With the diversity of security attacks globally, it is becoming increasingly difficult and complex for small and midsize businesses (SMBs) to assemble the right in-house resources to protect themselves against cyberthreats, whether it's a data breach through the network, data leakage by employees, or lost laptops or mobile devices.
We have seen an uptick in the number of court cases in which SMBs have had six-figure amounts stolen from their bank accounts by cyberthieves. The liability for these breaches is shifting to CIOs and IT managers, as SMBs are accused of not taking the appropriate precautions to protect their data.
The need for comprehensive information security is more pressing now than ever before.
According to estimates, cybercrooks are stealing as much as $1 billion a year from SMBs in the United States and Europe.
One startling example of the effects of increased security liability for SMBs is a small, family-owned construction company in Maine, Patco Construction Co. Patco was the victim of a cybercrime that cost the company a half-million dollars in 2009. While the bank was able to recover about $150,000, the company sued the bank for the remaining $350,000.
In May 2011, the court ruled in favor of the bank, saying that it followed Federal Financial Institutions Examination Council (FFIEC) guidelines set in 2005 for multifactor authentication for online banking, leaving Patco unable to recover the hundreds of thousands of dollars lost.
Another example is the California demolition firm Ferma. During the summer of 2009, an employee clicked on a link and was led to a malicious website run by online criminals who used the compromised computer to steal nearly $500,000 from their bank. Ferma was able to recover approximately 60 percent of the lost money. However, according to the company's president, the bank refused to repay the remainder and withheld at least $50,000 in additional funds until Ferma agreed to sign a document saying it would not sue the bank for the remaining losses.
A single financial attack could put a smaller organization out of business or irrevocably cut into annual profits for a medium-size business. The implications of a financial breach can be a matter of life or death for SMBs.
Here are eight simple steps to help SMBs protect financial data and minimize risk:
- Use a dedicated computer for financial matters, such as online banking and bill-pay. That computer should not be used for extraneous activities, such as sending and receiving emails or surfing the web. Web exploits and malicious email are two key infection vectors for malware.
- Avoid clicking on links or opening attachments within emails from untrusted sources. Even if you recognize the sender, if an attachment is unexpected or looks suspicious, you should confirm that the sender actually sent that specific email before clicking on any links or opening any attachments.
- Reconcile your banking statements on a regular basis to immediately identify abnormal transactions that may indicate account takeover.
- Advise your employees against visiting small, hosted websites that feature community forums for hobbies involving sports, computer games, etc. These forums are often hosted by internet service providers that are not diligent about security.
- If you are visiting a website and are not sure if it has been secured from viruses, observe the quality of the site. Watch out if it appears to be quickly put together and is not sophisticated, or has a disclaimer that warns visitors to browse at their own risk or that the authors are not liable for any information on the site.
- Make sure you have your security protections in place throughout the organization and install regular updates for your applications and for your computers' operating systems.
- Be cautious about installing software (especially software that seems too good to be true – e.g. download accelerators, spyware removal tools, etc.) and be cautious of pop-ups from websites asking users to download, execute, or otherwise run privileged operations. Often this free software and these pop-ups contain embedded malware.
- Do your homework before selecting an anti-virus vendor, ensuring that they not only provide coverage for the key threats but also respond quickly with protections when new ones are introduced. Invest in a product instead of using “trial versions” as your source of protection. Trial versions of anti-virus offerings are good for testing but they do not receive updates, so any new virus that is introduced after the trial was released will have total access to your PC.
The bottom line: It's much more expensive to deal with the consequences of a financial breach than it is to prevent one. Don't wait until the last minute to find out just how essential security is; start putting your precautions into place before it's too late.