CHICAGO — Quick. Easy. Efficient. Who doesn’t love online banking? Be aware, though, of the danger: Hackers can access your account, drain your funds and threaten the survival of your business.
The risk is growing. Cyber attacks increased some 24% in the first half of 2012 over the same period the previous year, according to a new report from security firm Symantec. Reason? “Any time the economy goes down, white collar crime goes up,” says Bill McDermott, CEO of Atlanta-based McDermott Financial Solutions. “We’re seeing an increase in corporate account takeovers. It’s a huge problem.”
Banks commonly refuse to indemnify companies for funds stolen from commercial accounts. “A lot of people have the misunderstanding that banks offer to business accounts the protection offered to consumers,” says McDermott. “In fact, banks will not hold business account holders harmless for losses from cyber-fraud.”
Security experts have long championed the virtues of strong passwords. A mix of letters and numbers is much safer than using an easily guessed word such as “qwerty” or even “password.” Too often, though, employees don’t get the message. They often complain about the difficulty of remembering complicated strings of characters.
Help is at hand. It’s not really necessary to commit passwords to memory. “There is a lot of good software to help you manage your passwords,” says Michael Spadaro, president of Help with a Smile, a New York City-based technology support firm serving small businesses. “One of my favorites is LastPass (lastpass.com). But you could also use something as simple as keeping your passwords in a notebook locked in your desk.”
Be careful how you distribute passwords to employees, adds Spadaro. Giving the same password to everyone has a downside: Every time an employee leaves the company, you have to change the password used by everyone who remains. “Many banks will allow multiple log-ins, so assign different passwords to different users,” he suggests. “Then you can disable a departing person’s password without disabling everyone’s.”
VET YOUR BANK
Businesses are not always to blame when cyberfraud hits. Sometimes, banks drop the ball. There is some motivation for financial institutions to maintain a minimal level of security: Good internal practices are encouraged by government agencies charged with overseeing bank activities. “The bright side of enforcement is that financial institutions are having to architect and deploy solutions that hopefully increase the security of customer accounts,” says Stephen Sims, senior instructor at Bethesda, Md.-based SANS Institute, a security training organization.
Even so, you will want to subject your own bank to some due diligence. “Perform risk assessments when evaluating potential banks,” suggests Sims. “Draft a list of questions with your biggest concerns and run them by each organization.”
How good are the bank’s Internet defenses? How do the bank’s practices, and the security features it offers business accounts, compare with those of other institutions? For example, does it offer a two-step validation, in which an ACH transfer must be approved by a second representative at your office? There are other forms of what is called “multifactor authentication,” in which the bank must receive a backup confirmation from your business, in the form of a voice phone call or e-mail, before honoring a wire transfer.
Sims suggests researching each prospective bank using publicly available tools such as Google, the Securities & Exchange Commission, Dun & Bradstreet, and others. “Analyze each bank’s stock performance if publicly traded,” he says. “Read through some of the comments in public message boards. Hint: Many of the posters are employees.”
Sims suggests visiting websites such as darkreading.com to see if there are any reports regarding incidents at your prospective bank. Use specially crafted Google searches to find breaches. For example, try using: intitle:“bank name” intext:hackers or breach.
Big bank, small bank: Which is better? Each has its benefits. While all financial institutions are required to abide by federal regulations, larger banks may have more security resources and experience. However, smaller banks may have fewer accounts to monitor and may give each one more attention.
Since no banks of any size indemnify business accounts, you may want to look into getting your own coverage. Ask your broker for information about fraud insurance that has a rider for fraudulent bank transfers.
WHEN HACKERS STRIKE
Suppose, despite your best efforts and smart practices, a hacker siphons money from your account. Can you get any back? While it’s highly unlikely that a victimized business will recover all of its stolen money, portions can often be saved. “Fraudulent transactions frequently are reversed, so most victims get some money back,” says Brian Krebs, a cyberfraud investigative reporter in suburban Washington, D.C.
The secret to recovering your cash? Act fast. “Time is your enemy,” he says. “The longer the time that elapses since a breach, the more money you are likely to lose.” Don’t wait until the last minute to figure out whom to call in the event of a money loss. Put together a list of vital financial and legal contacts and keep it handy.
Quick action on your part, though, must be matched by your financial institution. “You have to have a cooperative bank that pulls things together quickly,” says Krebs. Once your funds have been withdrawn as cash—often at overseas money transfer offices—they are gone for good.