Three things to learn from the New York Fed hack

The hackers, whose "footprints" indicate they operated from outside of Bangladesh, transferred the money to casinos in the Philippines, according to the Reuters article.

 

The fact that large transfers were being requested by private entities, not other banks, finally raised red flags at the NY Fed and prevented the transfer of $850-$870 million.

 

But you operate a small business and don't have billions sitting around in bank vaults. Surely your company doesn't have to worry about a hack, right?

 

Wrong. A quick read of the Fed hack reveals several elements that hold true for your business as well:

 

As we reported recently, the days of getting an email from a Nigerian prince are gone — the kind of threats you are most likely to face, phishing, come from trusted sources that have been compromised, whether that's an email from your boss or your best customer. 

 

Most phishing hacks target employees, who unwittingly click on a suspect link, opening the door to thieves.

 

In this case, human error worked for the bank, since hackers made a typing error, misspelling Foundation as Fandation. This triggered a human to question what was going on and saved the Fed and the Bangladesh Bank almost a billion dollars.

 

Takeaway? Turn your biggest weakness into your front-line offense by training employees to question anything that looks off. 

 

According to a Bloomberg report, there is disagreement over whether the Fed followed procedures when it received the transfer orders. From their coverage: 

A Fed spokeswoman said instructions to make the payments from the central bank’s account followed protocol and were authenticated by the SWIFT codes system. There were no signs the Fed’s systems were hacked, she said.

A Bangladesh official said the Fed should’ve checked the payment orders with the central bank to ensure they were authentic, even if they used the correct SWIFT codes.

That one missing step in verification, checking with the central bank, cost both banks big time.

But before you get too judgmental, consider what might be missing in your process. Still using a fax machine? Do employees ever get impatient with encrypted email and just send something out to clients on an unsecured line? Do any of your employees use a wireless mouse or keyboard? 

The size of your business or your business' bank account is no indication of the number of attacks being directed your way. Often the most valuable thing you have to offer is the data residing in your files.

Consider that in 2015, almost 1 million new malware threats were released every day, according to CNN Money. 

The bottom line? Treat the possibility of a cybersecurity attack as an if, not when, scenario, and learn from the mistakes of others.