Legendary bank robber Willie Sutton supposedly said that he robbed banks because that was where the money was. Many small business owners follow the same logic when it comes to computer system security.
They assume cybercriminals target only large corporations because they appear to have the most money. In reality, industry reports show organized criminal groups often target small businesses precisely because those firms present easier opportunities.
Experts estimate that one in five small businesses do not use antivirus software, about 60% do not encrypt wireless data, and roughly two-thirds lack a formal data security plan. Those gaps make small firms attractive targets, but there are practical steps owners can take to reduce risk.
Use two-factor authentication. Require more than a password for access to sensitive accounts. Combining something the user knows (a password) with a second factor such as a time-based numeric token reduces the risk that stolen credentials alone will allow account takeover.
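As an added illustration that is not part of the original article, the following Python shows how a time-based numeric token of the kind mentioned above is derived and checked on the server side (RFC 6238 TOTP over HMAC-SHA1). The secret is the RFC 6238 reference key used purely as a constructed demo value; the function names `totp` and `verify` are chosen here.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference key (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and stores it protected.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # length of one time step
DIGITS = 6          # digits shown to the user


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the code for the time step containing `unix_time` (HMAC-SHA1, RFC 6238)."""
    counter = max(0, unix_time) // step                  # whole steps since the Unix epoch
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter (RFC 4226)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)      # keep leading zeros


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side,
    to tolerate clock drift between the user's device and the server.
    hmac.compare_digest avoids leaking matching digits through timing."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("accepted:", verify(DEMO_SECRET, code, now))
```

A stolen password alone does not reproduce the code, because the attacker lacks the per-user secret and the code changes every step.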
Inoculate systems against banking Trojans such as the Clampi Trojan. These types of malware can sit on a computer and wait for a user to log in to a financial website, capture login credentials, and relay them to attackers or instruct the machine to send money to criminal-controlled accounts.
Be on guard against phishing e-mails and fake pop-up messages. Phishing messages impersonate legitimate businesses and ask recipients to verify or update information, often with a threat if they don’t comply. Clicking links can lead to convincing but fraudulent websites that harvest login and personal data.
Arrange for account alerts from your financial institutions. Ask banks and payment processors to notify you when they detect unusual activity on your business accounts so you can respond quickly to potential fraud.
Install firewalls and encryption. Use firewalls to block unauthorized access to servers and encrypt data sent over public networks. Intrusion-detection tools can also alert you to attempted break-ins.
Be cautious with e-mail attachments. Attachments from unknown senders can contain malware such as Trojans that steal credentials or corrupt systems; only open files from trusted sources and scan them first.
Limit employee access and manage departures. Deactivate accounts for former employees, restrict access so staff can only reach systems required for their jobs, and enforce sound accounting and transaction controls to reduce insider threats.
In addition to these safeguards, small businesses may want to consider purchasing computer fraud and employee theft insurance. Consider policies such as Fidelity (Crime) to protect against losses from internal and external theft.
Small retailers should also review available Retail Insurance options to ensure coverage addresses both physical and cyber risks specific to storefront operations.
One of our professional insurance agents can give advice on appropriate types and amounts of coverage — talk to an agent.
Frequently Asked Questions
How does two-factor authentication help protect my business?
Two-factor authentication adds a second proof of identity (like a one-time code) beyond a password, which makes it harder for attackers to access accounts with stolen credentials.
What is a banking Trojan and how can I reduce the risk?
Banking Trojans are malware that capture credentials and redirect transactions; keep systems patched, use reputable antivirus, and avoid opening unknown attachments to lower the risk.
What steps should I take if I detect unusual account activity?
Immediately notify your bank, change affected passwords, review recent transactions, and consider involving your insurer and IT professional to investigate and contain the issue.
Will insurance cover losses from employee theft or cyber fraud?
Many crime and cyber policies cover employee theft and certain cyber losses, but coverage varies, so review policy language and limits with an insurance professional.