Ramesh’s Take: When a small business’ bank account is compromised, don’t count on the bank to make everything good again. While banks generally cover losses incurred by individuals due to account breaches, the law dictates that they are not liable for business losses as long as they employ ‘reasonable security measures.’ With online attacks against businesses on the rise and no clear demarcation of liability, businesses must take steps to protect their interests. Communicating with the bank, outsourcing security to expert firms, using dedicated computing resources to access the bank and controlling access to sensitive data all can help keep your business safe. Silo addresses these concerns, keeping information secure and giving businesses peace of mind when the banks won’t. Read the original article here.
Businesses handle most of their banking using online applications or web apps today. Many executives trust in the relationships they have with vendors, including their banks. When problems come up, businesses expect vendors to fix them somehow. Take note: if your online bank accounts are hacked, resulting in the loss of data or funds, don’t count on your bank to make everything good again.
Recent court rulings suggest that banks need only show that they have “reasonable security measures” in place to protect their business customers. The definition of “reasonable” is still up for discussion: no U.S. federal standards yet exist for online banking security, nor is there a federal data breach law that would cover business bank account breaches. Judges ruled in June that a Missouri escrow firm that lost $440,000 in a 2010 cyber heist cannot hold its bank liable; worse, the firm is also on the hook for the bank’s legal fees. The Missouri District Court found that the escrow firm had not followed security precautions suggested by its bank. In an interview, the CEO of the escrow firm stated that his company would probably go out of business as a result.
While banks generally reimburse consumers for theft related to personal credit cards and accounts, that is not always, or even typically, the case with business accounts, which don’t have the same protections. Online attacks against businesses are growing, yet there’s no clear line of demarcation for liability, says Mickey Estey, an insurance broker at R-T Specialty LLC who specializes in professional liability related to media and network security. “The trend is incident specific,” he says.
There have been large settlements where customers prevail against their banks in court, such as with Patco, a Maine construction firm that lost more than $600,000 and TRC Operating Company, a California oil production firm that will be reimbursed $350,000 from its insurance provider for its losses. Yet in both cases, there was clear evidence that the bank made a mistake leading to the cyber attack. When the evidence is gray, companies have far less leverage. “It varies from state to state, but we’re seeing that increasingly, banks are prevailing in court,” says Jeffery Chiow, an associate specializing in compliance with law firm Rogers Joseph O’Donnell.
SMBs: Ticking time bombs for cyber disaster
A 2014 Ponemon Institute study found that the average cost to a company from a data breach was $3.5 million, 15 percent higher than the previous year. “Evidence shows me that SMBs are more often becoming targets of online fraud because they are perceived as having valuable data and less sophisticated defenses,” says Chiow.
Even if your company has name-brand antivirus and security software, you’re still not safe. Phishing attacks persist (an employee clicks a rogue link in an email disguised as coming from the bank or another trusted vendor and enters login or other sensitive information), but the latest breaches are trickier. Say, for instance, an employee is innocently surfing the web, encounters an insecure site and clicks on a link, after which a piece of malware is automatically downloaded to his computer. From there, the malware records keystrokes on the infected PC or device and recognizes when an individual is logging onto a financial site. Once the login information is captured, hackers sell the data to large online criminal networks that quickly initiate the fraud; wire transfers stealing hundreds of thousands of dollars can occur in a few hours or even minutes. “At a small business, if the banking credentials are hacked, by the time somebody notices the fraud, the money is long gone and often can’t be recovered,” Estey says.
So what’s a business to do?
The first step is to accept that the business is ultimately responsible and that banks will not be there to clean up the mess. Now you can start to systematically think through where vulnerability exists, and what measures you can take to implement security controls and tighten up internal processes. Here are some ideas that will get your organization moving in the right direction.
1. Talk to your bank. Determine who at your bank is well-versed in the access-control processes and security measures that protect business accounts. You might have to drill down a few levels to find the right person, but it’s worth the effort to understand exactly what your bank is doing on the security front and how they will help your business in the event of fraud. How do they protect wire transfers, and do they use advanced encryption and offer sophisticated MFA (multifactor authentication) tools to thwart hackers? Do they have anti-fraud software to quickly detect suspicious activity and notify customers immediately? Do they ask for customer passwords over the phone, email or text? (They shouldn’t.) Consider that a smaller regional bank may have less sophisticated defenses than a major institution such as Wells Fargo or Bank of America.
2. Outsource to the experts. In the age of cloud computing, there’s no compelling reason for a small or midsize business to manage its own security systems, much less networking and other complex infrastructure components. For one, that’s expensive; for two, it requires specialized skills that are usually not available in an SMB; and for three, hacking tactics are changing all the time. Qualified security experts, whether software vendors, auditors or consultants, will know exactly what you need based on your company’s industry and risk profile. Service providers can manage antivirus and other security technology updates, a common area of forgetfulness at small companies. “Don’t try to do this yourself,” Estey says. “Make sure that you have contracts in place stating explicit obligations among various IT providers for breaches and loss,” adds Chiow. Also, look for vendors with the highest-possible security certifications and practices, namely the SANS “Critical Security Controls” and SSAE16 SOC 3.
3. Use dedicated computing resources to access the bank. Accessing online accounts from various computers increases the surface area for some kind of exploit to compromise the banking session. Browsers are hard to secure as users mix business and personal tasks at work and traditional antivirus products are not adept at identifying and thwarting the new class of exploits. But there are new technology solutions that run a dedicated browser within a secure sandbox to keep it separate from the rest of the machine. Some live on the user’s computer, but others run in the cloud and can be accessed from any device.
4. Control access to your sensitive data. Small companies, especially startups, tend to have an “open door” policy with respect to employees’ use of their information systems, says Estey. Yet there’s no reason why anyone other than the CFO/controller and the CEO needs access to a company’s online financial accounts. Don’t allow sharing of credentials (i.e., passwords), and keep employees educated about the latest hacking techniques and safe computing practices. Shared accounts for administrators are particularly problematic, because administrators have broad access to systems and networks. Consider granting such “privileged” users context-driven or time-limited use, and instill rigid monitoring practices for privileged accounts. At one company that suffered a major financial breach involving the theft of $1.2 million, the CEO now requires that all outbound bank transactions have verbal clearance from an authorized company executive.
5. Purchase insurance. Some insurance carriers offer network security or privacy loss policies, which can help cover the loss as well as related expenses such as notification costs, forensic research to investigate the incident, legal costs, and crisis management/PR costs, says Estey. Newer crime insurance policy endorsements can also cover digital theft and fraudulent transfers, and can reimburse the company for all or part of any financial loss from a cyber theft incident. Such policies are becoming more popular, and are not prohibitively expensive for small businesses, says Estey. The insurance carrier might require a company to deploy particular technologies and processes to qualify. For many companies, the cost of insurance will be more than offset by the loss it covers if cyber criminals are able to siphon hundreds of thousands of dollars from your accounts. As more entities, including banks, insure against cyber risks, uninsured SMBs may be exposed to “subrogation” claims, in which insurers seek to recover costs from third parties whose actions contributed to the loss, Chiow says.
6. Develop a response plan. Every state has different laws regarding what companies are required to do in the event of a data breach, loss or privacy violation, says Chiow. For instance, you may have to notify customers within 24 hours of discovering a breach. Get your lawyers, insurance reps, IT contractors, business executives and PR people together to fashion a plan ahead of time, because speed is essential after an attack.
The burden is yours
Suffice it to say, the burden is largely on small business owners today to protect their companies from attack and utter destruction by cyber criminals. A prevention program that includes regularly educating employees, instilling sound data access and control policies, and deploying the best technology available (including insurance) is the best way to avoid incidents and minimize loss. Even if a bank agrees to reimburse your business for some of the loss, it can take years to see a check, says Chiow. For some companies, that will be too late.