Protect your business

Customers should perform a periodic risk assessment of your computing environment.

Commercial online banking customers should perform a periodic risk assessment and controls evaluation on their computing network environment. At minimum this should be done on an annual cycle.

• List the ways the business collects, uses, and stores customer and business information. Document how employees access customer and business information, including remotely.
• Identify how information can been compromised, stolen, or exploited. Include assessment of risk to customer information, as well as business proprietary information including intellectual capital.
• Document the controls that are in place to protect your computing network environment.
• Identify additional controls that are needed. Document whether each is an approved project, and if so, when it will be implemented, and if not approved, what is the status.
• Record any "security incidents" that occurred since the last risk assessment. Identify what happen, what the impact was, and what current controls were breached, if any, and/or what controls will be implemented to prevent repeat events.

Your employees can be the strongest or weakest link in your security plan. Follow our tips to help them become your strongest security allies.

You can install firewalls on every computer, update your software and backup your data, but if your employees don't follow good security practices, your business is vulnerable to a wide range of threats. Help them understand why you have a security policy and why they should take it seriously. The security of your business rests in their hands.

Employee Security: Find Your Weak Spots

It's important to include employees when you create or modify your security plan. They'll feel part of the process and be motivated to follow and enforce your policies. They may even identify vulnerabilities you're not aware of.

• List all the ways your business collects, uses and stores customer and business information.
• List and restrict who has access to customer and business information, and enforce a Clear Desk policy.
• Train everyone on your list to protect sensitive information. Reward employees who alert you to vulnerabilities.
• Keep employees updated on new risks and threats. Create a culture of security awareness.
• Before you hire new employees, conduct background checks on anyone who will have access to sensitive information.
• If your needs are complex, get expert help. Ask your IT department, industry peers or Chamber of Commerce.

Workplace Security: Keep Business Confidential

Simple steps every business should follow every day.

• Lock your laptop. Don't give thieves an open invitation to copy your files or steal your computer. Store it in a locked cabinet.
• Handle documents with care. Put them out of sight when you're away from your desk. At the end of the day, lock them away.
• Better shred than read. Don't let dumpster divers turn your trash into cash. Use a shredder or specially designed receptacles for business documents.
• Pick up your mail. Don't leave it in pick-up boxes overnight. Someone could be snooping while you're snoozing.
• Keep voicemail short. Avoid leaving detailed messages involving sensitive information. You never know who might be listening at the other end.

Computer Security: Teach them the basics

The following are the top cyber security practices from the National Cyber Security Alliance.

• Protect your personal information. Don't give it to anyone you don't trust, especially if the request is urgent.
• Know who you're dealing with. Don't open unsolicited emails. Don't open attachments from people you don't know. Don't click on pop-ups.
• Use anti-virus software. Anti-virus software is the best way to protect your computer against viruses, worms and Trojan horses. Keep it updated and scan regularly.
• Use a firewall. You should install a personal firewall on every computer and remote device to block Internet intruders.
• Use strong Passwords. Use a combination of upper and lower case letters, numbers and symbols. At least eight characters in length.
• Back up important files. Copy them onto a disk or flash drive and store them in a secure place in a different building. Just in case there's a fire, flood or other disaster.
• Learn what to do if something goes wrong. Scan for a virus. Report fraud to the appropriate authorities. Follow your security policy.

• Use antivirus software on all servers, desktops and laptops. Check for new virus definitions daily and scan your system weekly.
• Stay up to date with software and security patches.
• Use a firewall on every computer (check your software to see if it's built-in) and, as an additional line of defense, install a network firewall.
• Use a Password to prevent access when you're away from your computers.
• Use a virtual private network (VPN) over a wireless network to prevent hackers from intercepting your data.

Guidelines for Good Passwords

• Change default Passwords. (They're easily guessed and often exchanged in hacker chat rooms.)
• Use upper and lower case letters, numbers and symbols.
• Try abbreviating a phrase that's memorable only to you (include numbers and symbols).
• Use Passwords that are at least 8 characters long.
• Change Passwords at least every 90 days.
• Don't share your Passwords.

Threats to watch out for

Be aware of these emerging threats from cyber thieves.

• Hackers exploiting IM and text messaging to unleash viruses through backdoors in security software.
• Phishing emails that target a group of people within a company or organization. Often, they appear to come from someone in the HR department.
• Phishing attacks on cell phones and PDAs.
• New viruses that spread from phones to PCs through Bluetooth connections and mobile messaging services.
• Theft of PDA smart phones. Keep an eye on yours.
• Attacks on voice over IP (VoIP) systems. Criminals are exploiting security holes in this hastily deployed technology.

Your privacy policy is everyone's business. Let your customers know how you protect their data.

Building trust with your customers is good for your business. In fact, a recent study showed that a majority of consumers say they'd recommend a business if they were confident that business followed its security and privacy policies. Your customers want to know how their personal information will be used and protected. It's your responsibility to tell them.

Guard your customers' privacy

Creating a clear privacy notice is the first step in building customer trust. The following tips are recommended by the Better Business Bureau.

• Create a privacy policy statement that's easy to read and understand.
• Post your privacy policy statement on your web site.
• Tell consumers how they can opt-in or opt-out.
• Honor consumer requests not to transfer their information to third parties for marketing purposes.
• Use encryption whenever card or other sensitive data is transmitted.
• Restrict access to consumer data only to employees who need it.

Phishing: Get your company off the hook

A study commissioned by the Anti-phishing Working Group found that 90 percent of participants couldn't tell the difference between a legitimate website and a good knockoff. Why does phishing matter? Because it damages the trust customers have in your business. To protect your business' reputation, follow these tips:

• Let customers know you will never send email messages requesting personal information, Passwords, or User IDs.
• Tell customers how to verify whether a suspect communication is genuine.
• Provide an email address where customers can send spoof emails.
• Educate your employees about phishing. Help them recognize fraud.
• Monitor "bounced" email messages. A large number may indicate that a phishing attack is underway.

Follow these important steps to help limit damage and disruption to your business.

It's vital that you have a plan in place for dealing with security incidents so you can take immediate steps to limit damage and disruption to your business. Part of your plan should include backing up important files and software programs. It'll save you time, money and allow you to keep your business running while you resolve the problem.

Report Fraud

If fraud is associated with an HSBC account, call the number on your statement or visit the Report Fraud page for more information.

For non-HSBC fraud related to your business:

• Notify customers as soon as possible if their personal information has been exposed.
• Report theft to local law enforcement.
• Notify the national credit bureaus:
  Experian 888.397.3742
  Equifax 800.525.6285
  Trans Union 800.680.7289
• Notify other businesses that may be affected.
• Consult your attorney.

Recovering from Fraud

Take steps to secure your business systems and customer information.

• Check the system log to identify computers that have been compromised.
• Disconnect hacked or infected computers from the Internet and scan them with updated security software.
• Notify your Internet Service Provider (ISP) and, if possible, the hacker's ISP.
• Encourage your customers to monitor their credit reports and notify you if they suspect identity theft. They should also file a police report and contact one of the national credit bureaus.