About 42 percent of small businesses reported being victims of cybercrime last year; the average take totaled $32,020, according to a December 2015 survey by the National Small Business Association.
When business owners are hit by cybercrime, they’re often surprised to learn that they don’t have the same legal protection that consumers have: Federal fraud regulations protect personal financial accounts, but not business accounts.
In light of this, all small business owners should consider accessing the Department of Homeland Security’s C³ Voluntary Program Small and Midsize Business Toolkit for vital resources to help their businesses recognize and address cybersecurity risks.
Here’s a closer look at some key steps you can take to keep your business secure.
1: Protect Your Network — Installing a firewall is a critical first step. A single hardware-based firewall can help protect the computers on your network.
Also, equip your computers, smartphones and other mobile devices with antivirus and anti-malware software. Back up critical data on all computers and servers daily. Restrict the use of removable media devices like DVDs and USB drives, and block access to social networking sites from company computers.
2: Strengthen Your Passwords — Every year, SplashData, a security software company, publishes a “worst passwords list.” And every year, “123456” and “password” are the most commonly used passwords on the list.
To keep your accounts secure, each should have a unique, strong password that has at least eight characters in a random collection of uppercase and lowercase letters, symbols and numbers. Change that password every two to three months.
You can keep track of all your passwords securely with a password manager, like Keeper Password or Dashlane, which installs on your computer as a browser plug-in. Many password managers will sync across all your devices, and some will generate new passwords for you.
3: Beware of Phishing — Phishing is the practice of sending emails that appear to be from a credible source with the goal of gaining access to sensitive data. The emails ask you to click on a link that sends you to a reputable-looking website, where you’re asked to update account information, or the link will install malware onto your computer.
Business Email Compromise (BEC) is a sophisticated scam that starts with phishing: Criminals target companies that work with foreign suppliers and/or regularly wire payments. The criminals research their victim’s website so that they can send authentic-seeming emails to get you to wire funds to a legitimate-seeming account — that of a supplier or business partner, for example. The funds actually go to a foreign bank account, most often to an Asian bank in China or Hong Kong, where they’re quickly transferred again. According to the FBI, BEC fraud has increased by 270 percent since January 2015.
To protect your business from phishing and BEC, be sure you and your employees scrutinize emails. Some fraudsters can actually hack into an executive’s email account, meaning a fraudulent email could be coming from a legitimate email address. In other circumstances, a fraudulent email may come from an address that looks very similar to that of an executive. For example, these addresses may be missing a letter, or may include an extra letter or hyphen. Never open an attachment or click on a link from an unknown sender, and delete any suspicious-looking emails.
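The lookalike addresses described above can be screened for automatically. The following is an added example, not code from the article or from Huntington: it compares the domain of an inbound sender address against a constructed list of trusted staff addresses and flags any domain that is within a couple of single-character edits (a dropped letter, an added letter, an inserted hyphen) of a real one. The trusted addresses, domain names and thresholds are all assumed for the example.

```python
# Added example (not from the article): flag From: addresses whose domain
# is a near-miss of a trusted domain, the missing-letter / extra-letter /
# extra-hyphen pattern the text describes.

# Constructed sample data: the business's own executive mailboxes.
TRUSTED_SENDERS = {
    "ceo@example-widgets.com",
    "cfo@example-widgets.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insertions,
    deletions and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(addr: str, trusted=TRUSTED_SENDERS, max_distance: int = 2) -> str:
    """Return one of 'trusted', 'internal-unlisted', 'lookalike' or 'external'.

    Lower-casing first means a capital I standing in for a lower-case l is
    caught as a one-character edit rather than slipping through.
    """
    addr = addr.strip().lower()
    if addr in trusted:
        return "trusted"
    domain = addr.rpartition("@")[2]
    trusted_domains = {t.rpartition("@")[2] for t in trusted}
    if domain in trusted_domains:
        # Genuine company domain but a mailbox not on the list: worth a
        # look, but not a typo-squat.
        return "internal-unlisted"
    for t_domain in trusted_domains:
        if edit_distance(domain, t_domain) <= max_distance:
            return "lookalike"
    return "external"


def triage(from_headers):
    """Classify a batch of From: header values; returns {address: verdict}."""
    return {h: classify_sender(h) for h in from_headers}


if __name__ == "__main__":
    # Constructed sample From: values covering each case.
    sample = [
        "CEO@Example-Widgets.com",        # same mailbox, different case
        "ceo@examplewidgets.com",         # hyphen dropped
        "ceo@example-widget.com",         # letter dropped
        "ceo@exampIe-widgets.com",        # capital I in place of l
        "sales@example-widgets.com",      # real domain, unlisted mailbox
        "orders@partner-parts.example",   # unrelated external sender
    ]
    for addr, verdict in triage(sample).items():
        print(f"{verdict:17} {addr}")
```

Anything marked "lookalike" should be held for a phone call to the executive on a number you already have, never one from the email. Note the limit the article itself points out: when a fraudster has taken over a real executive mailbox, the address is genuine and this check returns "trusted", which is why the dual-approval rule for wire transfers in step 4 still applies.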
4: Protect Checking and ACH Account Numbers — A criminal needs only an account number and a bank routing number to execute a fraud. Keep the numbers secure and identify fraudulent activity right away.
- When you order checks and deposit slips, require a signature upon receipt.
- Store checks securely.
- Verify routing and account numbers of outbound payments.
- Require dual approval on monetary transactions, as well as administrative changes.
- Reconcile your accounts daily.
5: Partner with Your Bank — Talk to your banker about programs and services that safeguard you from unauthorized transactions. For example, your business accounts should have two-factor authentication, which requires a username and password plus another method of identification, often an access code sent by text message.
Ask about fraud mitigation products such as check positive pay, teller positive pay, payee verification positive pay, reverse positive pay, check block and automated clearing house (ACH) positive pay. These provide filters and/or blocks, approval processes and information reporting that help you identify fraud quickly and reject the fraudulent item(s). While no such product is foolproof, these products are believed to reduce your risk of loss from fraud.
Finally, if you discover suspicious activity, contact your bank immediately. Stop all online activities and change your passwords. File a police report and note what happened and when. The sooner you identify a cybercrime, the more likely you are to minimize your losses.
The Huntington National Bank, Member FDIC