If your personal bank account were to be victimized in an online attack, as a consumer, your bank would be required to reimburse your funds and cover any damages. If the same thing were to happen to your organization’s commercial account, that’s not the case.
In recent months we’ve seen several attempts by businesses to set precedence in the courts by suing their financial institutions after being the victims of online theft. Most recent of these is Oregon Hay Products, Inc., who are taking Community Bank in Joseph, OR to court for not adequately protecting its customers. Brian Krebs, as usual, does a great job of summing up the details, so I’ll kindly direct you over to his post for the particulars.
What’s at issue here is the blame game. If you scroll down to the comments section on Krebs’ post, something I’m loath to do on even the most intelligent of blogs, you’ll see some back and forth over whether it was the bank’s fault for not providing adequate protections, or the victim’s fault for, well, being a victim. My personal opinion…it’s a bit of both. However, I am siding with the victim in this case.
There are regulations in place that require financial institutions to provide a “reasonable level of security” for their customers. Obviously, that is an objective term, but in this day and age it should most definitely be more inclusive than simple username/password and silly “security questions.” This is NOT multi-factor authenticaion. It is single-factor authentication of multiple values. Big difference.
At the same time, small community banks are often lucky if they even have ONE person dedicated to IT in general. Unfortunately, that one guy or gal ends up being tasked with desktop support, domain administration, network admin, compliance and all things security. On the flip side, the BofAs and HSBCs of the world have as many people in InfoSec alone as some of these community banks employ in total.
This leads the small guys to rely on their trusted central processors for guidance. In the case mentioned above, that’s Jack Henry. Jack Henry, Fiserv and the rest of them do a darn fine job when it comes to their core function. But they are not security service providers or subject matter experts on defending from or preventing cyberattacks.
A few pieces of advice:
- If you are a business owner, I strongly suggest that you check with your commercial bank for specifics on what they’re doing to protect you from online theft. If you’re not satisfied with the answer, let them know and, at the very least request additional measures be taken (I’m being nice there…go find someone who is taking the correct steps)
- If you’re a banker, don’t be the guy who sets the precedent because of screwing this up. From that point forward, whenever any business takes their bank to task, your name will be invoked, redamaging your brand. (Not to mention the legal costs, and restitution). Instead, do yourself a favor and be proactive. Bring in some experienced security folks. Listen to them. If you can’t afford to staff FTEs, well I happen to know of a particular company whose blog you’re reading right now that would love to help you out. Give us a call.