I'm responsible for holding corporate information security training at our company, and, considering the recent
scourge of banking Trojans that started with the Zeus botnet and is still going strong, I'm wondering what you would recommend I tell them about online banking: Should it be allowed on the corporate network? Should I recommend our users just not bank online at all?
Zeus and other malware attacking online banking have been covered in many previous questions, but the question of if it should be allowed on the enterprise network is indeed an interesting one.
From the perspective of an organization and how the organization’s network is used for personal online banking, review your acceptable use policy for personal use restrictions to see if personal online banking is allowed, but ultimately it may be difficult to block personal online banking given the number of different potential methods to bypass proxies blocking Web access.
A better approach may be to educate users about the numerous online banking security issues that may result from careless or insecure use. Consider augmenting your security awareness training with information about the dangers of online banking to help your users understand the tradeoffs they are making by banking online; ultimately the convenience it offers does expose users to varying degrees of risk. The additional security risks to your enterprise’s systems from users conducting personal online banking are minimal if they are already allowed to browse the Web.
Your organization may be more concerned about using online banking for managing its financial accounts. The financial protections in place for online banking for businesses are not as strong as for consumer accounts. Many business online financial accounts do use two-factor authentication and other strong authentication mechanisms, but malware already targets many online financial accounts using strong authentication. You could block access to your organization’s online financial accounts from all except for secure, approved systems. This could potentially limit the risk to your online financial accounts from being abused while still providing authorized, convenient access to corporate online banking resources.
Dig deeper on Security Awareness Training and Internal Threats
Related Q&A from Nick Lewis, Enterprise Threats
Expert Nick Lewis explains how to avoid a detrimental VPN bypass flaw that allows malicious apps to infiltrate Android devices.continue reading
Expert Nick Lewis explains how to keep call center employees from getting duped by social engineering scams and pretexting.continue reading
Researchers reportedly succeeded in extracting decryption keys using sound-based attacks. Is this a threat enterprises should worry about?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.