Small businesses might think they are too small to attract cybercrooks' attention, but they're increasingly wrong.
Case in point: in May, thieves needed only a few hours to drain $1.2 million from the bank account of a mannequin maker and importer, according to the Wall Street Journal.
The cybercrooks used online transactions to fraudulently transfer the money from the bank account of Lifestyle Forms & Displays Inc., a 100-employee company in Brooklyn, NY.
The mannequin maker's problems started when the head of finance couldn't get a routine online payment to a foreign vendor to go through.
Repeated attempts to log into the company's online banking site with the one-time password from its security token produced nothing but error messages.
The bank said the problem wasn't on its end. The three-person IT team at Lifestyle Forms & Displays suspected a virus, even though the anti-virus software was up to date - a reminder that current signatures are no guarantee against malware built to evade them.
By the next morning, after IT had cleaned up the computers, the company discovered that the thieves had wired the $1.2 million out in nine transactions of about $150,000 each, to three major U.S. banks and one Chinese bank, the WSJ reports.
CEO Lloyd Keilson tried to claw that money back.
He was partly successful: within five days, the company's bank, New York-based Signature Bank, managed to recover nearly $800,000 from two recipients of the stolen funds: Wells Fargo and J.P. Morgan Chase.
Keilson didn't have such luck with Bank of America and Agricultural Bank of China, the latter of which the WSJ couldn't even manage to reach for comment.
So Keilson set out to make a nuisance of himself: a productive strategy, as it turned out.
He worked his personal network, which got him through to the secretary of the CEO of one of the US banks.
Using such tactics, he recovered a total of about $1.04 million of the stolen money within 15 days of the robbery.
Keilson told the WSJ that he's now trying to figure out if his company's bank is legally responsible for making up the balance of the funds, which are now unaccounted for.
Signature Bank has denied that the security vulnerability was on its part, however.
If the bank is truly without blame, Mr Keilson can likely kiss those funds goodbye, unless the FBI and/or the New York Police succeed in tracking them down.
George Tubin, a senior security strategist for Trusteer Inc., a provider of cybercrime prevention technology, told the WSJ that courts don't often hold banks liable in cybercrime cases that involve security breaches of their customers' computers:
It comes down to what type of security a bank has in place to detect fraud and what the small business did for the hackers to be able to access its accounts. … As long as the bank provides commercially reasonable security, then the bank's not liable.
The WSJ reports that the theft is indicative of a growing trend wherein criminals are increasingly targeting small businesses.
That trend shows up in figures from Verizon, whose 2012 Data Breach Investigations Report [PDF] found that about 72% of the 855 data breaches it analyzed were at companies with 100 or fewer employees, up from 63% of the 761 breaches analyzed in the 2010 data set.
Since the theft, Keilson has instituted two important safeguards at Lifestyle Forms & Displays: 1) no outbound bank transactions go out without verbal clearance from an authorized company executive, and 2) a $1 million insurance policy, costing $13,000 a year, that covers losses from cyber fraud.
Good moves. The first puts a human, out-of-band check between the online-banking session and the money, so an attacker who has hijacked the finance team's computer can no longer push a transfer through on his own. As for the second, not many businesses, small or large, have realized what a good deal cybercrime damage insurance currently is.
At the SOURCE:Boston security conference in the spring, Jake Kouns, director of cyber security and technology risks underwriting for Markel Corporation, noted that most companies assume their general liability or professional liability insurance will cover them in the event of a cyber attack.
Most likely, it won't.
Sony, for one, found that out following its huge PlayStation Network breach.
Sony's insurer, Zurich American Insurance Co., contested any obligation to cover costs related to lawsuits filed over the breach, arguing that its policy only covered claims for bodily injury, property damage, or personal and advertising injury.
So, is $13,000 a lot for an insurance policy?
Think of the potential costs of a data breach:
- Lawsuits, including fines and penalties
- Transmission of malicious code to other networks
- Loss of the use of your network
- Cost to notify affected individuals
- Credit monitoring for customers
- Identity restoration services
- Security consultants
- Legal notices
- Restoration of system and data
- Extra expenses to remain functional, including new hardware and/or services
- Payment of extortion demands
- Lost time, lost monies, lost business
- Liability from defamatory content maliciously posted on your site, intensified by the search potential of the internet
That list is just for starters.
Is $13,000/year a lot to cover such costs?
Mr Keilson evidently thinks not. Perhaps other small businesses - and large ones too, for that matter - should follow his lead.
Lloyd Keilson image: Sarah E. Needleman/The Wall Street Journal.