It’s been said before and now it’s being said again, in spades: small businesses—banks’ best customers—do not protect themselves as much as they should against fraud.
Bank of the West, a $64 billion-asset financial institution based in San Francisco, recently surveyed 803 small business owners and found that, while 95% take steps to prevent fraud, only 18% use two-person controls.
There’s more: Less than half secure documents properly and 49% neglect to conduct regular checks of the business’ financial and inventory departments. While 61% of businesses have experienced payment fraud, only 33% use centralized payroll and approved vendors, and only 30% use fraud prevention services such as positive pay.
Not surprisingly, the research found that in general, when the owners have been victims themselves they are more likely to be extremely or very concerned about the potential for fraud (62% of victims vs. 45% of nonvictims).
Conversely, small business owners who have not been victims of fraud are:
- More likely to believe their payment collection accounts are not at all vulnerable to fraud (47% of nonvictims vs. 24% of victims).
- Less likely to take additional steps in the next year to prevent fraud (32% vs. 50%).
- Significantly more likely to perceive fraud risk as low (49% vs. 15%).
Why is all this important to banks? “Often, owners expect banks to protect their transactions. While banks play a large role in safeguarding businesses, businesses also have responsibility for taking steps that will counter these increasingly sophisticated security attacks and make themselves less vulnerable,” says David Pollino, fraud prevention officer and senior vice president at Bank of the West.
Other observers have noted the disconnect among businesses between recognizing the threat and doing something about it. PwC, in conjunction with CIO magazine and CSO magazine, did a global survey of 9,600 executives and found that the number of security incidents detected in the last year increased by 25% over the previous year. However, the number of respondents who do not even know how many incidents occurred has doubled over the past two years.
“The Global State of Information Security Survey 2014” found, for example, that while 47% of respondents use cloud computing, only 18% include provisions for cloud in their security policy. While most respondents have implemented traditional security safeguards, such as firewalls and encryption, they are less likely to have deployed tools that monitor data and networks to provide real-time intelligence about today’s risks.
“You can’t fight today’s threats with yesterday’s strategies,” says Gary Loveland, a PwC Advisory principal focused on cybersecurity. “What’s needed is a new model of information security, one that is driven by knowledge of threats, assets, and the motives and targets of potential adversaries.”
The main roadblocks to improving security are insufficient capital funding, a lack of vision on how future business needs will impact security, and a lack of leadership from the CEO or board, the survey concludes.
Which is all pretty surprising, given the analysis by LexisNexis of the “true cost” of fraud. That analysis finds not only that one in three victims of identity fraud choose to avoid specific merchants after falling victim, but also that, after accounting for chargebacks, fees, and interest, merchants incur a $279 loss for every $100 of fraud losses.
To be sure, the business community certainly deems all this to be of vital concern. The Security for Business Innovation Council argues in a new report that information security needs to become a cross-organizational function, with security functions embedded into business processes, and security teams working closely with business units on information risk management and cyber threat mitigation.
“For this transformation to be successful, security must be seen as a shared responsibility that requires active partnerships to manage the inherent risks to the business in the ever-evolving threat landscape. It is imperative that organizations can develop a security team with the right expertise needed to get the job done,” says Art Coviello, executive vice president, EMC, and executive chairman, RSA, The Security Division of EMC.
To help organizations build a state-of-the-art extended security team, the council drafted a set of seven recommendations:
- Redefine and strengthen core competencies—Focus the core team on increasing proficiencies in four main areas: cyber risk intelligence and security data analytics; security data management; risk consultancy; and controls design and assurance.
- Delegate routine operations—Allocate repeatable, well-established security processes to IT, business units, and/or external service providers.
- Borrow or rent experts—For particular specializations, augment the core team with experts from within and outside of the organization.
- Lead risk owners in risk management—Partner with the business in managing cybersecurity risks and coordinate a consistent approach. Make it easy for the business and hold them accountable.
- Hire process optimization specialists—Have people on the team with experience and certifications in quality, project or program management, process optimization, and service delivery.
- Build key relationships—Develop trust and influence with key players such as owners of the “crown jewels,” middle management, and outsourced service providers.
- Think out-of-the-box for future talent—Given the lack of readily available expertise, developing talent is the only true long-term solution for most organizations. Valuable backgrounds can include software development, business analysis, financial management, military intelligence, law, data privacy, data science, and complex statistical analysis.
All good advice bankers ought to somehow convey to their business customers.
Sources used for this story include: