ARLINGTON, Va. — A man walks into a bank with the intention to rob it. He slips the teller a note; the teller turns to him and says, “You know you can do this online now.”
That punch line is how John Walp describes the cyber threat epidemic.
“It’s an old problem with a new face,” said the administration vice president and corporate information security officer at M&T Bank Corp, which has branches across the Northeast. “It’s more difficult to chase down when the person robbing your bank is 6,000 miles away.”
Hackers are finding it easier to target small and mid-sized businesses as large businesses erect more sophisticated information security systems. In the recent past, Americans have seen an increase in cyber security threats, which adds up to large business losses.
Symantec Corp. identified more than 240 million new malicious programs in 2009, double the number from the year before. A White House report last year found businesses have lost more than $1 trillion of intellectual property because of these attacks. The National Institute of Standards and Technology, an agency of the Department of Commerce, calculated that it costs about $130 per person to notify everyone whose data might have been compromised, as some state notification laws require.
Because business accounts don’t have the same protections as consumer accounts, they are more likely to incur the costs of cyber threats. Small businesses are less equipped to handle cases of fraud, so the costs to them are typically higher. The average cost of fraud to self-employed and small-business owners is $4,627 compared with the national average of $4,240, said Stephen A. Cox, president and CEO of the National Council of Better Business Bureaus.
The No. 1 takeaway almost all panelists at a Federal Deposit Insurance Corp. symposium on cyber crime stressed Tuesday is that small-business owners need to be aware of the threats that exist and be educated on solutions. Here are eight recommended ways to beef up your cyber security system.
1. Dedicate another machine for all financial transactions. “The ideal is really to have a separate computer workstation that you use only for payment functions,” said Deborah Shaw, managing director of network enforcement and risk management at NACHA, an electronic payments association and small business that employs a staff of 65. “If for some reason that’s not possible, then at least restrict that computer you’re using this for so they’re not also going on social networking sites,” said Shaw, pointing out the vulnerabilities on websites such as Facebook.
2. Get the chief financial officer involved in information security. Don’t turn to the IT department to make your cyber security system more robust. “The IT guy already knows about cyber security,” said Larry Clinton, president and CEO of the Internet Security Alliance. “The IT guy is already starved for funds.” In 95 percent of companies, the CFO is uninvolved in information security, Clinton said. He recommended CFOs create a cyber risk team to develop a risk management plan that should be analyzed, tested and reformed regularly.
3. Prepare for threats from the inside. Employees have been more likely than hackers to be a security threat within the last year, Clinton said. It is important to restrict administrative access so employees don’t — intentionally or not — pose a security risk. In addition, separate accounts make it easier to track down the source of any malicious programs. Employees should also be required to regularly change their passwords, advised Richard Kissel, computer scientist at the National Institute of Standards and Technology. Also remember to restrict former employees’ access as soon as they leave the company.
4. Effectively destroy data. Often computers that end up on eBay or in thrift stores contain sensitive information that should have been purged, so take extra precautions when discarding any media. That includes everything from using a crosscut paper shredder to physically destroying hard drives, Kissel suggested. Businesses can also contract companies that specialize in destroying data.
5. Be skeptical of unsolicited phone calls. Sure, phishing scams might seem obvious, but an increasingly popular way for hackers to obtain information is by calling companies using contact information listed publicly online. These social engineers might pose as an IT guy, claim they need to patch the company’s system and ask for vital security information over the phone, Walp said. Receptionists should direct these calls to a business owner or executive. Before any information is given out, it is important to verify the identity of the caller by asking for specific information that only the company’s real IT provider would know.
6. Limit check transactions. Checks remain the most popular way to commit payment fraud, accounting for 68 percent of cyber crime, followed by consumer cards at 20 percent, said David Bellinger, director of payments at the Association for Financial Professionals. In 2009, 73 percent of organizations experienced attempted or actual fraud through checks. Businesses are protecting themselves with a variety of methods, including positive pay, an anti-fraud system that protects companies from altered and counterfeit checks. If possible, businesses should shift more transactions away from checks, Bellinger urged.
7. Check every link in the chain. Business owners should verify and validate the soundness of every aspect of their online and financial systems, from the integrity of Web hosting to bank monitoring. A security system is only as strong as its weakest link, said Murray Walton, senior risk officer at Fiserv Inc., a company that specializes in information management and electronic commerce systems.
8. Practice good Internet hygiene. Just like washing behind your ears and flossing your teeth, you need to establish smart online habits. This includes everything from keeping your machines up to date by downloading necessary patches to signing out of personal accounts and not logging into financial accounts over unprotected wireless networks. Being aware of the potential threats is the first step to ensuring one’s business is protected.