Data breaches and cyber security issues are always on my mind (note that I don’t sleep that well sometimes). So when I saw an article in the New York Times entitled “Hackers Lurking in Vents and Soda Machines” it caught my eye. The article begins with a story about how a company was breached because hackers infected the online menu of a nearby restaurant frequented by its employees. Unbeknownst to them, when they clicked on the menu, malware was installed on their workstation that gave the attackers access to the company network. As you can see, attacks on your cyber security are getting more creative.
Over the last year, I have witnessed a significant increase in the number of fraud attempts against our clients. Cyber criminals are increasingly shifting from targeting banks to targeting bank clients. In addition, businesses are relying more and more on third parties and third party software to manage everything from their HVAC systems to payroll. This shift has made businesses of all size especially vulnerable. Today, I want to share some proven best practices when it comes to managing your account, your transactions, your network, and most importantly – your employees.
How can a cyber-attack happen?
Businesses usually become compromised through a "phishing" attack. This attack might be disguised in a fraudulent email that appears to be a credible communication or it might be embedded in a website. When links or attachments in an email or on a website are opened, malware may be installed on the user's computer. This malware may record keystrokes, capture otherwise secure information, and allow the attacker access to the network. In another type of scheme, the attacker intercepts email communication or “spoofs” employee email addresses, making it appear that an email is being sent legitimately from a co-worker or vendor. In this case, the attackers then use this compromised communication to instruct the employee to wire or transfer money.
To put it in plainly, systems usually become compromised because of something someone does (i.e. employee clicks on an attachment from an unknown source) or something that someone doesn’t do (i.e. failing to set a strong password or failure to patch operating systems and ancillary applications such as Adobe and Java). Having the best firewall on the market isn’t enough to protect you. Every business needs well informed employees that can understand and identify various threats. Furthermore, it’s equally important they recognize how certain actions or inaction can put the company in a comprised position.
What can you do to prevent a cyber-attack?
Employee Practices and Policies
- Train and educate employees on an on-going basis.
- Create strong policies around password requirements (length, complexity, and expiration), use of email, and internet usage. Prohibit shared ID’s and passwords.
- Require employees to review and sign an acceptable use statement that outlines your security policies and hold them accountable to these policies.
- Limit administrative rights for your employees so they are unable to download malware or viruses embedded in seemingly harmless applications.
- Assign access to data based on each employees need.
- Deploy strong network security including a dedicated and actively managed firewall, anti-virus solutions, anti-malware solutions, and intrusion detection / prevention systems.
- Install operating system and ancillary application patches on a regular basis.
- Seal off sensitive data on the network from third party systems.
- Use encryption solutions as appropriate (email, laptops, thumb drives, cell phones).
- Test and validate the effectiveness of controls.
Online Banking Practices
- Use online banking to frequently review account activity.
- Require the use of dual-control for ACH and wire transfer origination.
- Utilize an out of band authentication method to confirm transfer requests (i.e. if a vendor sends you an email including wire instructions, call the vendor back on the phone to confirm the instructions).
- Verify that all online banking sessions are secure.
- Avoid using Automatic Log-In features.
- Do not access online banking from a public computer.
- Utilize other cash management services that add additional protection - ex. Positive pay and ACH filter.
- Promptly report suspicious performance (workstation or the web site).
Venture Bank values your business and is dedicated to helping safeguard the financial assets you've entrusted us with. If you have any additional questions or concerns, please don't hesitate to contact me directly.
SVP & CIO