Small-medium business: You're basically on your own

August 15, 2012

Posted in: Network Security Trends

Online banking continues to rise steadily in popularity, but small and medium businesses aren’t learning the lessons. The good news is that fully a quarter of the banks are reimbursing the full amount of the fraud, according to a joint poll taken by the Ponemon Institute at the behest of anti-fraud vendor Guardian Analytics. So the scale is tipping slightly towards reimbursement. The bad news is that companies change little or nothing in their routine to prevent fraud.

The share of transfers executed online is just over half (51%), up from 45% a year ago. That being said, 44% think their computer is safe or very safe, and that hasn’t changed in the three years of the survey. They are generally quite wrong.

But only a quarter use a dedicated computer for online banking, virtually the same as the year before. This is somewhat shocking, given the level of banking fraud and case after case of companies that fall victim to online fraud. Consider this: three quarters of the respondents said they had experienced fraud at some point. More than half had some experience with fraud in the previous 12 months (10% just did not know!). So where’s the sense of urgency?

An effective and simple answer is a laptop that’s used only for banking transactions. No email, no browsing, no Facebook, no Twitter. Lock it in a safe or a drawer when it is not being used; let it see the light of day only for transactions. That’s pretty much the end of the problem. No phishing messages, no Zeus or other banking Trojans.

But the prevailing attitude still seems to favor convenience over security, with some improvement. While 43% did nothing in the wake of a fraud incident, that’s down by a tenth. But it’s still very high, and shows an attitude that lightning won’t strike twice. OK, and what if it does? Those that made changes opted in favor of firewalls with antimalware (a misguided response) or tightening their processes with dual controls. No movement on the one thing that can make a significant difference: dedicated laptops.

There was a direct connection between how the bank handled the fraud and the actions a company took in response, with a heavy percentage tilting in favor of transferring its primary functions away from the offending bank, or simply saying that’s not good enough and switching banks. The switches were in proportion to the bank’s ability to wash its hands of it, or, in some cases, make good the losses. But even with the make-good policy, banks still lost business. Good is not good enough, it seems.

Overall, banks were not able to stop transfers in time in a third of the cases. In 28%, they were able to catch on in time to recover some of the money.

Businesses need to be leery. Most banks still stick with the “commercially reasonable” card for as long as they can. There have been a couple of cases turning to favor the plaintiffs, but so far it’s a good defense. That pretty much leaves small and medium businesses on their own.
