
When It Comes to Security, Helping Business Is Your Business

Strategically Speaking
Jul 23, 2014

Author: Kevin Moland, KMoland@profitstars.com

When I was much younger and still single, a coworker of mine gave me some excellent advice about finance and relationships. She had been born and raised in Britain, and I can still hear the lilt of her English accent as she told me, “My old hubby always says, ‘When poverty comes in the front door, love goes out the back.’”

The point, of course, is that when conditions make it difficult for something to exist in one realm, it usually moves on. With that in mind, I have some good news and some bad news.

Here’s the good news: The more sophisticated security measures merchants are implementing have the potential to reduce fraud at the Point of Sale (POS). The most heralded form of physical POS fraud prevention is the impending requirement for U.S. stores to support new EMV (short for Europay, MasterCard and Visa) cards with embedded chips designed to more effectively authenticate cardholders. Unfortunately, while EMV will provide meaningful protection against fraud at the physical point of sale, it won’t do much to protect online systems. According to Dave Fortney, Senior Vice President of The Clearing House, “The downside with EMV is that it was created when there was no Internet, no online commerce, no smartphones and no tablets. While EMV is great for securing card transactions at point-of-sale terminals, it is less useful for online payments and other card-not-present transactions.”

So here’s the bad news: As these new physical POS security measures are “coming in the front door” of retail shops with physical POS terminals, the fraudsters are “going out the back,” but they’re going into the rapidly expanding online world, where they are increasing their attacks on virtual, rather than physical, systems.

The banking industry has long been familiar with electronic attacks, and in spite of the proliferation of new security measures designed to mitigate the risk, online banking fraud continues to be a pervasive and persistent problem for financial institutions. But, driven by increased regulatory pressures and their own self-interests, banks and credit unions are becoming more adept at protecting their online channels. Again, with this good news comes more bad news: Faced with the increased security measures deployed by banks and credit unions, fraudsters are turning their attention to the systems of the corporate customers those FIs serve. And, in this case, the news gets even worse because, unlike financial institutions, many of these corporate clients aren’t adequately prepared to protect themselves. An alarming number even believe their losses from online theft will cost them less in the long run than deploying adequate security systems!

These attacks against corporate systems take many forms, some of them ridiculously simple. Fraudsters have been known to send e-mails to a business’s accounting department in which they impersonate one of the business’s suppliers. These e-mails appear to be from an officer of the supplier, and they provide “new account” information to which the business is instructed to send future payments. The accounts are, of course, under the control of the fraudsters, and any payment the business sends vanishes immediately.

So what can financial institutions do about this trend? The answer is simple: FIs can support their business customers by sharing what they’ve learned about fraud prevention. Most business owners are too busy keeping their enterprises afloat to research fraud methods and implement comprehensive security plans. Business operators aren’t security experts, and most organizations can’t afford to hire one. Because financial institutions generally provide the systems businesses use to monitor their accounts, collect funds, and make payments, FIs have a responsibility to help businesses secure access to those systems and protect the points where they intersect with the business’s own internal programs.

Here are three things banks and credit unions can do to help businesses be more secure:

  1. Encourage them to use the security measures embedded in online banking and payment systems. Businesses often resist using basic tools like dual control because it takes more time and requires more effort. Financial institutions need to nudge, cajole, encourage or require their corporate users to get on board with additional security measures. Like FIs, businesses should perform their own risk assessments in order to know which of the FI’s security measures will fit them best. Not only are these measures the best way for businesses to protect themselves and limit their liability, but financial institutions also serve their own self-interests when they help business clients avoid costly and embarrassing breaches.

  2. Educate them about fraud and the mitigation measures they need to take to protect themselves. Businesses rarely understand how crucial this information may be to their survival, so FIs may need to be very proactive in their education efforts. Have a 90-minute Security Seminar once a quarter. Provide lunch and maybe even waive the monthly service fees for businesses that send a representative from management, operations or IT. Teach them about the security “touch points” in their company, including social engineering and the need to train their employees to spot it so they can avoid becoming a victim.

  3. Provide them with tools and sample policies and guidelines to make their task easier. Regulators require FIs to maintain these types of policies and procedures. Task your audit group with creating a “business” version of the security guidelines in use at the financial institution, or talk to your online services provider to see if they have business-facing security information available for distribution to businesses. Business owners are far more likely to tighten security in their shop if they are presented with a prepackaged set of procedures and guidelines. And creating the tools isn’t enough. Your FI will need to review them periodically, as you do your own policies and procedures, to confirm that the information you are providing is up to date and applicable across your various business segments.

These are just a few ideas a proactive financial institution could put into action. Whatever your bank or credit union decides to do, the key is to get involved in helping your business clients strengthen their defenses. In the long run, the losses you prevent may very well be your own.

