Working smart: Keys to reducing cybercrime losses
There is a significant black-market trade in stolen data that allows criminals to exploit misappropriated bank details.
While it can be challenging to establish accurate statistics on cybercrime and the losses businesses suffer because of it, there’s no doubt that enormous sums of money are involved. We also know that cybercrime is on the rise. According to the 2019 annual report from the FBI’s Internet Crime Complaint Center (IC3), total recorded losses over the last five years were $10.2 billion, but $3.5 billion of that was stolen last year alone.
The IC3 figures tend to be conservative, and there’s no telling how many scams go unreported, either because they’re not uncovered or because the victim is too embarrassed. Cybercrime is complex, and there’s a roaring black-market trade in stolen data that enables criminals with different skill sets to exploit and monetize stolen bank details, account logins and other kinds of information.
Defenses can take many forms, from software and systems to security awareness training for staff to expert consultations. However, several strategies are frequently overlooked, particularly by mid-sized and small businesses: establishing security rules with banks and financial services and obtaining proper insurance against online fraud.
Working with your bank
You may assume that your bank has stringent security measures in place as a matter of course, but that could be a dangerous assumption to make. Many fraudulent funds transfers are unwittingly processed by banks every day, and it is incumbent on commercial customers to thoroughly check into any prospective bank’s standard security measures.
Here are some desirable features to look for:
- Multi-factor authentication — This should be a requirement to authorize all online funds transfers to new beneficiaries or for large sums. All good banks distribute security tokens for this purpose.
- Regular transfers review — Your bank should examine your normal funds transfer activity to establish a baseline so that any unusual activity, or transfers that exceed a certain value you have decided upon, always trigger a challenge.
- Confirmation procedures — With normal activity and a value limit set, your bank should confirm any large or unusual transfers before processing them, via phone, SMS or encrypted email.
- Specify IP addresses — You can register specific IP addresses with your bank that are authorized to order funds transfers. Any order from an address that is not registered should trigger a confirmation call before it is processed.
Ensuring that your bank has all these security protocols in place will help reduce the threat of fraudulent bank transfers going through successfully. Insist that your bank adheres to everything listed here or consider switching to another that does.
Further steps to protect company finances
The above list is a good start, but it should be considered the bare minimum. There are additional steps you can take to safeguard company funds to make theft more difficult.
- Consider setting up a separate user account on your system used solely for funds transfers. Even better, designate a single computer for funds transfers and nothing else.
- Ensure that you have comprehensive anti-malware software installed on any machine used for funds transfers. This should include antivirus, antispyware, a firewall, anti-rootkit protection and more, with continuous scanning scheduled.
- Consider establishing a regularly scheduled phone call to your bank listing funds transfers and amounts for the day. Choosing specific days and times and pre-authorizing with the bank by phone could prevent any fraudulent transfers.
- Draw up a list of recipients for funds transfers and set maximum amounts for each one, then share this list with your bank as a reference guide. Anything that doesn’t fall within the parameters on the list should trigger an investigation and require the bank to contact designated staff to get approvals.
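The checks described in the two lists above (registered IP addresses, a per-recipient maximum, a challenge threshold, and multi-factor authentication for new beneficiaries or large sums) can be written down as one screening rule. This is an added example, not part of the original article or any bank's system; the recipient names, network range and limits are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample policy: every name, network and limit here is illustrative.
REGISTERED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]
RECIPIENT_LIMITS = {"ACME-SUPPLY": 25_000, "PAYROLL-SVC": 80_000}
CHALLENGE_THRESHOLD = 50_000  # "certain value you have decided upon"


@dataclass
class Transfer:
    recipient: str
    amount: float
    source_ip: str
    mfa_passed: bool


def screen_transfer(t: Transfer) -> list[str]:
    """Return the reasons a transfer is held for confirmation (empty = release)."""
    reasons = []
    if t.amount <= 0:
        reasons.append("invalid_amount")
    try:
        addr = ipaddress.ip_address(t.source_ip)
        if not any(addr in net for net in REGISTERED_NETWORKS):
            reasons.append("unregistered_ip")
    except ValueError:
        reasons.append("unparseable_ip")  # fail closed on malformed input
    limit = RECIPIENT_LIMITS.get(t.recipient)
    if limit is None:
        reasons.append("new_beneficiary")  # not on the agreed recipient list
    elif t.amount > limit:
        reasons.append("over_recipient_limit")
    large = t.amount > CHALLENGE_THRESHOLD
    if large:
        reasons.append("over_challenge_threshold")
    # MFA is mandatory for new beneficiaries and for large sums.
    if (limit is None or large) and not t.mfa_passed:
        reasons.append("mfa_required")
    return reasons


if __name__ == "__main__":
    for tx in (Transfer("ACME-SUPPLY", 1_200, "203.0.113.5", False),
               Transfer("NEW-VENDOR", 500, "198.51.100.7", False)):
        print(tx.recipient, screen_transfer(tx) or "release")
```

Any non-empty result corresponds to the article's "trigger a challenge" outcome: the transfer waits until designated staff confirm it out of band.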
Now that we’ve run through some important measures to help prevent the loss of funds to cybercrime, let’s discuss what happens when fraud is successfully perpetrated against your company. No matter how good your defenses, there is always some risk that criminals will find a way around them.
Assessing fraud insurance
Because the potential impact of a successful attack on an organization is so devastating, large businesses almost always take out insurance policies. The perception that these policies are costly and possibly unnecessary is common enough that small- and mid-sized businesses often eschew them entirely. This is a mistake.
Cyber liability policies may not be as expensive as you think. At the very least, you should talk to some insurers about what benefits the right policy could offer and precisely how much fraud insurance would cost for your business. Good insurers will tailor policies for your specific circumstances and help tighten up your defenses and reduce your potential exposure.
Ultimately, successful fraud has the potential to close your business down for good, and that’s an unacceptable risk.
While there is still some complacency, forward-thinking banks and insurers are cognizant of the need for security measures and policies that protect small- and mid-sized businesses without prohibitive pricing.
Find the right partners, and you can minimize the risk of losses and reduce your potential exposure dramatically.
Stu Sjouwerman is the founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 30,000 customers and more than 20 million users. He is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”