Cybercrime and small business: How to address evolving threats

“Who’d go after a business like mine?”

That’s a common misperception: that cyber thieves only go after big targets, such as Equifax Inc., the Pentagon or, yes, Target. Those massive data breaches might convince you that your company can escape notice.

Not true. Cybercriminals go after the firms that haven’t boosted their data defenses – and more than 70 percent of cyberattacks target small businesses, according to the National Cyber Security Alliance.

While cyber thieves still covet your bank account, banks utilize advanced fraud-protection systems to thwart them. So, criminals keep developing sophisticated ways to go after your data directly. They use social engineering – playing off an honest person’s trust – to trick you into sending them your hard-earned money or data.

Today’s hackers are not only information technology savvy, they’re also smart businesspeople. Cybercrime is their full-time job, and their business model is finding new ways to attack yours. Sometimes they penetrate your systems and wait for six months before they strike.

No wonder 60 percent of small and midsized businesses fail six months after a data breach, according to the National Cyber Security Alliance. The economic and reputational fallout can be even worse than the breach itself.

Cybersecurity isn’t an IT issue. It’s a business issue. And the cost of prevention is minimal compared to the cost of recovering from a cyber fraud event.

How can you plan ahead? As with any security issue, you need levels of mitigation.

At home, your doors may have a bolt lock, a chain and an electronic alarm system – three layers of protection. A burglar will skip your house and go where the back door is unlocked.

The same principle holds true for your business: The more levels of mitigation you prepare, the more likely a cybercriminal will look elsewhere.

Start by forming your own cyber awareness advisory council of key players:

Your IT manager, to make sure you have:

• An off-site, segregated network for your intellectual property and financial information

• A systematic process to back up files to that site

• A protocol for changing passwords regularly (keeping them somewhere safer than a desk drawer)

Your accountant, who can help review your internal controls and safeguards, especially determining who has – and needs – access to your banking and other important records

Your insurance agent, to provide liability coverage for a breach – not to mention business-interruption costs and recovery fees

Your lawyer, to make sure you report an attack according to disclosure laws

Your public relations adviser, who must be ready with an action plan to manage the blow to your business’s reputation

Your banker, who should know your plan and how it can dovetail with the bank’s own protections

You’ll also want to ensure your bank offers a positive pay service. It enables the bank to compare the checks you write against the data in its system. Most banks offer a form of positive pay. If yours doesn’t, that’s a red flag.

A successful Cyber Awareness Plan requires training, refresher courses and regular drills to keep employees up to speed on emerging threats. If a data breach occurs, you’ll all have a carefully thought-out and well-practiced plan.

With the advisers and resources at hand, you can take steps now to make your business more secure.

Laurance A. “Larry” Selnick is the director of treasury and payment solutions sales at Webster Bank.