Because businesses frequently have more account transactions, with higher dollar values, the FFIEC recognizes these as riskier transactions and has identified a steep rise in online account takeovers and unauthorized online fund transfers related to business accounts in the last five years.
Recently, small to medium-sized businesses have been primary targets, as cybercriminals have recognized that the security controls they have in place are not as robust as those of larger businesses. Analysis indicates that enhanced controls over administrative access and functions related to business accounts, together with layered security using multiple and independent controls, would help to reduce these types of crime.
FFIEC Guidance on Enhanced Controls for Businesses:
- Business customers should be encouraged to periodically perform a self-identified risk assessment to evaluate the effectiveness of the controls they have in place to minimize the risks of online transaction processing.
- The password, website, computer and network tips above provide a starting point for this process and the web resource links provide additional detailed information.
- Business customers should understand the security features of the software and websites they utilize and take advantage of these features. Segregation of duties—the process of separating duties so no one person can perform all steps of a transaction—is an example of a very important security feature.
- Layered security options that may be available to business customers doing online transactions include transaction thresholds, out-of-band verification (such as telephone or email verifications), fraud detection and monitoring systems, and IP reputation–based services.