Staying Safe Online
At Fannin Bank we know how important your business is. No business is created by magic. It takes creativity, commitment, and most of all, a lot of hard work. Consider for example all the elements it takes to protect a business, such as burglar alarms, fire insurance, and maybe security guards with fierce dogs.
You need to make sure that you have given the same consideration to cyber security that you have to physical security. You are not the only stakeholder in your business's security; there are also your vendors, your employees, and your customers. A breach in your network can mean loss of money, loss of information, and loss of trust.
Fannin Bank knows your business is an integral part of our community, and our community can't thrive without you. To help you build a good cyber security plan, Fannin Bank has compiled a list of industry best practice standards.
Key Security Components
"Although you cannot make it completely immune to attacks, there are ways to improve the overall security of your system to make it less vulnerable." - CERT Coordination Center, Carnegie Mellon University
Identify your risks.
Determine what your company’s most critical information assets are, and spend your time and energy protecting what is most important.
Get the CEO involved.
Good security has to start from the top, with executives who help create a corporate culture that values security.
Put someone in charge.
Security is a complex job, so make sure someone is in charge of coordinating security efforts.
Develop and implement a security policy.
Establish guidelines for how your company handles and protects its data, from who makes sure software patches are installed, to how employees access their e-mail on the road, to how often passwords should be changed.
Educate employees and raise awareness.
Make security awareness an ongoing project. Employees need to understand why their role is so critical.
Have a security audit done.
Hire an independent third party to evaluate your security posture, and then use the recommendations made by the auditor.
Incorporate physical security into the plan.
The best security technology in the world will not do any good if a well-meaning employee lets the wrong person into the server room.
Remember internal threats.
Most attempted hacks come from the outside, but most successful ones start with people who have inside knowledge. Have a process in place to delete user accounts when employees quit or are let go.
Stay tuned in.
Make sure someone keeps track of new developments in information security, including new vulnerabilities and attacks.
Prepare for the worst.
Create an incident response plan to help you save time in the event of a security problem. This will lay out who needs to be involved, what their jobs are, and how you will minimize the damage.
Policies & Procedures
The first step in securing your network is to define how your company intends to manage and protect its information and resources. Such decisions depend upon things like the nature of your information and the cost of security. But regardless of your final decisions, your security practices should be written down and shared with all your employees.
Policies are the overall company attitudes and intentions. For example, "It is the policy of XYZ Company to back up our data nightly and store this backup at an offsite facility." Procedures, on the other hand, are step-by-step instructions, with the responsibility for each step carefully delineated.
Policies and procedures should be tailored to fit your specific environment, but should deal with such topics as:
The level of privacy an employee can expect on a company computer.
Which employees have access to which systems.
What to do when you suspect an intrusion.
Steps to take when an employee leaves the company.
Security policies and procedures should be documented and regularly enforced, and users should know their obligations for protecting the company's network. Users include everyone who has an authorized account on your system. They can play a vital role in detecting signs of intrusion.
How do I get policies and procedures?
You can create your own policies and procedures, have them written for you by a consultant, or purchase them already written. There are several sources on the Internet that can help you:
About.com: Human Resources
The SANS Security Policy Project
Good website on overall security considerations:
CERT Tech Tips
When designing your business's network practices, have written documentation of everything. Every program you buy, every upgrade you install, and every modification you make needs to be documented. Also, you should have written policies on how to react before, during, and after any security breach is discovered.
Your policies should be updated frequently, and cover such items as:
How often to upgrade firewalls.
How often to upgrade anti-virus software.
How often to do data backups, and where they should be stored.
Contacting law enforcement and your financial institution immediately if a security problem is discovered.
Follow these guidelines to minimize your business's risk of intrusion.
Keep backups of all operating system software.
Keep backups of all important data.
Maintain software to recognize attacks and audit defensive steps.
Make sure all audit trails are turned on.
Be aware that there are potential intruders that may be "sniffing" your network.
Routinely test your network for vulnerabilities.
Change passwords frequently, and cancel them for employees who leave the company.
Passwords should require combinations of letters and numbers. These are more difficult to guess or crack.
Minimize the number of modems on your system.
Your business is at risk. Computer crimes, cyber terrorism, physical disasters (theft and vandalism), and natural disasters (tornadoes, floods, power failures): any of these can cause a complete loss of your operating information, such as customer names, inventory lists, and accounts receivable records.
"40% of businesses that experience a disaster never recover." - Peter Browne, V.P., Predictive Systems' Global Integrity
And those that do recover often take years to get back to their pre-disaster operating level.
Disaster Recovery Plans are helpful, but those take effect too late. You need a plan that starts before there is a disaster, to ensure that your business not only recovers, but also continues to operate smoothly.
Business continuity is the name given to the entire range of procedures, processes, and activities that you can use to ensure that your business keeps operating when the worst happens. Business Continuity Planners Association contains "some of the best known sites on the Internet that have material on business continuity and disaster recovery, as well as a few other resources you may find useful."
When you determine which level of security is right for your business, ask yourself the following questions:
What will be the effect on my business of being non-operational?
How much will it cost me to be non-operational for an hour? How about a day? A week?
How long am I willing to be non-operational?
How much will it cost to prevent excessive downtime?
Most of the time, laptops are stolen for the information they contain, not the hardware. Your laptop may contain bank records and login credentials, as well as sensitive information about your business.
A common laptop theft scam:
Two people at a busy airport target a potential victim (you) carrying a laptop computer. After you place your laptop on the security conveyor belt, one of the scam artists sets off the metal detector. While everyone's attention (including yours) is turned toward the individual at the metal detector, the second person picks up your laptop when it appears on the conveyor belt. There might even be a third person who takes the computer as a hand-off and then disappears into the busy crowd. Your laptop is gone before you realize anything has happened.
Tips to help you protect your laptop:
Maintain copies of important data somewhere other than the laptop. You might consider using an external portable storage device.
Be sure to back up all data, and make use of encryption features when you do so.
Exit out of programs prior to shutting down your laptop to avoid data loss and program corruption.
Never handle or manipulate a drive while it is operating.
Use a locking cable to secure your laptop to your desk or workstation.
Carry your laptop in a very nondescript carrying case, perhaps a backpack. Make sure your carrying case is sturdy, weatherproof, and padded. Keep it with you at all times; never place it on a seat beside you.
When traveling, never check your laptop as baggage.
Never put your laptop on the conveyor belt at a security checkpoint until the person in front of you has successfully passed through the metal detector. Keep a constant eye on it as it enters and exits the X-ray machine. Keep a close eye on the people in front of you and what they are picking up.
Engrave your laptop with your company logo and an identifying number.
Use a disk drive lock to prevent unauthorized access and operation of the computer.
Fannin Bank's mission is to provide you with information and resources for protecting your cyber assets. However, we must always understand that any adequate computer security system begins with proper physical security.
The greatest firewall software in the world is not going to protect your data if your server is stolen.
In deciding on sufficient physical security, the goal is the same as with sufficient cyber security: make it so difficult to break in that the would-be criminal decides it's just not worth it. This is called "hardening the target": not only do you make it difficult to get into, but you also make it appear so formidable that no one even tries.
This Business Security Test can assist you in assessing the level of your own security.
On the surface, piracy doesn't seem to harm anyone. Expensive software applications are sometimes "loaned" between users to avoid licensing costs. In much the same way, digital music has made trading songs online commonplace.
Most of the piracy on the Internet is carried out using Peer-to-Peer (P2P) network applications such as LimeWire, BearShare, and Gnutella. These programs facilitate the sharing of copyrighted files quickly, seamlessly, and virtually anonymously. Unfortunately, these programs can cause many problems, including inadvertently downloading a computer virus. Most importantly, if they are not properly configured, these programs may share files on your computer that you never intended anyone else to see.
"Peer-to-Peer" file sharing users have inadvertently given banking information to anonymous users online.
There are four specific categories of piracy:
Social piracy is the unauthorized duplication of only the media, not including any of the packaging, original art, label, title, etc. There is no pretense that these are legitimate products. Examples of social piracy include mixed music discs that friends share with one another and software applications that are copied for coworkers.
Counterfeit piracy describes unauthorized copies of media as well as the unauthorized duplication of original artwork, label, trademark, and packaging. Counterfeits are passed off as legitimate and are often used by the pirate for monetary gain.
Bootleg recordings are the unauthorized recordings of live concerts, movies, or musical broadcasts on radio or television.
Online piracy is the unauthorized uploading of copyrighted material to be made available to the public. Downloading copyrighted material from an Internet site or a Peer-to-Peer network is illegal.
In the United States, software pirates can be punished with statutory damages of up to $100,000. If you are convicted of a felony charge of software piracy, you can get up to a five-year prison sentence plus fines of up to $250,000 for each work that is infringed.
How Piracy in the Workplace Can Damage Your Business
Performance may suffer from the lack of user manuals, reference materials, and product support
The company is liable for all pirated materials within its doors
The business may get a bad reputation if found guilty of copyright infringement
The business forfeits all product warranties and upgrades
Viruses introduced by illegal software can damage or even destroy systems
Serial number clashes can cause serious system disruption
Back-ups and recovery are often not possible when there are no original disks
The business receives no assurance of product authenticity or reliability
Using corporate networks for file sharing can be a hazard to network security
Misuse of bandwidth can slow down the entire network
How to Fight Piracy in the Workplace
The first step in fighting piracy is to make sure you don't contribute to it knowingly or unknowingly.
If you are a business owner, create a policy preventing the duplication, distribution, and use of copyrighted materials within your office doors
Create detailed procedures telling employees how to handle original software, and what steps to take to ensure that it is not copied illegally
Buy media only from authorized dealers
If you discover that you might have a counterfeit copy of a software application, movie, or CD, contact the dealer you bought it from. Keep in mind that they may have been fooled, too.
Disaster can strike at any time and in many different ways, and there is often no way to avoid it, whether it's a national crisis, a weather-induced tragedy, or a cyber attack. Knowing what to do in the event of a catastrophe is crucial for the survival of your business.
Prepare a disaster plan.
Many business owners have not prepared a strategy of what to do in case of a catastrophe. When considering a detailed plan, take into account as many variables as possible. The smallest oversight might damage your company severely. For example, consider the safest locations for your merchandise. Be sure you know how to contact your insurance agent in a hurry. Be familiar with a map of your company's location that includes safety exits and utility connections.
Back up your data, and store it off-site.
Business owners who rely on extensive computer data need to back it up on a regular basis. Backups should be safely stored off-site, because if your business is destroyed, you will lose the data as well. Create a schedule for your employees to back up their data regularly.
Be aware of your insurance coverage.
Meet with your insurance agent to make sure that your coverage is up to date. For home-based businesses, make sure that your coverage protects your company's equipment. Consider purchasing guaranteed replacement coverage. This way, you will not have to pay out of pocket if a disaster occurs and destroys your company's equipment.
Be sure to have emergency cash.
If possible, set aside several months' worth of business expenses. In case of an emergency, you'll have money available to pay bills and keep payroll flowing without having to let employees go.
Make everyone at your business aware of your disaster strategy.
Make sure that your employees understand what to do in case of an emergency. You will be depending on them to save your business. Furthermore, make sure that your clients and customers know that you have a contingency plan in case of emergency. This will build their confidence in you and your business.
For more guidelines on preparing a disaster strategy, visit the U.S. Department of Homeland Security's disaster preparedness web site at Ready.gov.
Corporate Account Takeover is a form of corporate identity theft where cyber thieves gain control of a business bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves. Businesses with limited or no internal computer safeguards and disbursement controls for use with the bank's online banking system are vulnerable to theft when cyber thieves gain access to their computer systems, typically through malicious software (malware). Malware infects a business computer system not just through infected documents attached to an email but also simply when an infected Web site is visited.
Businesses across the United States have suffered large financial losses over the last few years from electronic crimes through the banking system. In Texas electronic thefts through banks have ranged from a few thousand to several million dollars! These thefts have occurred in banks of all sizes and locations and may not be covered by the bank's insurance.
Under the Electronic Funds Transfer Act (Reg E), commercial accounts do not enjoy the same protection from loss due to electronic fraud as personal accounts. Banks are not required to refund any money you lose due to corporate account takeover. The attackers really are stealing your money, and you could be the one left holding the empty bag.
Network intrusions are a serious threat to all businesses. They can easily cripple an unprepared business.
An intrusion may have already happened without you noticing because your system seems to be operating normally.
Hackers can breach your network's defenses from remote locations, or try to physically break into your organization to access your valuable information. Intruders seek unpatched software vulnerabilities and develop sophisticated programs to rapidly penetrate those systems. An intrusion can be achieved in seconds.
Even if your organization has a comprehensive information security protection system, it is essential that you closely monitor your information assets for signs of intrusion.
To prevent intrusions, you need to develop a strategy for handling intrusions that includes preparation, detection, and response.
Invest in a quality firewall. A good firewall can prevent most brute force attacks and even stop some forms of malware from sending information back to the attacker. You should also invest in someone to set up the firewall for you. There are many companies that can help you do this for a reasonable fee. Firewalls can be tricky to set up, and you need someone who has a good understanding of how network and Internet traffic work.
A web filter is an inexpensive way to monitor web traffic on your system. Most web filters on the market today come with a block list of known malicious sites. There are many to choose from, such as Barracuda or CC Proxy.
Stand Alone Computer
You should set up a computer that is used only for Internet banking. Do not check email, surf the web, or do anything else on this computer other than your Internet banking business.
If a stand-alone computer is not in the budget, you can use a live CD. A live CD is an entire computer operating system on a CD. Every time you boot from the CD, it is like having a new computer.
By creating a white list of authorized payees, you can help your bank identify suspicious ACH or wire transfers created using the Internet banking system.
Dual control requires two people from your place of business to authorize an outgoing ACH or wire transfer created using the ACH or wire transfer feature in Internet Banking.
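As an added illustration of the two controls just described (the payee white list and dual control), the following Python script is not from Fannin Bank or this page; it screens a constructed batch of outgoing ACH/wire requests and reports why each one should be held. The payee names, routing and account numbers, employee names and the `screen_transfer` / `screen_batch` function names are all assumptions made for the example. Because the white list matches on the full payee record (name, routing number and account), a request that keeps a familiar vendor name but swaps in a different account is still flagged, which is the pattern account takeover fraud relies on.

```python
# Added example (not from the original page): screening outgoing ACH/wire
# requests against a payee white list and a dual-control rule.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Payee:
    name: str
    routing: str   # 9-digit ABA routing number
    account: str


@dataclass
class Transfer:
    ref: str
    payee: Payee
    amount_cents: int
    initiated_by: str
    approved_by: Optional[str] = None  # second employee under dual control


def routing_checksum_ok(routing: str) -> bool:
    """ABA routing number check digit: weights 3,7,1 repeating, sum mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def screen_transfer(t: Transfer, white_list: FrozenSet[Payee]) -> List[str]:
    """Return the reasons a transfer should be held; an empty list means release."""
    findings: List[str] = []
    # Match on the whole record, so a known vendor name with a changed
    # account number does not pass as an authorized payee.
    if t.payee not in white_list:
        findings.append("payee not on white list")
    if not routing_checksum_ok(t.payee.routing):
        findings.append("routing number fails check digit")
    # Dual control: a second, different employee must approve.
    if t.approved_by is None:
        findings.append("missing second approver (dual control)")
    elif t.approved_by == t.initiated_by:
        findings.append("initiator approved own transfer (dual control)")
    return findings


def screen_batch(batch: List[Transfer], white_list: FrozenSet[Payee]) -> Dict[str, List[str]]:
    return {t.ref: screen_transfer(t, white_list) for t in batch}


# Constructed sample data (hypothetical payees, employees and numbers).
# "123456780" is a made-up routing number that satisfies the check digit.
ACME = Payee("Acme Supply Co", "123456780", "1111")
ACME_ALTERED = Payee("Acme Supply Co", "123456780", "9999")  # same name, new account
NEWCO = Payee("Newco Ltd", "123456789", "5555")            # bad check digit
WHITE_LIST: FrozenSet[Payee] = frozenset({ACME})

SAMPLE_BATCH = [
    Transfer("T1", ACME, 250_000, "alice", "bob"),          # clean
    Transfer("T2", ACME_ALTERED, 250_000, "alice", "bob"),  # account swapped
    Transfer("T3", ACME, 40_000, "alice", "alice"),         # self-approved
    Transfer("T4", NEWCO, 9_900_000, "alice"),              # unknown payee, no approver
]


def run_sample() -> Dict[str, List[str]]:
    return screen_batch(SAMPLE_BATCH, WHITE_LIST)


if __name__ == "__main__":
    for ref, reasons in run_sample().items():
        print(ref, "RELEASE" if not reasons else "HOLD: " + "; ".join(reasons))
```

In practice the white list would be loaded from a file that only a designated employee can change, and any held transfer would be reported to the bank before release rather than simply retried.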
Use all Security Measures Available
You should use all security measures made available by your bank. The security measures offered by your bank are there for your protection and cannot help if you do not use them.
It is estimated that one in every three scams in the United States is aimed at a small business owner. Among the variety of scams that they use are directory scams, vendor scams, and of course the Nigerian scam.
Small businesses are a principal target for scam artists of all types.
The Directory Scam
A con artist approaches a small business to ask if they would like to be included in a physical or on-line "business directory" which is being put together. The scam artist might call it a directory of "recommended" businesses. The business owner pays a fee to be included in the directory, and then never sees it or the salesperson again.
Ask to see the most recent copy of the directory or for the directory's URL
Ask to be referred to another business that has been included in past directories
The vendor scam involves a phony office supply company that tries to sell office supplies at grossly inflated prices. These phony companies have generic names like "ACME Office Supplies" or "Office Supply Warehouse." Often they'll contact you by e-mail, or even show up uninvited at your business. Even worse, they may just send your company an invoice for items that you never ordered and never received.
Make sure that all of your employees know which vendor supplies your office equipment
Be aware of the prices you usually pay for supplies
Follow up on any and all invoices that appear to be suspicious
The Nigerian Scam
A con artist will pose as an official representative of Nigeria or some other foreign country who is looking to launder millions of dollars into the United States. If a business owner passes along their bank account and routing numbers, they will be offered a percentage of the cash smuggled into the country. In reality, funds will exit your bank account rather than enter it.
Don't give your bank account information to anyone but a reputable business partner
Most importantly, use common sense when managing your business