Companies face two threat origins: internal and external. Internal origins can be disgruntled employees, foreign nationals, or competitor espionage. Whether you are the CFO of a company or its payroll clerk, you’re targeted externally by junk mail, cold calls, and anything else designed to extract a dime from behind the corporate veil. What most accountants and business owners don’t typically think about is that they are also highly targeted by cyber criminals, who know there is a very high chance these people hold the virtual keys to the corporate bank accounts.
Two of the most common attack vectors are email and web browsing. The emails, which can appear to be bank correspondence, typically ask for your password. More difficult to protect against are clickjacking and search poisoning, where a compromised website directly downloads and silently installs malware on your computer (think of those fake antivirus popups we’ve all seen). While your PC appears to be acting normally, it is now key-logging your bank account usernames and passwords while redirecting you to a fake maintenance page. Have a two-factor login process, such as an RSA key fob? No problem! That same malware relays the one-time code to a remote criminal, who logs in to your account while it is still valid. You may not notice that a breach has occurred, but that same criminal now has your check images, complete with routing number, account number, check stock, and signatures. Next, you “check in” at lunch using a geolocation app on your phone and post it to Facebook. The criminal now knows you’re not in your office, which is probably a good time to turn that computer into a zombie and start processing some ACHs.
These cyber criminals also know that large companies typically have large IT security budgets and know-how. Therefore, it’s easier for them to focus on small businesses, which may not place such an importance on information security… or have the budget for it. Smaller companies typically have proportionately fewer people wearing more hats, so dedicated risk and cash management isn’t always feasible. The payout may be smaller, but the security countermeasures on the company side are typically easier to bypass. Financial security for business accounts has two stakeholders: the bank and you. The bank may offer positive pay services, RSA authentication, or secure connections via the https protocol. However, if a breach occurs due to malware on your workstation, who is responsible for the financial loss? More people have cell phones than have electricity or safe drinking water, and an increasing amount of theft originates from smart phones. Once the criminals transfer funds out of your account, they power off their device, and how will anyone triangulate the thief’s location and catch them?
External risk mitigation can be fast, effective, and relatively low cost for smaller companies, and larger firms can benefit from these strategies as well. Use a dedicated PC for banking (and/or payroll) with no email or Internet access except to your financial institution. Require dual control for ACH/wire release (the person initiating an ACH batch should not be the same person approving the batch), and initiate and approve on different PCs. Ensure all OS and software patches are up to date, including antivirus software. Limit administrative rights on your PCs – not everyone should have free rein to install untrusted software. Assume your network is already infiltrated with rogue malware. Enable transactional emails or SMS messages from your bank, for example for any transaction over a dollar amount that would be material for your company. Enable behavioral or anomaly detection for abnormal trends in your banking patterns. Some banks offer exception reporting, helping you identify transactions that are not typically standard for your organization. Reconcile your bank transactions daily; it may be painful at first, but it becomes routine and can stop a small problem from becoming a large one. Smaller transactions fly under the radar (yours or the bank’s) a lot more easily than large transactions. Develop an incident response plan: if your business account has been compromised, who do you contact? Compile a list of numbers to call for your IT department, bank, FBI, or other parties.
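The dual-control, threshold-alert, and anomaly checks described above, as an added illustration written for this post rather than any bank's or the author's own system. The usernames, workstation names, batch history, and the 10,000 alert threshold are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed: the dollar amount this company treats as material.
ALERT_THRESHOLD = 10_000.00


@dataclass
class AchBatch:
    batch_id: str
    amount: float
    initiated_by: str     # user who created the batch
    initiated_from: str   # workstation it was created on
    approved_by: str      # user who released the batch
    approved_from: str    # workstation it was released from


def dual_control_violations(batch):
    """Return the dual-control rules this batch breaks (empty list if none)."""
    problems = []
    if batch.initiated_by == batch.approved_by:
        problems.append("same person initiated and approved the batch")
    if batch.initiated_from == batch.approved_from:
        problems.append("batch initiated and approved from the same workstation")
    return problems


def is_amount_anomalous(amount, history, z=3.0):
    """Flag an amount more than z standard deviations above the historical mean."""
    if len(history) < 2:
        return False          # not enough history to judge
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount != mu   # history is constant; anything else is new
    return (amount - mu) / sigma > z


def review_batch(batch, history, threshold=ALERT_THRESHOLD):
    """Collect every finding a reviewer should see before release."""
    findings = dual_control_violations(batch)
    if batch.amount >= threshold:
        findings.append(f"amount {batch.amount:,.2f} is at or above the alert threshold")
    if is_amount_anomalous(batch.amount, history):
        findings.append("amount is an outlier against recent batch history")
    return findings


# Constructed sample data: six normal payroll batches and three new ones to review.
HISTORY = [1200.0, 1350.0, 1180.0, 1410.0, 1275.0, 1320.0]
CLEAN = AchBatch("B-101", 1300.0, "aclerk", "FIN-PC-01", "controller", "FIN-PC-02")
UNDER_RADAR = AchBatch("B-102", 1700.0, "aclerk", "FIN-PC-01", "controller", "FIN-PC-02")
SUSPECT = AchBatch("B-103", 12500.0, "pclerk", "FIN-PC-01", "pclerk", "FIN-PC-01")
```

Run `review_batch(SUSPECT, HISTORY)` to see all four findings at once; the B-102 case shows why anomaly detection matters, since it stays under the dollar threshold yet is flagged as an outlier.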
If you can think of some of the scenarios above, these criminals have already thought of them – or done them. While this post isn’t meant to scare you, greater risk management of financial assets needs to occur regardless of company size. If your company uses online access for its bank accounts, there can’t be any “it won’t happen to me”-type thinking.
The next post in risk mitigation will focus on internal finance department threats.
Aaron Solar is a Senior Technical Consultant for Aronson Systems, and has served as VP of Technology for the Armed Forces Communications & Electronics Association (AFCEA), Central Maryland chapter, for three years.