Small businesses face a number of challenges, with security at the top of the list. Yet many small-business owners don’t even realize the substantial risk they face while banking online. Let’s take a look at some of the bone-chilling events happening in the small-business payments world today — cyberattacks that can devastate your business.
- Experi-Metal lost $550,000 through phishing attacks
- Sanford School District lost $117,000 to bogus payroll disbursements
- Hillary Machinery lost $800,000 through ACH and wire transfers
The list goes on. A recent report by Symantec found that targeted attacks against companies with 250 or fewer employees jumped to 36% in the six months that ended in June 2012, from 18% in December 2011.
And here’s the REALLY scary part — most SMB owners are unaware that, unlike personal bank accounts that give you 60 days to report unauthorized transactions, commercial account holders have only 24 hours. Banks are not liable after that, and most SMBs just don’t have the resources needed for litigation after a cyberattack.
Let’s look at why this is happening:
- Denial: Businesses think they are invincible. What’s more, because it is still considered a relatively low probability event (27 million businesses, but only a few hundred thousand cyberattacks at businesses annually), we wrongly assume the consequences “aren’t that bad.” The reality is twofold: It could happen to you AND the consequences can be debilitating.
- Follow the money: SMBs generally have a substantial amount of money in the bank — tens to hundreds of thousands — while consumers typically have far less.
- Chink in the armor: Controls for payments are weaker for SMBs than for larger corporations, which typically have a segregation of duties (i.e. the person who creates the payment doesn’t approve it). SMBs don’t have these natural safeguards because it is simply not practical for them to implement such processes.
- Malware is everywhere: SMBs work with a greater number of service providers that potentially carry malware. For example, a small business uses an outsourced financial consultant to keep the books and make payments, etc. This outsourced person uses their own machine outside the purview of the SMB’s internal IT processes and safeguards (i.e. he has other clients, is traveling a lot and leverages a family computer). This scenario opens the door to countless opportunities for malware to access the SMB’s information.
So what should SMB customers do to ensure their accounts are protected and that their banks offer the right levels of security? Here are some tips:
- Wake up and smell the cyberattack: Do NOT dismiss this very real risk. Recognize that it can happen and that the results can be devastating. For example, Patco Construction lost more than $500,000 in a recent cyberattack. This kind of loss devastates working capital.
- Read the fine print: Understand that SMBs are not covered like consumers are by financial institutions. You can’t rely on regulation, and building a solid legal defense after the fact will cost you an infinite amount of time and money.
- Inquire within: Ask your bank about its security measures. Look for two-factor authentication (not just a username and password), fraud monitoring and tools to enforce segregation of duties. If your bank doesn’t offer these basic layers of protection, switch to one that does.
- Prevention is key: Take steps to protect your business. Use multilevel approval and solutions (like MineralTree) that don’t change how your payments are made, but make them more secure. And use one dedicated computer for online banking.