Most small to medium businesses don’t know that if a key-logger gets onto a computer that accesses the businesses checking account, the attacker can withdraw funds, and the business is out the money! Gone, see ya, have a nice day.
The banks DO NOT insure against this type of loss. Malware phishing attacks on businesses are up dramatically. While many publications will mention this fact, you won’t hear about the losses that are hitting local businesses. While privacy laws may require a business to notify its customers of a database breach, a checking account that gets robbed in cyberspace, does not necessarily fall into the notification category. After all it is the cash of the business, not necessarily directly associated with customers. So the local business gets robbed and no one knows. This is a huge issue for the FBI which is hamstrung to deal with the issue because the money moves offshore without a trace (increments of less than $10,000 not reported). Malware that is plaguing business such as Zeus and other key loggers, are among the leading culprits and are even more prevalent in 2011 according to Bank Information Security, a publication that is proactive on this topic in the banking community. http://www.bankinfosecurity.com/articles.php?art_id=3228
If you assume that the credit card protection policies apply to your business checking account, they do not. This problem is ugly for the banks, because the money is withdrawn from them, but with your credentials captured by the key-logger, so they are avoiding the liability. This may change, but so far has not. The brand name security companies that offer you so-called “endpoint protection,” will not want to engage on this one either.
So what do you do?
1. Mind the cookie jar, because no one else is doing it. Protect the computers that access the checking account. After all, besides protecting your customers’ privacy, don’t you care more about the cash in your bank account for payroll and being solvent? There are a variety of new techniques such as application whitelisting, two factor authentication, and using a dedicated computer that ONLY accesses the bank checking account (although that can be impractical from the entrepreneur on the run with a laptop).
2. Ask your bank and IT service provider about this. They handle multiple businesses and have a substantial incentive to help you.
3. Insist that your endpoint protection vendor deal with the problem. Symantec and McAfee are making billions on your annual subscription payments, but somehow are not providing protection from these threats. We hear that from you consistently. You are required to used them for PCI DSS and other standards. They must be laughing all the way to their bank. Use the power of the internet and online communities. Let them know you are dissatisfied.
While many businesses have spent the past few years getting compliant, overall we have lost ground in keeping up with the new level of malware and security threats. At Savant Protection we focus on helping small to medium businesses, banks, credit unions, and managed service providers deal with the problem. Our approach has been adopted by some of the largest companies in the world, and we are making it available to SMBs and MSPs.
Filed under: Security
