Here’s a sobering thought for anyone who has a small business account: If your account gets hacked and thieves break in, you’re not going to get your money back.
Unlike consumers, small businesses are on their own. The FDIC does not insure small business bank accounts for cybertheft (although it does insure them for other types of theft up to $100,000).
That’s particularly bad news because cybertheft is on the rise. Tom Kellerman, vice president of security awareness for ethical hacking firm Core Security, says falsified wire transfers — the primary type of small business account hacking — are up 500 percent in the last two years.
The good news is there are some things you the IT decision-maker can do to lower the odds of a break-in. In particular:
- Limit the use of wireless. Kellerman says that wireless is a “very easy access point” for hackers. It is best not to use wireless at all, but if you need to, use equipment adhering to the IEEE 802.11i standard.
- Move away from passwords. Even the best passwords aren’t as secure as alternatives like tokens or biometrics. Tokens, which are physical objects like smart cards, are best paired with passwords to prevent fraud. Biometrics, using a fingerprint or voice, are unique to a particular user. (But of course, if you have a Trojan already lodged in your PC, such protection won’t offer any help.)
- Segregate your company’s banking data. Severely limit Web browsing on the PC that connects to your company’s bank account. Anton Chuvakin, principal of Security Warrior Consulting, takes this a step further and suggests that you have one PC on hand that just connects to your bank account and does nothing else. It’s worth it: The price of one PC (under $500) can completely protect your company from having its account hacked.
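One way to build the dedicated banking PC described above is to let it talk to the bank and nothing else. The following PowerShell is an added example, not from the article or the people quoted in it; the bank hostname is a placeholder, and it assumes a Windows 10/11 machine with the built-in NetSecurity and DnsClient modules, run from an elevated prompt.

```powershell
# Added example: egress allowlist for a single-purpose banking PC.
# Replace the placeholder with your bank's real login hostname(s).
$BankHosts = @('online.examplebank.invalid')

# Firewall rules are address-based, so resolve the hostnames up front.
$BankAddresses = foreach ($h in $BankHosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress
}

# The DNS resolvers the adapter already uses; keep them reachable so the
# bank's name still resolves after the default-deny below is in place.
$Resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique

# Default-deny all outbound traffic on every network profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Narrow holes: DNS to the known resolvers, HTTPS to the bank only.
New-NetFirewallRule -DisplayName 'Banking PC - DNS' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $Resolvers
New-NetFirewallRule -DisplayName 'Banking PC - Bank HTTPS' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $BankAddresses

# Show what is now permitted, so the change can be reviewed before logging off.
Get-NetFirewallRule -DisplayName 'Banking PC - *' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress
```

Bank sites often sit behind load balancers whose addresses change, so the resolve step should be rerun (for example, as a scheduled task) rather than treated as one-off; Windows Update and antivirus updates are also blocked by the default-deny and need their own allow rules or a separate update window.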
If Nothing Else, Be Smart
Security analysts say the best thing you can do is educate yourself and any other employees who might access the account on the dangers of phishing scams and Trojans. Since a Trojan causes mischief by lodging itself on your computer, the goal is to keep it from getting there in the first place. So remind users to be extremely cautious about opening any suspicious email, particularly if it’s sent over a social network.
Kellerman says that even fairly sophisticated users can be taken in by so-called “spear phishing” attacks, which mimic websites or email addresses of people with whom you do business. So a good way to minimize the risks of such attacks is to limit the number of people and PCs allowed to access banking information. IT’s reputation is on the line if data is stolen, so take control of access points. Says Kellerman: “There’s no point in administration privileges if you’re going to have it for a bunch of devices.”