I'm responsible for holding corporate information security training at our company, and, considering the recent...
scourge of banking Trojans that started with the Zeus botnet and is still going strong, I'm wondering what you would recommend I tell them about online banking: Should it be allowed on the corporate network? Should I recommend our users just not bank online at all?
Zeus and other malware attacking online banking have been covered in many previous questions, but the question of if it should be allowed on the enterprise network is indeed an interesting one.
From the perspective of an organization and how the organization’s network is used for personal online banking, review your acceptable use policy for personal use restrictions to see if personal online banking is allowed, but ultimately it may be difficult to block personal online banking given the number of different potential methods to bypass proxies blocking Web access.
A better approach may be to educate users about the numerous online banking security issues that may result from careless or insecure use. Consider augmenting your security awareness training with information about the dangers of online banking to help your users understand the tradeoffs they are making by banking online; ultimately the convenience it offers does expose users to varying degrees of risk. The additional security risks to your enterprise’s systems from users conducting personal online banking are minimal if they are already allowed to browse the Web.
Your organization may be more concerned about using online banking for managing its financial accounts. The financial protections in place for online banking for businesses are not as strong as for consumer accounts. Many business online financial accounts do use two-factor authentication and other strong authentication mechanisms, but malware already targets many online financial accounts using strong authentication. You could block access to your organization’s online financial accounts from all except for secure, approved systems. This could potentially limit the risk to your online financial accounts from being abused while still providing authorized, convenient access to corporate online banking resources.
Dig Deeper on Security Awareness Training and Internal Threats
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.