Target, Home Depot, TJ Maxx, eBay. They’ve all been hacked in recent years, costing retailers, consumers and their financial institutions billions of dollars. And these retail giants are hardly alone. More than 80 percent of U.S. companies have been successfully hacked, according to a Duke University/CFO Magazine Global Business Outlook Survey released last summer. The U.S. Department of Justice calls cybercrime “one of the greatest threats facing our country.”
The challenge is that conducting online business is a necessity, which means businesses must find a way to protect themselves and their customers by making transactions secure. So how can they protect themselves? And are they doing enough to keep their financial data safe? Those are the questions that have banking and cybersecurity experts reaching for the Tums. “Cybersecurity is one of the most pressing and challenging issues that keep banking executives up at night,” says Joe Reilly, NH regional president of Eastern Bank in Bedford.
While banks and financial institutions have to meet rigorous cybersecurity standards set by the FDIC and other government regulators, most of their clients do not. Local bankers and cybersecurity experts say many companies overlook important security measures or let them slide because of tight operating budgets or limited staff. “Companies need to be taking this very seriously. They need to develop a series of best practices and educate their employees,” says Reilly.
Here are nine simple but often-overlooked measures businesses should take to help keep banking and financial information safe:
1. Use Two-Factor Authentication
Two-factor authentication is an extra layer of security that requires not only a password and username, but also something that only the user has access to, such as a privileged piece of information, a token or a fob, or a fingerprint. PayPal, for example, offers two-step authentication, requiring a username and password first, then sending an authentication code to the user’s cell phone that must be entered within five minutes.
Two-step authentication is “absolutely huge,” says Candy Alexander, a NH-based cybersecurity consultant and a member of the board of directors of the Information Systems Security Association. “It makes it that much harder for a criminal to break in. It’s like going to a house with an ADT sign—they’re going to think it’s not worth the risk and go on to the next house that doesn’t have it.” She recommends that businesses use two-factor authentication, and to only do business with banks and other financial institutions that use it.
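The server side of the code-to-phone flow described above, as an added illustration that is not from the article or from PayPal: a random six-digit code that is valid for five minutes, accepted only once, compared in constant time, and discarded after a handful of wrong guesses (the attempt limit and the in-memory store are assumptions for the demo; delivery of the code by SMS or app is left out).

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # code must be entered within five minutes, as in the flow above
MAX_ATTEMPTS = 5            # assumption: a code is abandoned after five wrong guesses

# Constructed in-memory store for the demo: username -> pending code record.
_pending = {}

def issue_code(username, now=None):
    """Create a one-time code for a user who has already passed the password check.
    Returns the code so the caller can deliver it out of band (SMS, authenticator app)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # uniformly random, never derived from a clock or user data
    _pending[username] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def verify_code(username, submitted, now=None):
    """Return True exactly once for a correct, unexpired code.
    The record is consumed on success, on expiry, or after MAX_ATTEMPTS failures."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None:
        return False                     # nothing pending: no code was issued or it was already used
    if now > rec["expires"]:
        del _pending[username]           # a late code is discarded, not accepted
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["code"], str(submitted))   # constant-time comparison
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]           # single use; also invalidated after repeated wrong guesses
    return ok
```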
2. Don’t Assume You’re Safe
Increasingly, hackers are targeting small businesses because they often lack security measures found in larger companies. A 2015 report from McAfee found that almost 90 percent of small- and medium-sized businesses in the U.S. do not use data protection for company and customer information. “I think there’s very much that mentality that if you’re small, you’re not a target,” says Reilly. “But the bad actors know that the larger the organization, the more sophisticated the firewalls … they’re looking for the lower-lying fruit in the smaller business segments, the ones who may not have sophisticated security.” Small businesses should be vigilant about protecting information, training employees and taking steps to strengthen security, he says.
3. Protect Your Information
It sounds simple, but basic steps go a long way, says Alexander. Make sure your computer is password-protected, that the password is strong and not being shared or written down, and that you’re aware of who has access to those passwords or to banking information, she says. Those passwords should also be changed regularly. “When I look at businesses, there are two major ways that people get hacked. The first is through the system software, but the second is access, whether that’s access to a computer or to the bank account,” she says. “You need to protect that access.”
4. Scrutinize Your Vendors
Even if your security is up to snuff, third parties could create vulnerabilities, says Mike L’Ecuyer, president and CEO of Bellwether Community Credit Union in Manchester. “Before we decide to partner with somebody, part of our due diligence is assessing the strength of their cybersecurity,” he says. “We assess their audits, take a look at their policies, interview their people—anyone that might use or store or have access to our members’ private information. Our reputation is on the line.”
5. Update Software With Caution
Users often delay applying software updates, but those updates can include critical security measures, says Alexander. “Malicious users will use those known security holes as a means to get malware on your computer,” she says. She recommends applying updates from trusted sources, like Windows, or from trusted anti-virus software programs immediately.
That said, users should be cautious about automatically installing updates from add-on applications or programs like Adobe or Java, she says, as such programs are often targets for viruses or malware. “I personally go out to their websites, to the Adobe site, and see, did they really release a patch? Or I do a search for that update to double-check,” she says.
6. Have a Banking-Only Computer
One computer should have no other software programs besides what’s needed for banking—no email, no applications, says Reilly. “If you have a dedicated line and a dedicated PC that runs in a secure fashion between your computer and your financial institution for online banking purposes only, you take the element of somebody sending in a bad email or malware totally out of the equation,” he says. Leland Beachy, the senior vice president of information security in risk management at Bank of NH in Laconia, also urges companies to use one computer just for banking. “The easiest way to get a small business’s computer compromised is through email channels and going online to check social media. Just keep your banking functions out of that.”
The downside, of course, is the additional expense involved with dedicating a separate computer and connectivity line to only one function, but Beachy insists it’s worth it. “Most small businesses could probably afford the $400 to $500 for a single-purpose computer, compared to losing thousands of dollars from a security breach,” he says.
7. Train Your People
Firewalls, passwords and encryption can only go so far, says Peter LaMonica, the department chair and professor of computer science at Manchester Community College in Manchester. “The people part is the thing we can’t build technology to protect us from,” he says. Employees may open emails they shouldn’t, fall for phishing scams, fail to update passwords, link their personal devices to the company’s system, or create other security vulnerabilities, he says. Companies need to make sure employees are vigilant and aware, he says. “I think we are seeing companies trying to have more [training] sessions with their employees, and that’s a good thing for prevention purposes. It’s always that people aspect of things that seems to get us,” he says.
He recommends that companies consider training programs for employees, many of which are offered through law enforcement agencies, small business groups, chambers of commerce and third-party security companies. Beachy, meanwhile, says his bank rewards employees who alert leaders to suspicious emails, links or other scams as a way to help encourage vigilance and elevate security.
7. Run Security Drills
LaMonica also recommends testing security measures regularly and teaching employees what to do if there’s a breach. At Bellwether Community Credit Union, leaders periodically bring in security experts, who try to hack their systems to help spot vulnerabilities. “We are constantly evolving from what we learn in these assessments and audits,” says L’Ecuyer.
8. Analyze Your Log Files
Many operating systems and software programs include a logging system, which records events such as logins. The log files can reveal important security information, such as “who is logging on, attempting to log in and from where,” says LaMonica. But that information only comes to light when someone takes the time to look at the log files, and companies that don’t have a dedicated security person often overlook this, he says.
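A small script that answers the three questions LaMonica lists (who logged on, who tried and failed, and from where), added here as an example and not taken from the article. The log lines are constructed in the style of an OpenSSH auth log using documentation IP ranges, and the list of known office addresses and the failure threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of an OpenSSH auth log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Mar 10 08:01:12 bankpc sshd[1201]: Accepted password for alice from 198.51.100.4 port 50212 ssh2
Mar 10 08:02:05 bankpc sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Mar 10 08:02:06 bankpc sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar 10 08:02:07 bankpc sshd[1209]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar 10 08:02:09 bankpc sshd[1211]: Failed password for alice from 203.0.113.7 port 40114 ssh2
Mar 10 08:02:11 bankpc sshd[1213]: Failed password for alice from 203.0.113.7 port 40115 ssh2
Mar 10 08:02:13 bankpc sshd[1215]: Accepted password for alice from 203.0.113.7 port 40116 ssh2
Mar 10 09:15:40 bankpc sshd[1300]: Failed password for bob from 198.51.100.9 port 33001 ssh2
Mar 10 09:15:55 bankpc sshd[1302]: Accepted password for bob from 198.51.100.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse(log_text):
    """Yield (timestamp, result, user, source_ip) for every line matching the sshd auth pattern."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["result"], m["user"], m["ip"]

def analyze(log_text, known_sources=frozenset(), fail_threshold=3):
    """Summarise who logged in, who failed, and from where; flag sources with >= fail_threshold
    failures and successful logins from an address not in known_sources (assumed office addresses)."""
    fails_by_ip = Counter()
    logins = defaultdict(set)   # user -> source addresses that succeeded
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            fails_by_ip[ip] += 1
        else:
            logins[user].add(ip)
            if ip not in known_sources:
                alerts.append(f"{ts} login for {user} from unexpected source {ip}")
            if fails_by_ip[ip] >= fail_threshold:
                alerts.append(f"{ts} login for {user} from {ip} after {fails_by_ip[ip]} failures (possible password guessing)")
    for ip, n in fails_by_ip.items():
        if n >= fail_threshold:
            alerts.append(f"{n} failed logins from {ip}")
    return {"logins": {u: sorted(ips) for u, ips in logins.items()},
            "failures_by_ip": dict(fails_by_ip), "alerts": alerts}
```

A single mistyped password from a known address (bob above) produces no alert, while a burst of failures followed by a success from an unfamiliar address does; that second pattern is the one worth a phone call to the employee concerned.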
9. Secure Your Email
Bad links, malware, and phishing scams often come through email, so Beachy recommends companies install programs to filter the email before it even reaches employees. He also suggests businesses set up policies against accepting certain kinds of files through emailed attachments, such as zip files, which can be more vulnerable. That policy is in place at Bank of NH, he says. “It just helps us avoid things that tend to be higher risk.”
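One way to enforce an attachment policy like the one Beachy describes, written here as an added example and not the bank's own filter: the check looks at both the declared filename and the first bytes of the content, so a zip file renamed to .pdf is still caught. The set of blocked archive types and the example addresses are assumptions; the helper that builds the test message exists only so the block runs on its own.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: archive formats the policy rejects (the article names zip; the others are added for the demo).
BLOCKED_EXTENSIONS = {".zip", ".7z", ".rar"}
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "rar"}

def attachment_violations(raw_message):
    """Return the reasons a raw RFC 822 message breaks the policy (an empty list means it may be delivered)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            reasons.append(f"blocked by filename: {name}")
            continue
        for magic, kind in ARCHIVE_MAGIC.items():   # content check catches renamed archives
            if payload.startswith(magic):
                reasons.append(f"blocked by content: {name or '(unnamed)'} is a {kind} archive")
                break
    return reasons

def build_message(attachments):
    """Construct a demo message with (filename, bytes) attachments; constructed input, not a real email."""
    m = EmailMessage()
    m["From"] = "vendor@example.com"
    m["To"] = "payables@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    for fname, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_bytes()
```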