Securing Financial Information

By Diane M. Calabrese / Published September 2019

Some of us learn about skimmers the hard way. We receive a fraud alert from our credit card issuer seeking verification of a plane ticket purchase in Dhaka, Bangladesh.

Having a credit card skimmed at the grocery store, gas station, or ATM is not a thing of the past. As skimmer-thwarting technology improves, skimmers change, so much so that the Northwest Community Credit Union in Oregon offers a 2019 guide to spotting skimmers at card entry slots complete with photos at www.nwcu.com/learn/how-spot-atm-skimmer.

Misalignment or unusual resistance to the card are two clues someone has tampered with a reader. But if you miss a skimmer, then a replica of a genuine card—pin extracted and all—may soon be in use in the community or across the world. It’s difficult for retailers to sort the real from the replica. Sellers can be left with a significant loss if a purchaser has a pilfered card.

CETA members were recently alerted to a pressure washer purchased with a stolen credit card. Even the best efforts to verify the identity of a purchaser and the integrity of a card can fail.

Daunting is the first word that comes to mind when we confront the task of securing financial information. Business owners have layered obligations on the security front given they must protect their company data, which includes customer data.

Begin the ongoing task by not overlooking the obvious. “Changing passwords multiple times a year is basic to security,” says Brenda Purswell, president of Alklean Industries Inc. in Pasadena, TX.

Be proactive whenever possible. “On all company credit cards, I require that I get a notice when cards are used to ensure charges are legitimate and not fraudulent,” says Purswell. “Financial documents are always sent via a secure site.”

There’s no way to overstate the importance of adopting the most robust security protocols possible. “Use strong security for your computers and data,” says Purswell, emphasizing ‘strong.’ “Ransomware is very dangerous and can wipe out your data, which is very costly.”

Seek and rely on expert help. “I depend on my IT contractor to protect us—he is a good source on how to best protect yourself,” says Purswell, noting that IT contractors should also be good sources of assistance in security matters.

Keep employees focused on security. They may not be handling financial information, but a lapse by one of them can provide an entryway for a malicious actor.

“Failing to update online passwords regularly will cause major problems,” says Roy G. Chappell, CEO of Chappell Supply and Equipment in Oklahoma City, OK. “You have to train key employees on how to communicate sensitive information.”

Chappell shares a good piece of advice he got from a financial expert and that he follows. It involves securing accounts used for wire transfers by not mixing incoming and outgoing funds.

“Using separate banking accounts to receive and send wire transfers enhances security,” explains Chappell. “You take out the funds as soon as they come in and wire funds out as soon as you put funds into the account.”

Individuals seeking to steal financial information, money, or products take a methodical approach, says Chappell. Stopping them requires a methodical approach to match theirs.

“People looking to help themselves to your money don’t just come in and do so,” explains Chappell. “They come into your store and look for your weaknesses. They may come in four or five times before they help you with a write-off due to theft. They look for your weakness and the employee who doesn’t follow the rules.”

The scenario Chappell describes in a real world setting also plays itself out in the digital world. An employee who does not follow the rules online often provides the access point for a hacker.

Never make it easy to access financial information. Generally, the more individuals who have access to the information, the weaker security becomes.

“There are a couple of things we try to do when protecting information,” says Chad Rasmussen, CFO of Royce Industries L.C. with corporate headquarters in West Jordan, UT. “One of them is that nothing generated by our accounting software or that has our logo can go in the garbage can. Everything is shredded.

“Another protocol to follow is to lock your data and only make it accessible to people who need to view it to do their job well,” continues Rasmussen. “This might be a physical lock on a filing cabinet or password protected folders on your server.”

Also, take a wide view. Not all threats to financial information come from individuals who would be thieves. There is also Mother Nature.

“Backing up data is overlooked too often,” says Rasmussen. “You never know when fire, flood, theft, or virus is going to cause you a huge headache. When disaster strikes, backups can save the day.”

What are good ways to back up data? “I recommend a combination of on-site and off-site automated backups,” says Rasmussen. “Doing so gives some flexibility when something goes wrong, and it gives you a place to start over. I would do multiple backups each day.”

Getting It Done

The Federal Communications Com-mission (FCC), the U.S. Department of Homeland Security (DHS), the U.S. Department of Commerce, and the Small Business Administration (SBA.gov) offer an abundance of free material, including training material, on how to secure financial information. It’s a natural bit of outreach: Small businesses account for almost half the private sector output in the country.

The stronger and more resilient businesses of all sizes are, the more easily healthy economic activity can be maintained. Disruptions to business through the theft of financial information cause ripples and waves that move the impact of the disruption well beyond its source.

The FCC document on Cyber-security for Small Business includes a “10 Tips” section (https://www.fcc.gov/general/cybersecurity-small-business). Make that ten excellent (our word) tips.

The first tip is to train employees in security principles. The training should be coupled with enforcement via penalties for violating a company’s cybersecurity policies.

No one reading these words could go wrong by taking the time to read and review the ten FCC tips (about one page with amplification) and verifying that each of the ten recommendations is in place. The second tip, for example, recommends setting antivirus software to run a scan after each software update.

There is a recurring theme that runs through the ten FCC tips: Restrict. Employees should not be able to access financial information from laptops carried in the field. They should not be able to add software without permission. Identity of a company’s wireless access point or router should be protected, and its network name (SSID, service set identifier) concealed. High-level security protection should be installed on any mobile device that can connect to a company’s system. That’s a short list.

Finally, the FCC suggests using authentication to achieve a higher level of security. It adds steps. In a short version, after a password is entered, an employee accessing a server from a remote location gets a call with a one-time code to enter to gain access to the system.

“Small Business Information Security: The Fundamentals” from the National Institute of Standards and Technology (at Commerce) is as thorough as it is readable (https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.7621r1.pdf). Take a look at the document’s table of contents (pages iii and iv) to get a quick refresher on points to consider when safeguarding information and working safely and securely.

Among the tips for protection that the NIST text offers (in addition to those cited from the FCC tips) are safe disposal of computers and electronic devices and encryption of sensitive information. Both NIST and FCC advise that personal and business activities not be conducted on the same device. Both recommend strong background checks of employees.

DHS provides a list of tip sheets and guides to protecting information that was produced by a variety of government entities. See list (and links) at the DHS ‘StopThinkConnect’ page (https://www.dhs.gov/publication/stopthinkconnect-small-business-resources).

The elements of securing financial information are as varied as the motives of those who try to steal it. Best, then, to forget about sorting out intent and stick to the fact that achieving security is a dynamic process.

The adage about building a better mouse trap and getting a smarter mouse still applies. The June 5, 2019, edition of The Wall Street Journal (WSJ) included a special section on the topic of cybersecurity. Among the alarming concerns detailed: quantum computing will enable machines to break current encryption, and image-recognition filters can be circumvented.

The special WSJ section also includes a debate by pro- and con- voices for the creation of a cabinet level department focused on cybersecurity. The need for better organization is the subject of the pro stance offered by Ted Schlein, a partner at Kleiner Perkins.

Agree or disagree regarding the worth of a new federal entity, we all must be better organized to do the most we can to avert loss of financial information (and other valuable data).

Update. Scan. Clean. Shred. Verify. Organize.