Preventing Cybercrime

Legendary bank robber Willie Sutton supposedly said that he robbed banks because that was where the money was. Many small business owners follow this logic when it comes to computer system security, believing that cybercriminals target only large corporations. That assumption is misleading: organized criminal groups and fraudsters often target small firms because they are easier marks.

Experts estimate that one in five small businesses do not use antivirus software, 60% do not encrypt data on their wireless networks, and two-thirds lack a data security plan. Those gaps make small firms attractive to attackers who look for weak or unprotected systems.

There are several practical steps business owners can take to reduce risk and limit losses. In addition to technical safeguards, small businesses may want to consider purchasing computer fraud and employee theft coverage, including policies such as Fidelity (Crime), to help recover losses that still occur.

Protection steps

  • Use two-factor authentication. Require users to provide more than a password — for example, a password plus a regularly changing numeric token or an authenticator app — so stolen passwords alone cannot give attackers access.
  • Watch for banking Trojans and malware. Some malware waits for users to visit financial sites and then captures login credentials or redirects transfers; keep systems and endpoint protection updated to reduce this risk.
  • Be on guard against phishing e‑mails and pop-ups. Messages that ask you to “verify” or “update” account details can be fraudulent; instruct staff to ignore links in unexpected messages and verify requests by contacting the company directly.
  • Arrange alerts from your bank. Ask financial institutions to notify you of unusual or large transactions so you can respond quickly to suspicious activity.
  • Install firewalls, encryption, and intrusion detection. Block uninvited access to servers, encrypt data on public networks, and use monitoring tools to detect hacking attempts.
  • Be cautious with e-mail attachments. Do not open attachments from unknown senders; attachments can carry viruses or Trojans that steal credentials or corrupt systems.
  • Limit insider risk. Deactivate credentials for former employees, restrict system access to those who need it, and use sound accounting controls for financial transactions.

Small retailers and storefront businesses should pay special attention to point-of-sale security and employee controls; resources for retail firms are available, for example, through Retail Insurance.

Technology reduces friction for customers and staff, but it also introduces risk. Talk with your IT provider about basic hardening steps and consider layered defenses rather than relying on a single control.

One of our professional insurance agents can help you evaluate coverage options and limits; you can talk to an agent to review your needs and the protections that make sense for your firm.

Frequently Asked Questions

What is two-factor authentication?

Two-factor authentication requires two types of proof to log in, typically something you know (a password) and something you have (a code from a token or authenticator app), which makes unauthorized access harder.

How can I recognize phishing e-mails?

Phishing messages often urge immediate action, contain misspellings, or use suspicious sender addresses; verify requests through a separate known contact method rather than clicking links.

Should my small business buy computer fraud insurance?

Insurance can help cover losses from cybercrime and employee theft; consider policies that match your business size and exposures and ask an agent about available options.

How do I protect customer payment data?

Use encrypted connections, secure payment processors, limit who can access payment systems, and follow industry best practices such as PCI guidance where applicable.
