Banking safely online

Online banking offers many benefits for SMEs, but don’t rely only on your bank’s security systems. Here’s a guide to DIY protection.


While personal banking has largely moved online, many smaller businesses still undertake some form of physical banking at a branch, usually to bank cheques received for payment of services.

However, the growing use of payment by credit card, BPay, PostbillPay, and even the simple online bank account transfer, means that manual cheque receipting and deposits are becoming less and less common.

Electronic banking saves time and money by: automating processes such as payroll and supplier payments; making transfers of funds between accounts easier; reducing transaction fees and other costs such as postage; allowing the movement of funds into a higher interest account and quickly transferring amounts when needed; providing more timely access to records rather than waiting for monthly statements; and providing the ability to download statements to accounting software.

But such efficiencies shouldn’t be at the cost of maintaining the security of the business’ banking process. It is essential for all businesses transferring manual tasks to electronic banking to look at the controls in place and at ways of transferring them, or their equivalent, to the new system being introduced.

The security steps taken under the traditional cheque payment/banking system include:

* Not pre-signing cheques.

* Crossing cheques as ‘not negotiable’.

* Putting cheques in the mail in a plain, not window-faced, envelope.

* Keeping the chequebook in a secure place.

* Always using a pen, not pencil.

* Having co-signatories in larger organisations.

* Not going to the bank at the same time every day.

So, in the past, making payments by cheque meant that only one or two people within the business, who were authorised signatories, could make the final payment. Businesses now using e-banking in place of cheques to make payments should only give e-banking password rights to those people who had cheque-signing rights.

Other checks and controls might not seem as easily transferable, particularly as the technology seems to change so rapidly.

Security Checklist

When electronic banking was first introduced to businesses, it was usually through bank-specific software being installed on the computer system. Many businesses still use this type of software to process payrolls and batch creditor payments. Transactions are entered, authorised, and sent direct to the bank via direct-modem connection, rather than over the internet. The security for this software is controlled by the software itself and the access for authorising transactions is provided to specific users by the bank.

Widespread use of the internet has broadened the means by which businesses can transact; not just with the bank, but also with their customers and suppliers. For example, credit card payments can now be processed via an internet site without the need for a terminal.


To make online business banking a safe experience, business owners can take a few simple steps:

Ensure the bank’s website is secure. Banks have a very high stake in making the online banking experience as safe as possible. After all, the more customers use online banking rather than branches, the lower their overheads. So they have spent a lot of time and money putting systems in place to make online banking secure.

A bank’s website should disclose the security methods it uses to protect customers’ data. Business owners should ensure their bank is using high-end encryption and that the user interface is a secure website. This means that the data being transferred over the internet is scrambled and only the intended receiver can use it. A secure banking site can normally be identified by a closed padlock icon in the bottom right-hand corner of the browser and “https://”, rather than “http://”, in the address bar.

Introduce multiple methods of authentication. Unfortunately, a secure website doesn’t rule out the possibility of online hackers intercepting passwords with a method called keystroke logging. This means that hackers can record the letters on the keyboard that are pressed when someone enters their password to access their banking system.

And so, many banks will also provide their business clients with a second layer of security. This additional security may be in the form of a series of passwords; two-factor authentication; or the use of digital certificates.

In its simplest form, a series of passwords makes it more time-consuming and more difficult for hackers, thus discouraging them. It is also possible to have two passwords so the security software uses random parts of each password at the start of an online session. This randomness provides an added dimension to the security.

Two-factor authentication commonly refers to a two-step login/authorisation process. For example, an electronic security ‘token’ is linked to an individual’s login ID and password. When activated, the token generates a one-off password, using a random algorithm, which is used as the second level of proof of identity.
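As an added illustration (not part of the original article, and not any bank's actual code), the sketch below shows how a token's one-off password can be generated and checked so that a code captured by a keystroke logger cannot be reused. The article does not say which algorithm a token uses; this example assumes the public HOTP/TOTP scheme (RFC 4226/6238), and the names `one_off_password`, `BankVerifier` and `demo` are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each one-off password stays valid (assumed value)

def one_off_password(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, truncated to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class BankVerifier:
    """Bank-side check: accepts each code once, within +/- `drift` time steps."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift
        self.last_used = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_used:
                continue  # this step's code was already spent: replay
            if hmac.compare_digest(one_off_password(self.secret, step), code):
                self.last_used = step
                return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"  # constructed sample seed (RFC 4226 test key)
    bank = BankVerifier(secret)
    code = one_off_password(secret, 59 // STEP)  # what the token shows at t=59s
    return {
        "code": code,
        "first_use": bank.verify(code, now=59),   # legitimate login
        "replay": bank.verify(code, now=60),      # same code re-entered a second later
        "stale": BankVerifier(secret).verify(code, now=150),  # unused but expired
    }

if __name__ == "__main__":
    print(demo())
```

The token and the bank share only the seed; the login ID and password remain the first factor and are checked separately.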

A digital certificate is attached to an electronic message and used to authenticate transactions on the internet. It is an electronic ID which verifies that the sender of a message, or bank transaction request, is who they claim to be, and provides the means by which transactions can be encrypted and decoded only by the issuers and applicants of the certificates.

Change passwords regularly. While the security measures provided by banks may help protect their online banking clients, there is still much more the individual can do.

Use the security features of the banking software. If it provides the capacity to change passwords on a regular basis, take advantage of this feature. It may seem like a painful exercise to be asked to change a password in the middle of authorising a transaction, but keep in mind that it will help ensure the security of transactions.

Don’t keep a record of login IDs and passwords on or near the computer. Also, while many people think having the same password for all login IDs will make them easier to remember, this can make it very easy for a hacker to attack more than one account. Even if not asked to, change passwords regularly. Those who must keep a record should hide it somewhere.

Also remember that if a cheque with forged signatures is paid by the bank, it is the bank’s responsibility, but if an e-banking password is used by someone who shouldn’t have known it, it’s the business owner’s responsibility. Passwords must be kept secret and, when staff leave, their banking authorities should be changed immediately.

Use and update antivirus and security software. Smaller businesses, and particularly those operating from a home environment, don’t have the luxury of a larger organisation’s IT infrastructure, which many employees (and often employers) take for granted. This is why many online banking attacks have been targeted towards home users and small businesses.

Make sure a computer is secure and that any business information is kept separate from other information on a shared computer. Install antivirus and security software on the computer, and keep it up to date. Back up business data and applications and keep the backups secure.


Be smart. The best protection is to be smart. The online world is no safer (or more dangerous) than the real world. Just as you wouldn’t give financial information to anyone on the street who asks for it, don’t give it to anyone who emails asking for it. This means not responding to any unsolicited email from banks asking for account details and, in particular, passwords. Even if the email seems legitimate, it’s worth phoning your bank to check. The cost of a phone call is a small price to pay.

Take responsibility. Ultimately, business owners should take responsibility for the security and safety of their banking processes. Take the time to understand the options and put in place security processes. For example, the Australian Government website www.staysmartonline.gov.au and the Internet Industry Association website www.security.iia.net.au have a number of resources on online security.

And, of course, sometimes there is no substitute for having that personal contact at the end of the phone with the bank’s client manager.

Common sense electronic banking controls:

* Two company officers to approve all payments/transfers.

* Secure passwords. They should be input without others observing, changed regularly, and never written down.

* Bank reconciliations completed by staff not involved in the payment functions, with bank statements reviewed independently.

* Security arrangements confirmed regularly with the bank.

* Bank authorities of terminated employees removed as soon as they depart.

* Carolyn Patman is a director in business services for accountants and business and financial advisers HLB Mann Judd Sydney.

Safety For Sellers

PayPal has introduced Seller Protection for Australian eBay sellers, meaning sellers no longer have to bear the costs of buyers reversing their payment because of an ‘item not received’ dispute.

“For the first time, Australian eBay sellers will have confidence in knowing they could be protected against losses they’re not responsible for,” says Andrew Pipolo, PayPal Australia managing director.

Sellers who’d like protection need to meet the eligibility criteria, including proof that the item was posted to the correct address.

“Although this type of problem is rare, this new level of protection provides greater confidence when selling on eBay with PayPal,” says Pipolo.

Do You Bpay?

Over the past 18 months Bpay has noticed an increase in SME billers, and is now developing an SME offering. While it is essentially the same service currently available through a bank’s internet site, it will have a simplified sign-up and evaluation process.

Here’s why some SMEs are turning to Bpay:

* Cash flow. Manually processed payments, or those in transit, can significantly reduce the cash position of a business. Bpay reduces the cost of administration and reconciliation, and eliminates costs associated with tracking dishonoured or returned payments.

* Cleared funds overnight. The proceeds of Bpay payments are deposited into the biller’s nominated account by financial institutions every business banking day—no dishonoured cheques or stopped payments.

* Fee structure. Payments are primarily flat fee transactions so there is no increase based on the amount being paid.

* Customer relations. Consumers can pay bills with a phone call or online.
