Cybercriminals are constantly evolving their tactics for defrauding businesses and tend to increase these efforts during times of public confusion and crisis, such as the world has experienced over the last 18 months.

In 2020, the FBI Internet Crime Complaint Center (IC3) fielded 791,790 complaints of suspected internet crime – more than double the number from 2019 – and reported losses exceeding $4.2 billion impacting businesses and individuals. The cybersecurity consulting firm CyberEdge also reported that last year more than 86% of organizations they surveyed weathered successful cyberattacks.

In this environment, companies need internal responses that are grounded in solid cybersecurity policies. But they must also go further, encompassing executive oversight, carefully crafted control procedures and the human resources needed to carry them out. Fortunately, there are many effective steps organizations can take to mitigate cybersecurity threats. Some of these best practices are discussed below.

Strategy 1: Document critical online banking processes for your company – and stick to them
To protect your company’s funds and individuals’ personally identifiable information, it’s important to carefully document the procedures your company uses for critical banking functions. These should specify who has access to the company’s accounts – with updates if these people change – and outline, in detail, steps to be taken if those people aren’t available.

Strategy 2: Protect against Business Email Compromises
Business Email Compromise (BEC) fraud is one of the most financially dangerous categories of phishing cybercrime and a massive threat to U.S. businesses. BEC criminals use emails to trick recipients into initiating a fraudulent financial transaction, often by impersonating a high-ranking executive or a vendor/supplier. Most often, BEC scams target employees, such as financial directors and accountants, who typically are authorized to initiate a wire transfer.

According to the FBI, phishers have stolen over 5.3 billion dollars in these scams. To protect your business against BECs:

  • Use the fewest number of dedicated computers necessary for critical online banking functions – and limit their use as feasible.
  • Don’t use email to store personally identifiable information.
  • Train all employees to avoid clicking URLs in suspicious emails or opening documents from unknown senders. Malicious emails usually have some telltale identifiers, like unusual grammar, spelling, punctuation, syntax errors and/or email addresses that you can’t identify. If there’s any doubt about the legitimacy of an email, the recipient should call the sender to verify before opening.
  • If someone on your team falls prey to a BEC crime involving your bank account or other financial information, immediately contact Western Alliance Bank or other institutions that might be involved.
  • Next, notify the FBI’s Internet Crime Complaint Center as soon as possible, ideally within 72 hours.

Strategy 3: Back up critical data regularly
Do this at least once a week or as often as it is applicable for your organization. Assign responsibility for this task to someone and keep at least two copies of backed up data in two different physical locations.

Strategy 4: Get the most out of the cybersecurity tools you already have in your systems
Maintain the tools that protect your computers and servers from viruses and malware and update them regularly.

Strategy 5: Take advantage of cybersecurity banking tools from the financial institutions you bank with
Western Alliance Bank is strongly focused on maintaining and supporting security practices that keep our clients’ information secure at all times – and we have services to help you identify and mitigate fraud, including positive pay, payee positive pay, reverse positive pay and ACH debit filter. Your relationship banker can tell you more if you have questions.

Strategy 6: Run tests on your own cybersecurity measures to make sure they’re working as they should
Investigate firms that can test your cyber controls with a service called penetration testing. These firms act as white hat hackers and will attempt to access your environment, and then report to you on its weaknesses. You can also find vendors that provide tools for phishing testing or phishing simulation. These vendors and tools can send your team emails that simulate a phishing attack. They will then report back to you with a list of employees who are prone to click on suspicious emails.

Strategy 7: Periodically review your cybersecurity processes
Review your critical banking processes and your cyber controls with all stakeholders to ensure they’re still relevant to your business and industry best practices. Make sure all levels of management and employees know their role in the process. Adjust the plan when you onboard or offboard vendors, suppliers or employees.

Strategy 8: Protect your personal and company iPhones
In addition to processes aimed at protecting your internal servers and systems, mobile security is an important component of comprehensive cybersecurity for businesses and individuals.

Here are some key measures impacting iPhones, specifically. Current models contain powerful features to increase device security and privacy, but not all are turned on by default. The following, focused on iPhone iOS 14, are the most important actions to take to configure iPhones for better security.

  • Create a unique PIN/passcode for your iPhone.
  • Use passphrases instead of simple passwords on your online accounts – and use a different, unique one for every single account.
  • Allow “Install iOS Updates” and other automatic updates to your iPhone.
  • Use the multi-factor authentication (MFA) features on your iPhone. Find these under Settings > Passwords and Security.
  • Review your app permissions: Understand what permissions you have given to apps on your phone and only keep those you know and trust. To review, go to Settings > Privacy and choose the appropriate category.

Other helpful protections for your iPhone

  • Enable Face ID biometrics in Settings > Face ID & Passcode.
  • Protect your iPhone from “juice jacking”: Use a USB data blocker (available on Amazon) when charging your phone with shared USB charging outlets, such as those at airports and other public places.
  • Before selling or trading in your iPhone, back up and then delete the data on it following Apple’s recommended procedure.
  • If your business allows employees to access company email and data using their personal phones, use a Mobile Device Manager.

While there is no one-size-fits-all solution for every business, the actions described here can go a long way toward helping any business increase data security and protect its data and assets.

View the webinar recording of the full presentation below or download the slides here.

 


Victor Vinogradov serves as the first-line Chief Information Security Officer for Western Alliance Bank. Previously, he was the bank’s Chief Security Officer for second-line management of cyber and fraud risk.