Larry runs an import distributor that specializes in high-end balsamic vinegars, sherries, and olive oils from Spain, France, Italy, and Morocco. His customers are mostly restaurants and caterers in the Albuquerque metro. He has slowly grown his business in the last 19 years, and last year had $8 million in sales and $400,000 in profit.
Larry does no conventional marketing, relying on word-of-mouth and tastings with customers to drive sales. Customers personally know Larry or their sales rep, and Larry prides himself on the trust they’ve cultivated. They mostly pay him with checks; Larry does not accept credit cards.
Larry has 7 full-time employees: two sales reps, one office manager, two delivery drivers, and two warehouse workers. He also has a part-time accountant, and uses an IT company to support the computers, phones, website, and the onsite inventory system. He uses Trinet for HR benefits and Quickbooks Online for finance. The sales reps have laptops but mostly work from their cellphones. His office manager sends out invoices, answers the phone, and watches inventory, spending all her time on the computer. The delivery drivers have only phones, and the warehouse workers share a computer to print out pick lists and update inventory.
Most of Larry’s pain comes from his suppliers.
- Shipments are sometimes weeks late because of customs issues
- Product is sometimes spoiled or broken.
- Shipping insurance claims take about 50 hours to file and the most competitive rates come with a large deductible.
To address these, he consolidates his shipments into a couple every year, using a trusted distributor in Spain to stage and safely pack the products into a shipping container. To cover each shipment, he takes out a short-term loan, usually about $2 million. He pays each distillery and his shipper using a wire transfer.
Larry's Security Plan
Money: The biggest risk to Larry’s business is someone stealing his money. If someone drained the account within a couple weeks after he deposits a shipment loan, it would take him years to recover from a $2 million loss. There are two main possibilities:
- someone guesses or steals his online banking password, logs in as him, and sends themselves all the money in his account
- someone who knows his bank account number can pull the money out through an ACH transfer. The bank may notice it, but maybe not.
In either case, if no one catches the fraud within 3 days, the money is gone.
Secrets: While he does have billing information and phone numbers for his customers, that information isn’t really secret. It’s not worth his time to protect.
Reputation: Larry also has no public marketing or image that someone could steal or impersonate. All of his customers would call him if they suspected anything odd.
- Many people know the bank account number because they get paid with checks. Anyone who knows the account number could try an ACH transfer against it.
- If someone stole some money, no one may notice until it’s too late.
- If someone stole all the money, payments to vendors may bounce and cause frustration and time to fix the mess.
Larry chooses three fixes to make it harder for someone to drain his bank account.
- Use Transferwise to pay his international suppliers and sets it up to only allow payments to their bank accounts.
- Creates a second bank account to hold most of his loan money, and restrict it to only permit transfers to Transferwise and his existing bank account.
- Sets up automated texts to him, his accountant, and his office manager if a new payee is added to Transferwise or his new bank account. If that happens, they can quickly research and cancel any fraud. Also set up an automated text if the settings for automated texts are changed.
These changes might take 5 hours of Larry’s time, and conservatively 15 hours for his office manager. Once Larry has made these changes, it will be really hard for anyone to steal that $2 million.
- Almost no one knows the number for the new bank account, so ACH fraud is almost impossible.
- If anyone breaks into the online login to the new bank account or Transferwise, any attempts to steal money will alert three people.
- No change to the security of the old bank account. If someone drained it, Larry might still be out $101k and there would still be a big mess of bounced checks and angry vendors.
- If the office manager or Larry started to get fast and loose about adding new distilleries to Transferwise without first telling the others, they might get used to the alerts and ignore them in the case of real fraud. Larry could probably fix this most easily by following a predictable process for adding new distilleries – for instance, only Larry does it, and only on the 1st of a month between 10 AM and 2 PM.
Ideas for Later
Larry also notes that the following could help protect him, but are lower priorities:
- Larry and his office manager convert to password managers, lowering the risk of someone breaking into any of their accounts or falling for a phishing attempt.
Estimated cost: 10 hours to convert. Bonus time saved: 2 hours/week thereafter from not worrying about passwords anymore.
- Adding a second factor of authentication to Quickbooks, the password manager, and the online banking. This will lower the risk of someone breaking into those accounts.
Estimated cost: 2 hours, and the annoyance of needing his phone when logging into the bank account.
- Change Larry’s laptop to a Chromebook. This will make it much more difficult for him to get infected with a virus that could steal his banking password. Also immune to ransomware.
Estimated cost: $500 and the time it takes to learn it.
- Replace the inventory system with an online service. This would make that service immune to viruses and ransomware.
Estimated cost: could be a major project, and recurring monthly payments. Bonus cost savings: pay the IT company less because they don’t need to work on it anymore.