"It could mean that some owners aren't really familiar with these services, that they think they're too expensive or they don't know how to use them," says Di Gangi, executive vice president of small and mid-size enterprise banking at Bank of the West.
Through a recent survey of small business owners, Bank of the West found that a majority have no policies or best practices in place to protect them from cyber-risks associated with remote networking and e-mail and Internet vulnerabilities.
"In all instances, I suggest that small business owners do talk to their banks or other service providers and trusted advisors who can help them make informed decisions about steps that will make the most sense for their own business," Di Gangi says during an interview with Information Security Media Group [transcript below].
More than 1,600 business owners from across the country participated in the survey.
Too often, small business owners rely on their banking institutions for fraud detection and prevention instead of also monitoring their accounts themselves, says Pollino, Bank of the West's enterprise fraud prevention officer.
"Small business owners should really review the contracts they have in place," he says. "The consumer protections that are provided [by a banking institution] are usually different than the small business protections, and they need to know the difference."
During this interview, Di Gangi and Pollino discuss:
- The top fraud risks for small businesses;
- Why small businesses are not investing in anti-fraud systems for ACH transactions;
- How using Positive Pay can help small businesses prevent and detect fraud.
Di Gangi, executive vice president of small and mid-size enterprise banking at Bank of the West, joined the firm in 2008. Previously, she spent more than 22 years at Wells Fargo.
Pollino, senior vice president and enterprise fraud prevention officer, joined the bank in 2011. Previously, he served as manager of online fraud prevention strategy and analytics for Wells Fargo and as online risk officer for Washington Mutual. Pollino has written several books, including RSA Press: Wireless Security, The Hacker's Challenge Books 1, 2 and 3 and Hacking Exposed: Wireless.
Small Business, Consumer Survey
TRACY KITTEN: What was the purpose of conducting this study?
MICHELLE DI GANGI: At Bank of the West, we work with thousands of small business owners throughout our 19-state footprint. Through our close relationships with them, we've seen firsthand how devastating fraud can be on them. We wanted to take a deeper look into how they're protecting themselves, what their plans are over the coming months and years and how we can better help them moving forward.
KITTEN: How many businesses and consumers were included in this survey and where were they primarily located?
DI GANGI: It's a fairly extensive study. It was comprised of more than 1,600 business owners in total. We conducted more than 800 online interviews across the country through Harris Interactive, and then we also had our bankers meet with about 800 customers and other small business contacts throughout the entire 19-state footprint.
Top Fraud Concerns
KITTEN: Is financial fraud a concern for these companies that were surveyed?
DAVID POLLINO: Protecting yourself from financial fraud should be a concern for everyone, especially for small businesses. Some research that we have shows that small businesses are a target of fraud. According to a study by the ACFE, small businesses comprise the highest rate of fraud at 31.8 percent and also have the largest median loss. In our study, we saw that at 85 percent of small businesses, a principal was still responsible for fraud prevention, but over the next year only 22 percent of them plan to take additional action from what they're doing today. That concerns me as a fraud prevention professional.
KITTEN: What ranked the highest among the fraud concerns that were collected?
POLLINO: Interestingly enough, the majority of small businesses - 28 percent - cited credit card and debit card fraud. That was followed by viruses and malware at 23 percent, and then phishing and business identity theft at 11 percent. Interestingly, only six percent cited internal or employee fraud.
KITTEN: One in three small businesses does not use any type of fraud protection service, such as ACH Positive Pay or ACH block. What does this tell us?
DI GANGI: I think there are a few different things. It could mean that some owners aren't really familiar with these services - that they think they're too expensive or they don't know how to use them. In all instances, I suggest that small business owners do talk to their bank or other service providers and trusted advisors who can help them make informed decisions about steps that will make the most sense for their own business.
KITTEN: Ninety-four percent of the small business owners say they do plan to take advantage of online fraud prevention tools, such as antivirus security, firewall protection and online browsing protection. Do you think these businesses plan to rely on their banking institutions for these types of services?
POLLINO: We do not ask that question specifically, and we know that each small business has their own unique set of needs when it comes to these types of protections. The common advice that we give to our customers is they really should have professional help in ensuring that their security needs are up to what's appropriate for their business and that they stay up-to-date with operating system patches and also the security protections so they can remain protected.
KITTEN: More than half of the businesses that were surveyed say they have monetary protections built into their contracts or agreements with the banking institutions with which they work. Are small businesses leaning too much on these contract protections?
POLLINO: Small business owners should really review the contracts that they have in place to understand what protections are offered. Typically, the consumer protections are different from the protections that are offered to small businesses. I think that it's important for each of the small businesses to know how they're protected and how they need to partner with their institution to ensure they're doing the right things to protect themselves from fraud.
Lack of Written Policies
KITTEN: The survey also found that only two in five small business owners have written policies concerning remote networking, e-mail and Internet security procedures for their companies. Given what we know about remote access vulnerabilities, especially those at retailers, how concerning is this finding?
POLLINO: It's important for small businesses, regardless of what area we're talking about, that they document what the right thing to do is for their employees. If there's not documentation telling them what they should be doing, then it's left up to the employee's individual judgment, and they may not be doing what's responsible for the business. We've all seen a significant increase in the bring-your-own-device environments, whether it's home computers, tablets, or computers, and they also need to make sure that the right thing to do in those environments is going to make sure that the company is protected because in many cases the protections and the tools that individuals put on their computers will be different than what are on the business's computer. So it's important to document what they want their employees to do and then find a way to see to it that it takes place.
KITTEN: Are small businesses doing enough to protect themselves from insider threats?
POLLINO: We're glad to see that 95 percent of small business owners are taking some steps to protect themselves from fraud. Only 18 percent are utilizing dual control or controls that involve two people to be involved in a transaction. We know that in many cases small businesses play a number of roles. They wear a number of hats at the business. They need to make sure that they're documenting what the right thing to do is for their companies; they're utilizing these controls where it makes sense for their business; and if they only have a limited amount of time to spend on fraud prevention efforts, they're putting it in those areas that are most critical at protecting their business. We really believe that dual control is one of those areas that can help protect against internal fraud.
KITTEN: Is identity theft a concern for small businesses?
POLLINO: Small businesses have been targeted by cybercriminals specifically for identity theft or account takeover. We've seen that they've been identified by the criminals as a specific target, they've been spear-phished in some instances, and they really need to make sure that they're protecting themselves and their business's good name from fraud.
Small Business Trends
KITTEN: Would you say that the findings of this survey reflect trends that are impacting small businesses throughout the country?
DI GANGI: Small businesses are particularly susceptible to fraud, and they tend not to have a lot of resources to deal with it. That, coupled with our survey findings, found that they're very focused on things like cash management, succession planning and hiring, all really important priorities, but that the focus on fraud can take second seat to those concerns. These folks have a lot on their plate, and a lot of it falls onto the small business owner's shoulders.
Fortunately, there are precautions that they can take, and some of those things are fairly simple to execute upon. Things like even just checking account balances and account activity at least on a weekly basis, if not more often - ideally on a daily basis - can catch fraud activity early and really nip it in the bud. Then there's lots of products and services that can help as well. I think there are things that owners can do that are fairly easy to help them, even though they do have a lot on their plates and a lot to deal with.
KITTEN: What should banking institutions take away from these results?
DI GANGI: We all know that small businesses are such a critical part of what drives our economy, really the lifeblood of our country. As bankers, we work very closely with them and we're in a position to help advise and educate. I think we have an obligation to do that so that they can better protect themselves from the rising risk of fraud.
POLLINO: I also believe that financial institutions should view their customers as partners when it comes to securing their businesses. They should offer advice on what the right thing to do is and what the common scams are that are out there. Having a partnership and an ongoing dialogue with the customer is really going to be important for protecting everybody.