Another easily preventable cyber heist on small business (SMB) was reported this week by Brian Krebs. Primary Systems Inc. had $180,000 stolen from their coffers after thieves compromised their online banking by adding 26 “new” employees to the payroll and transferring funds ranging from $5,000-$9,000 per individual.
In reading the article, I find it simply fascinating that so many processes and controls that should have been in place were simply overlooked, avoided or not understood at all. It made me immediately think of the sinking of the Titanic and how it wasn’t just one issue (an iceberg in the ocean), but rather a series of unfortunate and avoidable events.
For Primary Systems and their bank, St. Louis-based Enterprise Bank & Trust, there are some simple, clear lessons that all small business owners AND banks need to understand.
- Train employees to be aware of phishing attacks. The attacks started when a Primary Systems employee clicked on a malware-infected email.
- Confirm IT staff has up-to-date cybersecurity training. Primary Systems staff relied on firewalls and antivirus systems to protect their corporation — a basic first defense, but hardly a proper layered security effort.
- Ensure banks have implemented advanced transaction-monitoring systems and the ability to detect unusual account activity. Enterprise Bank & Trust should have had systems that:
  - Realized adding 26 new employees to the payroll, and executing a transaction in the middle of a Tuesday night, was not a typical transaction for Primary Systems (they execute payroll on Fridays)
  - Flagged virtually every one of the new employees who had different out-of-state addresses; all Primary Systems employees were located in-state
- Inquire about a bank’s audit status with the FFIEC compliance standards. Enterprise Bank & Trust allows customers to transfer up to $200,000 with only a username and password as the security control. This seems to fly in the face of both the 2011 AND 2007 FFIEC guidance for online banking.
- Take advantage of positive pay or dual security controls offered by your bank. Unfortunately, Primary Systems declined to use the service offered by their bank.
- Understand your financial risk and liability as a small-business owner. Primary Systems assumed they were covered by EFTA Regulation E, under which banks are liable for losses due to fraud. Unfortunately, Reg. E only covers retail customers.
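The transaction-monitoring checks described above (off-schedule payroll, a burst of new payees, out-of-state addresses), as an added example that is not code from the post, the bank or Primary Systems: a small Python scorer run over a constructed payroll batch. The customer profile, payee names, amounts and timestamps are all assumptions.

```python
from datetime import datetime

# Constructed customer baseline, modelled on the facts in the post:
# payroll normally runs on Friday and every employee is in one state.
CUSTOMER_PROFILE = {
    "known_payees": {"A. Smith", "B. Jones", "C. Lee"},  # assumed roster
    "home_state": "MO",                                   # assumed
    "payroll_weekday": 4,          # Monday=0 ... Friday=4
    "business_hours": (8, 18),     # local clock, 24h
    "new_payee_threshold": 3,      # more unknown payees than this in one batch is unusual
}

def score_payroll_batch(batch, submitted_at, profile):
    """Return a list of alert strings for one payroll batch.

    batch: list of {"name", "state", "amount"} dicts, one per payee.
    submitted_at: datetime when the batch was submitted.
    Each rule mirrors one check the post says the bank should have had.
    """
    alerts = []
    if submitted_at.weekday() != profile["payroll_weekday"]:
        alerts.append("off-schedule: payroll submitted on weekday %d" % submitted_at.weekday())
    start, end = profile["business_hours"]
    if not start <= submitted_at.hour < end:
        alerts.append("off-hours: submitted at %02d:%02d" % (submitted_at.hour, submitted_at.minute))
    new_payees = [p for p in batch if p["name"] not in profile["known_payees"]]
    if len(new_payees) > profile["new_payee_threshold"]:
        alerts.append("new payees: %d unknown payees in one batch" % len(new_payees))
    for p in batch:
        if p["state"] != profile["home_state"]:
            alerts.append("out-of-state: %s paid in %s" % (p["name"], p["state"]))
    return alerts

def requires_hold(alerts):
    """Hold the batch for out-of-band confirmation once two or more rules fire."""
    return len(alerts) >= 2

# Constructed samples: a routine Friday-morning batch to the known roster, and a
# Tuesday-night batch adding 26 unknown out-of-state payees at $5,000-$8,750 each.
NORMAL_BATCH = [{"name": n, "state": "MO", "amount": 2400.0} for n in sorted(CUSTOMER_PROFILE["known_payees"])]
NORMAL_TIME = datetime(2012, 5, 18, 10, 0)    # a Friday, assumed
FRAUD_BATCH = [{"name": "Payee %02d" % i, "state": "CA", "amount": 5000.0 + 150 * i} for i in range(26)]
FRAUD_TIME = datetime(2012, 5, 15, 23, 30)    # a Tuesday night, assumed

if __name__ == "__main__":
    for label, batch, when in (("normal", NORMAL_BATCH, NORMAL_TIME), ("suspect", FRAUD_BATCH, FRAUD_TIME)):
        found = score_payroll_batch(batch, when, CUSTOMER_PROFILE)
        print(label, "hold" if requires_hold(found) else "release", found[:4])
```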
While I know that small-business owners wear many hats and are pulled in many directions, I hope they can take 15 minutes to do a little “homework” and benefit from the lesson Primary Systems learned the hard way.