial “low hanging fruit”. After all, cyber-crime is a business. Why spend countless man-hours probing hardened networks, create or buy expensive intrusion programs, or risk discovery by the state-of-the-art detection systems of large corporations when they have such easy pickings exploiting the small-to-medium size business (SMB) market?
Don’t make it easy for cyber-thieves to steal your company’s cash reserves. Here are some things you should do:
- Limit access to banking, financial, and accounting sites. If possible, designate one (1) workstation to perform these functions and do not allow web surfing of any kind from this system. This designated workstation should also have secure, limited physical access.
- Frequently review bank transactions. All banks have online banking so there is no excuse for not reviewing transactions and balances daily. Report suspicious activity to your bank the moment it is detected. Many people think that if a cyber-attack occurs, the criminal will just clean out the entire account and therefore, they’ll quickly know and report what has happened. While many attacks do happen that way, what if a criminal gains access to your business account and, seeing that it has high activity (i.e. deposits in and automated withdrawals out), they siphon off a small amount over an extended period of time?
- Make sure your network is protected with hardware and software firewalls and monitor your network against intrusion. Periodic network intrusion scans are a great tool in the war against cyber-crime.
- If you have a company website, periodic Web Application Scanning will highlight vulnerabilities in your website that can be exploited by cyber-thieves. Once discovered — Fix Them!
- Have an enforceable Password Security Policy. Make sure all employees are instructed to never divulge their passwords, don’t use the same password for more than one system, and use long passwords from 8 to 15 characters in length comprising of upper and lower case characters, numbers, and special characters.
- Have a Backup/Disaster Recovery Plan in place and make sure all files are backed up daily. Utilize onsite and Cloud backup systems to fully protect your company’s data.
- Educate your employees. After all, they are the weakest link in your company’s IT security. Make sure they know not to click on links within emails from people they don’t know as well as how to identify a socially engineered attack.
- Lock company-sensitive files in password protected folders on your server and limit access to those folders. Hard copy sensitive documents should be identified and secured in locked cabinets with restricted access.
- Keep all software up-to-date. Make sure operating systems and applications on servers and workstations are updated and patched.
- Never operate a server or workstation without up-to-date anti-virus and anti-malware protection. Viruses, spyware, Trojans, etc. are the main ways cyber-criminals hack systems, steal secrets, and destroy data.
The internet is the most significant invention of our age. It has transformed the way the world gathers, keeps, and uses information. Online commerce is a world economic growth engine. But the internet has a dark and dangerous side. Tech-savvy cyber-criminals are, at this very moment, inventing new ways to steal your money using the internet. Why attack one company when you can simultaneously attack hundreds or even thousands at a time!
After reading this article, the first thing you need to do is ask your bank manager for the latest commercial bank account agreement. You want to see in writing what your bank will or will not do for you should funds get stolen. Will they restore your funds? If so, specifically under what circumstances? Get it in writing.
The bottom line is that you as the owner of your business, are responsible for protecting the assets of your company. Find out from your bank if or how you’re protected and then immediately implement the internal controls outlined above.
The IT landscape changes daily. No one article, blog post, or book can give you every single way to protect yourself. Keep up on the latest IT Security news. Here are a few internet resources:
XSolutions “The Letter ‘X’ Blog”
The Federal Bureau of Investigation Cyber Crime site