Legendary bank robber Willie Sutton supposedly said that he robbed banks because that was where the money was. Many small business owners follow this logic when it comes to computer system security, believing cybercriminals target only large corporations. In fact, Eastern European criminal syndicates have targeted small businesses precisely because they allow themselves to become easy marks; small operators should not assume they are safe.
Experts estimate that one in five small businesses do not use antivirus software, 60% do not encrypt data on their wireless networks, and two-thirds lack a data security plan. This failure to take precautions makes a small business easy pickings for computer hackers. Small business owners in retail should review Retail Insurance options as part of an overall risk strategy.
Practical steps
- Use two-factor authentication. This requires the user to provide more than one form of authentication — typically something the user knows (a password) plus a randomly generated number from an electronic token or app. If the system receives the expected number, it authenticates the user.
- Inoculate systems against the Clampi banking Trojan and similar malware. Such malware can reside on a computer, wait for the user to log onto financial websites, capture log-in and password information, relay it to criminals, and instruct the machine to send money to accounts the criminals control.
- Be on guard against “phishing” e-mails and pop-up messages. These messages purport to be from legitimate businesses and ask the user to update or verify information, often with threats of negative consequences. Clicking the links can send users to convincing but bogus sites that collect personal information for identity theft; users should ignore or verify such messages directly with the institution.
- Arrange for financial institutions to alert the business owner if they spot unusual activity involving the firm’s accounts.
- Install firewalls and encryption technology to block uninvited visitors from uploading to or retrieving data from the firm’s servers and to protect data sent over public networks. Intrusion detection systems can inform the owner of attempts to hack the network.
- Be cautious about opening e-mail attachments, especially from unfamiliar senders. Attachments may contain viruses or Trojan horses that can steal login information and passwords or corrupt systems.
- Protect against intrusion by disgruntled former or current employees. Disable the accounts and credentials of former employees promptly, limit access so staff can reach only the systems related to their jobs, and implement sound accounting procedures (such as dual approval) for financial transactions.
In addition to these safeguards, small businesses may want to consider purchasing computer fraud and employee theft insurance. Policies such as Fidelity (Crime) can help protect the business against losses that still occur, and insurers often offer better pricing to businesses that take reasonable precautions.
Modern technology gives businesses unprecedented abilities, but it also presents significant risks. Every business owner should take practical steps to keep cybercriminals out and, when appropriate, ask an agent about coverage tailored to their needs.
Frequently Asked Questions
What is two-factor authentication and why does my business need it?
Two-factor authentication requires two different forms of verification (for example, a password plus a code from an app), making it much harder for attackers to access accounts even if a password is stolen.
How can I recognize a phishing email?
Phishing emails often ask for urgent action, request personal or financial information, contain unfamiliar links or attachments, and may have slight spelling or branding errors; verify requests by contacting the company directly.
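The cues listed here (urgency, requests for information, unfamiliar links, branding mismatches) can be checked mechanically before a message reaches a user. The Python below is an added example written for this page, not code from the article; it parses a constructed e-mail, flags pressure language, a display name that does not match the sender's domain, and links whose visible text names one site while the href points at another. The phrase list and the crude "last two labels" domain comparison are simplifications assumed for the example, and a real mail filter would combine many more signals.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed pressure phrases; a real filter would use a much larger, tuned list.
URGENCY_PHRASES = ("verify your account", "within 24 hours", "suspended", "immediately", "urgent")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels); ignores co.uk-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw_message: str) -> List[str]:
    """Return human-readable findings for a raw RFC 822 message with a text/html body."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    # 1. Display name claims one organisation, address belongs to another domain.
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', msg.get("From", ""))
    if m:
        display, addr = m.group(1).strip(), m.group(2)
        addr_domain = addr.rsplit("@", 1)[-1].lower()
        words = re.findall(r"[A-Za-z]{3,}", display)
        if words and not any(w.lower() in addr_domain for w in words):
            findings.append(f"display name '{display}' does not match sender domain {addr_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # 2. Pressure language that pushes the reader to act without checking.
    lower = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lower:
            findings.append(f"urgency language: '{phrase}'")

    # 3. Link text shows one domain while the href resolves to another.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"link text '{text}' actually points to {href_host}")
    return findings


# Constructed sample messages (no real organisations or domains).
PHISHING_SAMPLE = """From: "First Bank Security Team" <alerts@mail-verify.example>
To: owner@smallbiz.example
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you confirm your details.</p>
<p><a href="http://mail-verify.example/login">https://www.firstbank.example/login</a></p>
"""

LEGIT_SAMPLE = """From: "Acme Support" <support@acme.example>
To: owner@smallbiz.example
Subject: Your ticket
Content-Type: text/html; charset=utf-8

<p>Thanks for contacting us. Details are at <a href="https://acme.example/help">https://acme.example/help</a>.</p>
"""

if __name__ == "__main__":
    for line in analyze(PHISHING_SAMPLE):
        print("FLAG:", line)
    print("legit findings:", analyze(LEGIT_SAMPLE))
```

The link-text check is the most reliable of the three: a message that literally displays one bank's address while sending the reader elsewhere has no honest explanation, whereas urgency wording alone produces false positives on genuine notices.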
What does computer fraud or employee theft insurance typically cover?
These policies commonly cover losses from fraudulent transfers, unauthorized electronic fund transfers, and theft by employees, subject to policy terms, limits, and exclusions.