Online Banking for SMBs: Like Playing Russian Roulette
June 8, 2012
- Before enabling online banking for payroll or other payments, SMB IT personnel should carefully review the bank’s security procedures and understand what guarantees the bank offers for securing funds against cyber losses.
- SMB IT managers should take special pains to educate the payroll manager on the risks and safe online behavior, and encourage hyper-vigilance in conducting company business online. If possible, a system should be dedicated to online banking, and blocked from accessing any other web sites or email.
Past studies have indicated that small and medium-sized businesses (SMBs) and non-profits are a target for cyber criminals because they don’t have the same level of protection that larger companies do. That is especially true for small and medium-sized banks, because they don’t have the same sophisticated online banking cyber-fraud controls that large banks have. That could be why the SMB/non-profit market has become so attractive to security vendors such as McAfee, which in the last year has made a concerted push to improve its presence and offerings for that market segment. In fact, security for SMBs is pegged to be about a $5.1 billion opportunity.
Besides that bull’s eye they’re sporting on their backs, there’s another reason for SMBs and non-profits to be hyper-vigilant about protecting their finances: should cyber thieves manage to gain access to their online bank accounts and steal their money, the account holders are legally held responsible for the loss – not the bank.
A Tennessee construction company found that out the hard way, according to security blogger Brian Krebs. Cyber thieves using the widely available Zeus Trojan toolkit managed to steal an employee’s user credentials as the user logged on to the firm’s online banking site, redirect the employee to a fake web page that claimed the bank’s site was under maintenance, and hijack the employee’s online banking session to put through multiple fake payroll payments to a series of money mules. For some unknown reason, the bank failed to call the company for approval before it processed the automated clearing house payments, even though it had done so on a regular basis before the breach. Despite that lapse on the part of the bank, the construction company was left holding the bag.
Online banking is a great time saver for accounting folks, and banks make it very easy and tempting to use it in place of more traditional banking activities. There’s a good reason for that: it reduces the bank’s operating overhead, making its operations more profitable. And since banks are not on the hook for cyber losses related to their business customers, it’s a win/win for them (which is not the case for individual online banking users, who are for the most part protected by law against cyber losses). There are very few, if any, banks that insure commercial accounts against cyber losses.