Overview of cyber risks and online threats to small and medium businesses. The document outlines the leading threats and the importance of education across three cyber risk areas: business identity theft, data breach and business disruption, and funds theft/eCrime.
Presentation created by EFTGuard - offering anti-malware desktop security, cyber education and fraud loss protection against corporate account takeover. Check us out at www.eftguard.com or follow us on Twitter @EFTGuard.
A copy of the white paper can be downloaded at www.eftguard.com.
2. Key Actions for Every Small to Mid-sized Business
1. Understand the Threat
2. Assess Your Cyber Risk
3. Protect Your Business
3. Did You Know…
• Nearly 75% of surveyed U.S. businesses experienced online bank fraud in 2011.1
• Approximately 72% of the data breaches investigated in 2011 were at small businesses.2
• 7 in 10 businesses were not fully reimbursed by their Banks for fraud losses.1
• Median loss for a small business ($200,000) is 37% higher than a large company.3
Sources: 1) Guardian Analytics/ Ponemon- 2012 Business Banking Trust Study, 2) Verizon 2012 Data Breach Investigations Report, 3) ACFE, 2008
4. Major Threats
[Diagram: US Businesses by tier – Corporates (Big IT; Secure); SMEs (~10MM businesses); SMBs (~10MM businesses) – Target Rich for Cyber Attackers; Micro-Businesses (~20MM businesses) – Less to Protect]
EDP* threat types shown across the tiers: Cyber Crime, Identity Theft, Data Breach
What attackers do:
• Steal Customer Data
• Use a Company’s Identity
• Steal a Company’s Cash
• Attack a Company’s Computers, Networks, and Applications
27.5MM Total Businesses in the US (Source SBA)
4.9MM Businesses with 1 to 50 employees
• 3.9MM 1 to 9 employees
• 1.0MM 10 to 50 employees
* EDP = Electronic Data Processing
5. Major Impacts
[Diagram: business tiers – Corporates; SMEs (~10MM businesses); SMBs (~10MM businesses); Micro-Businesses (~20MM businesses)]
Risk Impact – Caused by:
• Reputation Damage – Mandatory Customer Notification
• Fines up to $MM – Data Breach Violations
• Operational Expense – Providing Free Credit Monitoring
• Fraud Losses up to $MM – Bank Account Takeover
• Trade Secrets – Stolen IP
• Business Disruption – DDOS, Network and Application Attacks
6. SMBs are Online
The Internet is indispensable to small and medium businesses
– Two thirds (66%) of small and medium businesses say that their business is dependent on the Internet for its day-to-day operations
– 38% characterize it as very dependent
– 67% say they have become more dependent on the Internet in the last 12 months1
Businesses rely heavily on online banking
– Nearly 90% of SMBs now bank online2
– 51% of businesses transfer funds online
– 54% have used mobile banking services
– 20% conduct all of their banking transactions online3
Businesses have vital information to protect
– 69% handle sensitive information, including customer data
– 49% have financial records and reports
– 23% have their own intellectual property
– 18% handle intellectual property belonging to others outside of the company4
Sources: 1) National Cyber Security Alliance/Symantec, 2) Sophos 2012 Network Security Survey, 3) Guardian Analytics/ Ponemon- 2012 Business Banking Trust Study, 4) NCSA, Cisco Small Business Survey, 2012
7. Cyber Threats are Growing
• 56,859 – number of unique phishing web sites identified in February 2012 – an all time high1
• 100,000 daily malware samples identified – total unique malware samples now exceeds 90 million3
• 9,000 malicious web sites are identified every day in the U.S. alone2
• 23% increase in new types of malware in the latest quarter - the fastest growth rate in four years3
• 35.5% – average share of infected PCs across the globe1
• 60% of the websites that serve up malicious code are actually legitimate, compromised sites3
• $1,000 is the cost of an attack toolkit that can check browsers for as many as two dozen vulnerabilities
Sources: 1) APWG, Phishing Activity Trends Report Q1 2012, 2) McAfee, Threat Report 2012, 3) Symantec Norton Safe Web service, 2012
8. SMBs: Target of Choice
“Cybercriminals are looking for low-hanging fruit. Their targets
are companies with poor defenses, a lack of security skills,
and vulnerable end users.”
Tim Wilson, InformationWeek, Sept 2012
Nearly two-thirds of midmarket business companies now cite cybercrime as the greatest threat to their company.1
Source: 1) InformationWeek SMB, Symantec 2012
9. Why are SMBs at Greater Risk?
High reward, low risk target for cybercriminals.
• Willie Sutton – criminals go “where the money is”
• Median loss for a small business ($200,000) is 37% higher than a large company1
Fewer resources focused on security and protection.
• No dedicated security staff or audit departments
• Lack hotlines and reporting systems
• Few internal controls and little employee training
• Limit protection to standard services such as AV software and firewall, vs. more sophisticated tools
Higher risk activities and technology profile.
• Remote work teams and open BYOD policies
• Lack defined security and usage policies
• Heavy reliance on third-party services for web site hosting, email, and point of sale systems
General disbelief and false sense of security.
• “We’re too small to be at risk”
• “No one here would steal from me”
• “Indifference is the biggest threat small businesses face.” - CEO, Thrive Networks
Source: 1) Association of Certified Fraud Examiners, 2008
10. Small Businesses Have Riskier Behavior
No formal protection plans
• 52% have a plan or strategic approach in place for keeping their business cyber secure3
• 50% of small business owners have employees review and adhere to online security policies3
• 63% do not have policies regarding how their employees use social media2
• 60% say they have a privacy policy in place that their employees must comply with when they handle customer information2
• 45% of surveyed small business owners say they do not provide Internet safety training to their employees2
• 50% – only half say that all of their machines are completely wiped of data before disposal2
Weak or missing controls
• 40% of managers worry about BYOD and mobile connectivity to their networks; 93% of SMBs have remote workers1
• 67% allow USB devices in the workplace2
• 80% of small companies are not confident that their wireless networks are secure1
• 50% update software every year; majority of attack kits focus on patched vulnerabilities1
• 59% say they do not require any multi-factor authentication for access to any of their networks2
Sources: 1) SophosLabs 2012 Network Security Survey, 2) StaySafeOnline.org- NCSA/ Symantec Research on Small Business, 2012, 3) InformationWeek, IT Pro Ranking Survey, 2012, 4) ACFE, 2008
11. 10 Cyber Threats SMBs Can’t Ignore
InformationWeek SMB Sept 2012:
Ten of the most serious dangers to SMBs:
1. Bank Account Takeover – Cyber Crime
2. Website Takeover
3. Employee-Generated Data Leaks
4. Sneak Attacks Through Service Providers
5. Targeted Attacks
6. Unpatched Software
7. Websites as Malware Hubs
8. Forgotten Systems
9. Mobile and Wireless Devices
10. Reputation Damage
12. Anatomy of a Bank Account Takeover
Source: FBI, IC3, FSIAC - Fraud Advisory for Businesses: Corporate Account Take Over, Oct 2010
13. When Bank Account Takeover Happens…
Your business account is not government protected.
• Businesses who bank online are not protected by Regulation E
• Reg E obligates banks to reimburse consumers for online fraud losses
• UCC 4a limits Bank liability with commercially reasonable security
Banks are not liable for your online losses.
• Banking online deposit agreements exclude protection for business customers
• Approximately 70% of businesses that suffer online fraud losses were not fully reimbursed by their financial institution1
Standard business insurance policies are often insufficient or exclude account takeover fraud losses.
• Basic Liability and Umbrella insurance policies are limited to legal expenses and wages from lost work
• These policies do not cover online fraud losses
Source: 1) Guardian Analytics/ Ponemon-2012 Business Banking Trust Study
14. SMB Burden of Liability for Bank Account Takeover Losses
Banks are slow to identify and prevent fraudulent transactions… and rarely fully reimburse business customers for unrecovered, stolen funds.
[Chart: How SMBs Learn about Fraud – share of ACH-related fraud, wire transfer fraud and mobile banking fraud first reported by a merchant, vendor or supplier, by a letter from the Bank, or by a call from the Bank]
Both Bank notification methods are too slow for the Bank to fully recover funds.
[Chart: Bank Response after a Fraud Loss – share of ACH-related fraud, wire transfer fraud and mobile banking fraud receiving No Compensation, Partial Compensation or Full Compensation]
7 in 10 businesses that suffered fraud losses were not fully reimbursed by their Banks.
Source: Guardian Analytics/ Ponemon- 2012 Business Banking Trust Study
15. Bank OLB Business Agreements – Check the Fine Print
Bank Example:
VI. TERMS AND CONDITIONS
A. GENERAL ONLINE SERVICES TERMS AND CONDITIONS FOR ALL CUSTOMERS
8. Password and Security/Your Liability for Unauthorized Transactions/Errors and Questions
If you permit other persons to use Online Banking Services or your PIN/Password/User ID… you are responsible for any transactions they authorize.
For Consumers Only: For more information on your rights and obligations concerning unauthorized or erroneous Transactions, please refer to PNC's Consumer Electronic Funds Transfer Disclosure Statement ("EFT Statement"),
F. TERMS AND CONDITIONS FOR TRANSFER FUNDS SERVICE (Consumer and Business Accounts)
2.b. Your Liability for Unauthorized Transfers/Errors and Questions
For Consumer deposit accounts, PNC Bank's Consumer Electronic Funds Transfer Disclosure Statement details your rights and obligations when an unauthorized transaction has occurred.
Explicit Business Exceptions:
2.h.i. Additional Transfer Service Provisions for Business Customers
We shall only be liable for our own negligence or misconduct and shall not be responsible for any loss or damage arising from… any transfer resulting from circumstances beyond our reasonable control…
Communication of Business Liability:
2.ii In no event shall we be liable for any consequential, incidental, special or indirect losses, damages, or expenses which the Business Customer incurs or suffers… whether or not the likelihood of such losses or damages was known by us.
16. Bank Account Takeover: Fraud Loss Impact
Recent SMB Losses:
• Genlabs – $437,000
• Ferma Corp. – $447,000
• Patco Construction – $588,000
• Village View Escrow – $465,000
• Family Smile Zone – $205,000
• Lifestyle Forms & Displays – $1,200,000
• DKG Enterprises – $100,000
• Golden State Bridge – $125,000
• Sign Designs – $99,000
• McFadden Law – $250,000
• Eskola – $130,000
17. Key Actions for Every Small to Mid-sized Business
1. Understand the Threat
2. Assess Your Cyber Risk
3. Protect Your Business
18. Assessing Your Cyber Risks
Seven Questions for Every Business Owner:
1. Do you or your employees use the Internet or social media for business purposes?
2. Do your employees use their own personal computers or mobile devices to access your company’s network or systems?
3. Do you or authorized employees use Online Banking to access your business bank accounts online?
4. Do you carry large business account balances, have high available credit, or use online transfer or payment functionality provided from your Bank?
5. Do you have company internal or financial information or other sensitive data linked to the Web in any way?
6. Do you collect, store and use your customer’s personal information?
7. Do you rely on third-party providers to manage your company’s Web site, corporate email, network or other back-office systems?
19. Assessing Your Cyber Risks
Business Activities mapped to Potential Cyber Risks (Business Identity Theft; Data Breach & Business Disruption; Funds Theft & eCrime):
1. Employees active on the Web and use social media √
2. Employees use their own PCs and mobile devices on your network √ √
3. Business uses Online Banking to access business accounts √
4. Business has high cash balance, credit, or uses higher risk functions √
5. Business provides access to sensitive info via the internet √ √
6. Business collects, stores and uses customer’s personal info √
7. Relies on third-party providers to manage your web site, email,… √
20. Key Actions for Every Small to Mid-sized Business
1. Understand the Threat
2. Assess Your Cyber Risk
3. Protect Your Business
21. Protect Your Business
Risk areas: Business Identity Theft | Data Breach and Business Disruption | Funds Theft & eCrime
Business Owner: Be Safe and Secure When Online | Protect Your Desktop and Mobile Devices | Understand and Use Your Bank’s Security
Your Employees: Focus on Employee Security and Safety | Define Data Policies & Controls | Establish Internal Company Controls
Your Business & Facilities: Proactively Monitor for Cyber Risks | Protect your Environment | Understand & Protect Against Financial Loss
22. SMB Cyber Protection Plan: Business Owner Checklist
Business Identity Theft – Be Safe and Secure When Online
Use available Web browser security and privacy features
• Learn how to tell - Is the site safe?
• Use “Do Not Track” features
• Use a hardened browser
Beware of Web 2.0 and social networking vulnerabilities
• Sharing information
• Reputational risks
• Malware risks
Learn how to recognize targeted phishing emails
Learn how to avoid spyware and malware
• Suspicious sites
• Downloads and attachments
Data Breach & Business Disruption – Protect Your Desktop and Mobile Devices
Monitor and update AV, Anti-Spyware and firewall software
Create a Personal PC and Mobile Device policy for your business
• Require use of lock codes
• Encryption for work data
• Ban unauthorized plug-ins
• Employee agreement authorizing remote access to lost or stolen devices
Ban usage of public Wi-Fi for work related business
Adopt virtual private network (VPN), and secure websites (“https”) whenever possible. Most popular web apps, including Gmail, Twitter, and Facebook, offer such an option.
Funds Theft & eCrime – Understand and Use Your Bank’s Security
Use strong passwords.
• Know the ingredients of a strong password
• Don’t mix business & personal PWs
• Consider a password vault
Adopt available bank controls for login
• Desktop Anti-malware SW
• Out of Band protection
Use bank controls for higher risk payments and transfers
• Dual controls
• Positive Pay
Monitor your bank accounts and credit cards constantly for fraud. Enroll in free instant alerts to warn you about any unusual account activity.
23. SMB Cyber Protection Plan: Employee Checklist
Business Identity Theft – Focus on Employee Security and Safety
Train Your Employees in Proper Security Practices
• Understanding Phishing
• Social media risks
• Mobile and Public Wifi usage
Do background checks on new employees and contractors
Limit employee access to sensitive resources
Utilize security and employee monitoring systems
Create policies for sharing company information online
• Limit sharing of EIN, financial docs via email and web
• Use security certificates and secure email for sensitive communications
Data Breach & Business Disruption – Define Data Policies & Controls
Create a formal data protection plan
• Inventory of your sensitive data
• Step-by-step procedures for daily protection
• Contingency plan if you are a victim
Train your employees on risks and company procedures
Create procedures to protect physical company documents
• Known safe and secure locations
• Use a micro cut shredder
• Avoid sharing sensitive info unless you made first contact
Funds Theft & eCrime – Establish Internal Company Controls
Follow a “segregation of duties” policy for high risk areas
• Payments
• Purchasing
• Inventory
Implement a “dual controls policy” with your Bank to require two people for high risk transactions
Consider use of pre-paid business credit card for employees
Use a dedicated PC for Online Banking and other sensitive work
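Two of the Funds Theft & eCrime items above, the “segregation of duties” policy and the “dual controls policy” that requires two people for high risk transactions, can be enforced in software rather than left to habit. The following is an added example, not part of the EFTGuard deck and not any bank’s product: a small Python policy check that releases a payment at or above a threshold only when a second, different person in an approver role has signed it, and that refuses a configuration in which anyone holds both the initiator and approver roles. The role names, threshold and payments are constructed sample data.

```python
"""Dual-control and segregation-of-duties check for outgoing payments.

Added example, not from the EFTGuard deck. It models the checklist's
"dual controls" and "segregation of duties" items for payments: one set
of users may create payments, a disjoint set may approve them, and any
payment at or above a threshold is released only with a second, different
person's approval. Names, threshold and amounts are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: float                   # dollars
    payee: str
    initiator: str                  # user who created the payment
    approver: Optional[str] = None  # second user who signed off, if any


@dataclass(frozen=True)
class DualControlPolicy:
    threshold: float                # at or above this, two people are required
    initiators: FrozenSet[str]      # users allowed to create payments
    approvers: FrozenSet[str]       # users allowed to approve payments

    def __post_init__(self) -> None:
        # Segregation of duties: no user may hold both roles, otherwise one
        # compromised login could both create and approve a transfer.
        overlap = self.initiators & self.approvers
        if overlap:
            raise ValueError(f"users hold both roles: {sorted(overlap)}")


def evaluate(payment: Payment, policy: DualControlPolicy) -> Tuple[bool, str]:
    """Return (release, reason) for one payment under the policy."""
    if payment.initiator not in policy.initiators:
        return False, "initiator not authorised to create payments"
    if payment.amount < policy.threshold:
        # Below the threshold a single control is acceptable.
        return True, "below dual-control threshold"
    if payment.approver is None:
        return False, "dual control required: no approver"
    if payment.approver == payment.initiator:
        # Self-approval defeats the purpose of a second person.
        return False, "dual control required: approver must differ from initiator"
    if payment.approver not in policy.approvers:
        return False, "approver not authorised to approve payments"
    return True, "approved under dual control"


def release_batch(payments: Iterable[Payment],
                  policy: DualControlPolicy) -> Dict[str, Tuple[bool, str]]:
    """Evaluate a batch; returns {payment_id: (release, reason)}."""
    return {p.payment_id: evaluate(p, policy) for p in payments}


# Constructed sample policy and batch (hypothetical users and payees).
SAMPLE_POLICY = DualControlPolicy(
    threshold=5000.0,
    initiators=frozenset({"alice"}),
    approvers=frozenset({"bob", "carol"}),
)

SAMPLE_PAYMENTS = [
    Payment("P1", 1200.0, "Office Supply Co", "alice"),              # small, single control
    Payment("P2", 48000.0, "New Vendor LLC", "alice"),               # large, nobody approved
    Payment("P3", 48000.0, "New Vendor LLC", "alice", "bob"),        # large, approved by bob
    Payment("P4", 48000.0, "New Vendor LLC", "alice", "alice"),      # large, self-approved
    Payment("P5", 300.0, "Office Supply Co", "mallory"),             # unknown initiator
    Payment("P6", 5000.0, "Payroll Service", "alice", "carol"),      # exactly at threshold
]

if __name__ == "__main__":
    for pid, (ok, why) in release_batch(SAMPLE_PAYMENTS, SAMPLE_POLICY).items():
        print(f"{pid}: {'RELEASE' if ok else 'HOLD'} - {why}")
```

The threshold is deliberately a policy input: a business can set it at the level its bank applies dual approval to, and anything below it still leaves an audit trail of who created the payment.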
24. SMB Cyber Protection Plan: Business & Facilities Checklist
Business Identity Theft – Proactively Monitor for Cyber Risks
Regularly Google your business name for any clones.
For higher profile businesses, consider for-fee reputation and brand monitoring services.
Monitor business credit reports across the three major bureaus.
Invest in a Business Identity Theft and Credit Monitoring service.
Develop a plan to monitor and respond to cyber incidents:
• Spam
• Hacker attacks and viruses
• Spyware
• Online shopping fraud
Data Breach & Business Disruption – Protect your Environment
Write a security plan that defines security rules, guidelines, and goals for your business.
• Patching Policy
• Data Back-up
• System Maintenance
Actively manage your company passwords.
• Change default passwords
• Update on a scheduled basis
• Avoid set-up of “master users.”
Ensure your third-party or cloud members provide adequate security.
Use the available technologies to implement a cost effective layered security strategy.
Funds Theft & eCrime – Understand & Protect Against Financial Loss
Read and understand your Bank’s Deposit and OLB Agreements.
• Know your liability
• Understand your responsibilities
Understand your current business insurance coverage for cyber risks.
• Business identity theft
• Data breach & business disruption
• Funds Theft & eCrime
Secure additional protection to cover your financial exposure.
Know how to report suspicious activity and fraud.
• FBI and Local police
• FTC/ NCTA
• Your financial institution
25. Final Thoughts
Cyber attacks are no longer rare… Odds are, at least one of your computers is compromised
Cyber attacks have large negative consequences… Fines and fraud losses for some SMBs tally in the millions
In hindsight… solutions are inexpensive and self evident
26. About the Author
EFTGuard Protects Businesses from Account Takeover Fraud Losses:
Approved for use with Trusteer Rapport®, Wontok SafeCentral®, IronKey® and Webroot®
Security Education Content
Fraud Loss Protection up to $100,000 / account and up to $500,000 / customer
No underwriting and no deductibles, backed by AIG / Chartis
Peace of Mind for only $24.95 per month
Sign up in less than 5 minutes at www.eftguard.com
Contact EFTGuard directly at info@eftguard.com, or follow us on Twitter @EFTGuard