Small and Medium Business Cyber Risk Overview for
Overview of cyber risks and online threats to small and medium businesses. Document outlines leading threats and importance of education across cyber risk areas spanning- business identity theft, data breach and business disruption, and funds theft/ eCrime.

Presentation created by EFTGuard, which offers anti-malware desktop security, cyber education and fraud loss protection against corporate account takeover. Check us out at www.eftguard.com or follow us on Twitter @EFTGuard.
A copy of the white paper can be downloaded at www.eftguard.com.

Presentation Transcript

    • Small and Medium Business Cyber Risk Overview
      Presented by:
      Copyright © 2012 EFTGuard, L.L.C. For Client & Prospective Clients Internal Use Only. EFTGuard and “Minimize Your Risk. Protect Your Money” are trademarks of EFTGuard, L.L.C. All other marks are the property of their respective owners.
    • Key Actions for Every Small to Mid-sized Business
      1. Understand the Threat
      2. Assess Your Cyber Risk
      3. Protect Your Business
    • Did You Know…
      – Approximately 72% of the data breaches investigated in 2011 were at small businesses.2
      – Nearly 75% of surveyed U.S. businesses experienced online bank fraud in 2011.1
      – 7 in 10 businesses were not fully reimbursed by their Banks for fraud losses.1
      – Median loss for a small business ($200,000) is 37% higher than for a large company.3
      Sources: 1) Guardian Analytics/Ponemon, 2012 Business Banking Trust Study; 2) Verizon 2012 Data Breach Investigations Report; 3) ACFE, 2008
    • Major Threats to US Businesses
      Three threat categories:
      – Cyber Identity Theft: use a company’s identity
      – Data Breach: steal a company’s customer data
      – Cyber Crime: steal a company’s cash; attack a company’s computers, networks, and applications
      Business segments (from the slide’s pyramid, largest organizations at the top):
      – Corporates: big IT, secure EDP*
      – SMEs (~10MM businesses) and SMBs (~10MM businesses): target rich for attackers
      – Micro-Businesses (~20MM businesses): less to protect
      27.5MM total businesses in the US (Source: SBA); 4.9MM businesses with 1 to 50 employees (3.9MM with 1 to 9 employees, 1.0MM with 10 to 50 employees)
      * EDP = Electronic Data Processing
    • Major Impacts
      Risk / Impact / Caused by:
      – Data Breach / Reputation damage / Mandatory customer notification
      – Data Breach / Fines up to $MM / Violations
      – Data Breach / Operational expense / Providing free credit monitoring
      – Fraud losses up to $MM / Bank account takeover
      – Trade secrets / Stolen IP
      – Business disruption / DDoS, network and application attacks
      (The slide repeats the Corporates / SMEs, SMBs / Micro-Businesses pyramid alongside this table.)
    • SMBs are Online
      The Internet is indispensable to small and medium businesses:
      – Two thirds (66%) of small and medium businesses say that their business is dependent on the Internet for its day-to-day operations
      – 38% characterize it as very dependent
      – 67% say they have become more dependent on the Internet in the last 12 months1
      Businesses rely heavily on online banking:
      – Nearly 90% of SMBs now bank online2
      – 51% of businesses transfer funds online
      – 54% have used mobile banking services
      – 20% conduct all of their banking transactions online3
      Businesses have vital information to protect:
      – 69% handle sensitive information, including customer data
      – 49% have financial records and reports
      – 23% have their own intellectual property
      – 18% handle intellectual property belonging to others outside of the company4
      Sources: 1) National Cyber Security Alliance/Symantec; 2) Sophos 2012 Network Security Survey; 3) Guardian Analytics/Ponemon, 2012 Business Banking Trust Study; 4) NCSA/Cisco Small Business Survey, 2012
    • Cyber Threats are Growing
      – 56,859 unique phishing web sites identified in February 2012, an all-time high1
      – 100,000 malware samples identified daily; total unique malware samples now exceed 90 million3
      – 9,000 malicious web sites identified every day in the U.S. alone2
      – 23% increase in new types of malware in the latest quarter, the fastest growth rate in four years3
      – 35.5% average rate of infected PCs across the globe1
      – 60% of the websites that serve up malicious code are legitimate, compromised sites3
      – $1,000 is the cost of an attack toolkit that can check browsers for as many as two dozen vulnerabilities
      Sources: 1) APWG, Phishing Activity Trends Report Q1 2012; 2) McAfee, Threat Report 2012; 3) Symantec Norton Safe Web service, 2012
    • SMBs: Target of Choice
      “Cybercriminals are looking for low-hanging fruit. Their targets are companies with poor defenses, a lack of security skills, and vulnerable end users.” – Tim Wilson, InformationWeek, Sept 2012
      Nearly two-thirds of midmarket companies now cite cybercrime as the greatest threat to their company.1
      Source: 1) InformationWeek SMB, Symantec 2012
    • Why are SMBs at Greater Risk?
      High reward, low risk target for cybercriminals:
      – Willie Sutton: criminals go “where the money is”
      – Median loss for a small business ($200,000) is 37% higher than for a large company1
      Fewer resources focused on security and protection:
      – No dedicated security staff or audit departments
      – Lack hotlines and reporting systems
      – Few internal controls and little employee training
      – Limit protection to standard services such as AV software and a firewall, rather than more sophisticated tools
      Higher risk activities and technology profile:
      – Remote work teams and open BYOD policies
      – Lack defined security and usage policies
      – Heavy reliance on third-party services for web site hosting, email, and point of sale systems
      General disbelief and false sense of security:
      – “We’re too small to be at risk”
      – “No one here would steal from me”
      – “Indifference is the biggest threat small businesses face.” – CEO, Thrive Networks
      Source: 1) Association of Certified Fraud Examiners, 2008
    • Small Businesses Have Riskier Behavior
      No formal protection plans:
      – 52% have a plan or strategic approach in place for keeping their business cyber secure3
      – 50% of small business owners have employees review and adhere to online security policies3
      – 63% do not have policies regarding how their employees use social media2
      – 60% say they have a privacy policy in place that their employees must comply with when they handle customer information2
      – 45% of surveyed small business owners say they do not provide Internet safety training to their employees2
      Weak or missing controls:
      – 40% of managers worry about BYOD and mobile connectivity to their networks; 93% of SMBs have remote workers1
      – 67% allow USB devices in the workplace2
      – 80% of small companies are not confident that their wireless networks are secure1
      – 50% update software only once a year; the majority of attack kits target vulnerabilities for which a patch already exists1
      – 59% say they do not require any multi-factor authentication for access to any of their networks2
      – Only half (50%) say that all of their machines are completely wiped of data before disposal2
      Sources: 1) SophosLabs 2012 Network Security Survey; 2) StaySafeOnline.org, NCSA/Symantec Research on Small Business, 2012; 3) InformationWeek, IT Pro Ranking Survey, 2012; 4) ACFE, 2008
    • 10 Cyber Threats SMBs Can’t Ignore
      InformationWeek SMB, Sept 2012: ten of the most serious dangers to SMBs:
      1. Bank Account Takeover – Cyber Crime
      2. Website Takeover
      3. Employee-Generated Data Leaks
      4. Sneak Attacks Through Service Providers
      5. Targeted Attacks
      6. Unpatched Software
      7. Websites as Malware Hubs
      8. Forgotten Systems
      9. Mobile and Wireless Devices
      10. Reputation Damage
    • Anatomy of a Bank Account Takeover
      (Diagram only on the original slide.) Source: FBI, IC3, FS-ISAC, Fraud Advisory for Businesses: Corporate Account Take Over, Oct 2010
    • When Bank Account Takeover Happens…
      Your business account is not government protected:
      – Businesses that bank online are not protected by Regulation E
      – Reg E obligates banks to reimburse consumers, not businesses, for online fraud losses
      – UCC Article 4A limits a Bank’s liability for an unauthorized transfer when the Bank followed a commercially reasonable security procedure in good faith
      Banks are not liable for your online losses:
      – Online banking deposit agreements exclude protection for business customers
      – Approximately 70% of businesses that suffered online fraud losses were not fully reimbursed by their financial institution1
      Standard business insurance policies are often insufficient or exclude account takeover fraud losses:
      – Basic liability and umbrella insurance policies are limited to legal expenses and wages from lost work
      – These policies do not cover online fraud losses
      Source: 1) Guardian Analytics/Ponemon, 2012 Business Banking Trust Study
    • SMB Burden of Liability for Bank Account Takeover Losses
      Banks are slow to identify and prevent fraudulent transactions, and rarely fully reimburse business customers for unrecovered, stolen funds.
      Chart 1, “How SMBs Learn about Fraud” (by fraud type: ACH-related, wire transfer, mobile banking): Merchant, Vendor or Supplier; Letter from Bank; Call from the Bank. Takeaway: both Bank notification methods are too slow for the Bank to fully recover funds.
      Chart 2, “Bank Response after a Fraud Loss” (by fraud type: ACH-related, wire transfer, mobile banking): No Compensation; Partial Compensation; Full Compensation. Takeaway: 7 in 10 businesses that suffered fraud losses were not fully reimbursed by their Banks.
      (The per-category percentages on the original charts did not survive extraction in a recoverable order.)
      Source: Guardian Analytics/Ponemon, 2012 Business Banking Trust Study
    • Bank OLB Business Agreements – Check the Fine Print
      Bank example (PNC online banking terms):
      VI. TERMS AND CONDITIONS
      A. GENERAL ONLINE SERVICES TERMS AND CONDITIONS FOR ALL CUSTOMERS
      8. Password and Security / Your Liability for Unauthorized Transactions / Errors and Questions
      “If you permit other persons to use Online Banking Services or your PIN/Password/User ID… you are responsible for any transactions they authorize. For Consumers Only: For more information on your rights and obligations concerning unauthorized or erroneous Transactions, please refer to PNC’s Consumer Electronic Funds Transfer Disclosure Statement (“EFT Statement”).”
      F. TERMS AND CONDITIONS FOR TRANSFER FUNDS SERVICE (Consumer and Business Accounts)
      2.b. Your Liability for Unauthorized Transfers / Errors and Questions
      “For Consumer deposit accounts, PNC Bank’s Consumer Electronic Funds Transfer Disclosure Statement details your rights and obligations when an unauthorized transaction has occurred.”
      2.h.i. Additional Transfer Service Provisions for Business Customers (slide annotation: “Explicit Business Exceptions”)
      “We shall only be liable for our own negligence or misconduct and shall not be responsible for any loss or damage arising from… any transfer resulting from circumstances beyond our reasonable control…”
      2.ii (slide annotation: “Communication of Business Liability”)
      “In no event shall we be liable for any consequential, incidental, special or indirect losses, damages, or expenses which the Business Customer incurs or suffers… whether or not the likelihood of such losses or damages was known by us.”
    • Bank Account Takeover: Fraud Loss Impact
      Recent SMB losses (business, amount):
      – Genlabs, $437,000
      – Ferma Corp., $447,000
      – Patco Construction, $588,000
      – Village View Escrow, $465,000
      – Family Smile Zone, $205,000
      – Lifestyle Forms & Displays, $1,200,000
      – DKG Enterprises, $100,000
      – Golden State Bridge, $125,000
      – Sign Designs, $99,000
      – McFadden Law, $250,000
      – Eskola, $130,000
    • Key Actions for Every Small to Mid-sized Business: 2. Assess Your Cyber Risk
    • Assessing Your Cyber Risks
      Seven questions for every business owner:
      1. Do you or your employees use the Internet or social media for business purposes?
      2. Do your employees use their own personal computers or mobile devices to access your company’s network or systems?
      3. Do you or authorized employees use Online Banking to access your business bank accounts online?
      4. Do you carry large business account balances, have high available credit, or use online transfer or payment functionality provided by your Bank?
      5. Do you have company internal or financial information or other sensitive data linked to the Web in any way?
      6. Do you collect, store and use your customers’ personal information?
      7. Do you rely on third-party providers to manage your company’s Web site, corporate email, network or other back-office systems?
    • Assessing Your Cyber Risks
      Business activity mapped to potential cyber risk (Business Identity Theft / Data Breach & Business Disruption / Funds Theft & eCrime):
      1. Employees active on the Web and use social media: one category (√)
      2. Employees use their own PCs and mobile devices on your network: two categories (√ √)
      3. Business uses Online Banking to access business accounts: one category (√)
      4. Business has high cash balance, credit, or uses higher risk functions: one category (√)
      5. Business provides access to sensitive info via the internet: two categories (√ √)
      6. Business collects, stores and uses customers’ personal info: one category (√)
      7. Relies on third-party providers to manage your web site, email, …: one category (√)
      (The column positions of the check marks were lost in extraction; the “Protect Your Business” matrix that follows pairs each activity with its control.)
    • Key Actions for Every Small to Mid-sized Business: 3. Protect Your Business
    • Protect Your Business
      Who / Business Identity Theft / Data Breach & Business Disruption / Funds Theft & eCrime:
      – Business Owner: Be Safe and Secure When Online / Protect Your Desktop and Mobile Devices / Understand and Use Your Bank’s Security
      – Your Employees: Focus on Employee Security and Safety / Define Data Policies & Controls / Establish Internal Company Controls
      – Your Business & Facilities: Proactively Monitor for Cyber Risks / Protect Your Environment / Understand & Protect Against Financial Loss
    • SMB Cyber Protection Plan: Business Owner Checklist
      Be Safe and Secure When Online (Business Identity Theft):
      – Use available Web browser security and privacy features: learn how to tell whether a site is safe; use “Do Not Track” features; use a hardened browser
      – Beware of Web 2.0 and social networking vulnerabilities: sharing information; reputational risks; malware risks
      – Learn how to recognize targeted phishing emails
      – Learn how to avoid spyware and malware: suspicious sites; downloads and attachments
      Protect Your Desktop and Mobile Devices (Data Breach & Business Disruption):
      – Monitor and update AV, anti-spyware and firewall software
      – Create a personal PC and mobile device policy for your business: require use of lock codes; encryption for work data; ban unauthorized plug-ins; employee agreement authorizing remote access to lost or stolen devices
      – Ban usage of public Wi-Fi for work-related business
      – Adopt a virtual private network (VPN) and secure websites (“https”) whenever possible; most popular web apps, including Gmail, Twitter, and Facebook, offer such an option
      Understand and Use Your Bank’s Security (Funds Theft & eCrime):
      – Use strong passwords: know the ingredients of a strong password; don’t mix business and personal passwords; consider a password vault
      – Adopt available bank controls for login: desktop anti-malware software; out-of-band protection
      – Use bank controls for higher risk payments and transfers: dual controls; Positive Pay
      – Monitor your bank accounts and credit cards constantly for fraud
      – Enroll in free instant alerts to warn you about any unusual account activity
    • SMB Cyber Protection Plan: Employee Checklist
      Focus on Employee Security and Safety (Business Identity Theft):
      – Train your employees in proper security practices: understanding phishing; social media risks; mobile and public Wi-Fi usage
      – Do background checks on new employees and contractors
      – Limit employee access to sensitive resources
      – Utilize security and employee monitoring systems
      – Use a dedicated PC for Online Banking and other sensitive work
      Define Data Policies & Controls (Data Breach & Business Disruption):
      – Create a formal data protection plan: inventory of your sensitive data; step-by-step procedures for daily protection; contingency plan if you are a victim
      – Train your employees on risks and company procedures
      – Create procedures to protect physical company documents: known safe and secure locations; use a micro-cut shredder; avoid sharing sensitive info unless you made first contact
      – Create policies for sharing company information online: limit sharing of EIN and financial docs via email and web; use security certificates and secure email for sensitive communications
      Establish Internal Company Controls (Funds Theft & eCrime):
      – Follow a “segregation of duties” policy for high risk areas: payments; purchasing; inventory
      – Implement a “dual controls” policy with your Bank to require two people for high risk transactions
      – Consider use of pre-paid business credit cards for employees
    • SMB Cyber Protection Plan: Business & Facilities Checklist
      Proactively Monitor for Cyber Risks (Business Identity Theft):
      – Regularly Google your business name for any clones
      – For higher profile businesses, consider for-fee reputation and brand monitoring services
      – Monitor business credit reports across the three major bureaus
      – Invest in a Business Identity Theft and Credit Monitoring service
      – Develop a plan to monitor and respond to cyber incidents: spam; hacker attacks and viruses; spyware; online shopping fraud
      Protect Your Environment (Data Breach & Business Disruption):
      – Write a security plan that defines security rules, guidelines, and goals for your business: patching policy; data back-up; system maintenance
      – Actively manage your company passwords: change default passwords; update on a scheduled basis; avoid set-up of “master users”
      – Ensure your third-party or cloud providers deliver adequate security
      – Use the available technologies to implement a cost-effective layered security strategy
      Understand & Protect Against Financial Loss (Funds Theft & eCrime):
      – Read and understand your Bank’s Deposit and OLB Agreements: know your liability; understand your responsibilities
      – Understand your current business insurance coverage for cyber risks: business identity theft; data breach and business disruption; funds theft and eCrime
      – Secure additional protection to cover your financial exposure
      – Know how to report suspicious activity and fraud: FBI and local police; FTC/NCTA; your financial institution
    • Final Thoughts
      – Cyber attacks are no longer rare… odds are, at least one of your computers is compromised
      – Cyber attacks have large negative consequences… fines and fraud losses for some SMBs tally in the millions
      – In hindsight… solutions are inexpensive and self-evident
    • About the Author
      EFTGuard protects businesses from account takeover fraud losses:
      – Approved for use with Trusteer Rapport®, Wontok SafeCentral®, IronKey® and Webroot®
      – Security education content
      – Fraud loss protection up to $100,000 per account and up to $500,000 per customer
      – No underwriting and no deductibles, backed by AIG/Chartis
      – Peace of mind for only $24.95 per month
      – Sign up in less than 5 minutes at www.eftguard.com
      Contact EFTGuard directly at info@eftguard.com, or follow us on Twitter at @EFTGuard.