Protect the Privacy of Your Small Business

Stacey Shannon
5 min read · Mar 7, 2022
privacy and security

Computers have made our business processes efficient, transparent, and fast. The paperless revolution brought us lightning-fast communication, easily accessible, permanent records, and a whole new avenue of advertisement and customer outreach.

Of course, it’s not all peaches and cream.

If you’re a small business owner, chances are you’ve already been a victim of a cyber attack. Ponemon’s 2019 cyber security report says a whopping two-thirds of small businesses have been hit by hackers.

Hackers can harm a business in many different ways, including deleting its records or holding them for ransom, transferring funds from accounts, or just simply accessing privileged information and using it against the company. Companies that deal with their clients’ sensitive information put both parties at risk if they don’t have a good cyber security system.

In the era of remote work, when weeks and months can pass without any face-to-face communication between employees, email communication is indispensable. It is here where businesses are most vulnerable.

Maintaining privacy no longer means soundproofing your office. Employee training about phishing is paramount to keeping your business secure in the 21st century.

What is phishing and the different types of phishing

According to Purplesec’s list of cybersecurity statistics for 2019, 91% of data breaches are perpetrated through phishing emails.

Phishing is a form of social engineering. An unsuspecting individual is sent an innocent-enough-looking email. Inside it is a link. A single click on the dangerous link can put an entire operation in jeopardy.

There are many subgroups of phishing. Regular phishing sends out mass emails, hoping to catch at least one employee on the wrong foot. Spear phishing targets one particular individual. Whaling involves going after the big targets in an organization, such as a CEO or CTO.

A business email compromise is one of the most dangerous forms of phishing. The hackers use a spoofed (or even a compromised, real) email account of a high-level executive to send legitimate-looking requests to lower-level employees.

If the executive’s email address is john.smith@example.com, the hackers will change the address slightly, for example, johne.smith@example.com or johnsmith@exxample.com. An inattentive employee will receive a bogus invoice request from what looks like their boss’s email. They will transfer the funds directly to the attackers, and it might even take months to discover the fraud.
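The lookalike addresses above are exactly what a mail gateway or a simple inbox rule can flag before a human has to notice them. The following is an added example, not from the original article: it classifies a From: header as known, lookalike, or unknown by comparing it against a constructed directory of executive addresses (the directory, the edit-distance threshold, and the sample headers are assumptions for this illustration).

```python
import re
from email.utils import parseaddr

# Constructed directory of executives and the address each really sends from
# (assumed values for this example; a real deployment would load it from HR/IT data).
KNOWN_EXECUTIVES = {"john smith": "john.smith@example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squash(local_part: str) -> str:
    """Drop dots, dashes and underscores so 'john.smith' and 'johnsmith' compare equal."""
    return re.sub(r"[._-]", "", local_part)


def classify_sender(header_from: str, threshold: int = 2) -> str:
    """Classify a From: header as 'known', 'lookalike' or 'unknown'.

    'lookalike' means the address is within `threshold` edits of an executive's
    real address (local part or domain), or the display name claims to be an
    executive while the address does not match; both deserve a manual check.
    """
    name, addr = parseaddr(header_from)
    name, addr = name.strip().lower(), addr.lower()
    local, _, domain = addr.partition("@")
    for exec_name, real in KNOWN_EXECUTIVES.items():
        real_local, real_domain = real.split("@")
        if addr == real:
            return "known"
        if name == exec_name:
            return "lookalike"  # executive's display name on a different address
        if domain == real_domain and levenshtein(squash(local), squash(real_local)) <= threshold:
            return "lookalike"  # right domain, near-miss local part
        if domain != real_domain and levenshtein(domain, real_domain) <= threshold:
            return "lookalike"  # near-miss (typosquatted) domain
    return "unknown"


if __name__ == "__main__":
    for sample in ["John Smith <john.smith@example.com>", "johne.smith@example.com",
                   "johnsmith@exxample.com", "John Smith <ceo-office@mail-example.test>",
                   "jane.doe@example.com"]:
        print(f"{classify_sender(sample):9s} {sample}")
```

A "lookalike" verdict is a prompt to verify the request out of band, which is the same advice the checklist below gives for payment requests.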

Transferring funds is only one of the malicious things they can do. They may even postpone their attacks a few months in order to hide their point of entry. All of this warrants precautionary steps.

How to protect yourself against phishing

Education is key. Hiring a cyber security company to train your employees about internet safety is your best bet. They will teach you and your staff something along these lines:

  • Don’t share too much information on social media. Pet names, education facilities, family members, birthdays all help attackers answer security questions linked to your email account.
  • Always double-check unsolicited emails. An out-of-character email from a higher-up might spell disaster. Re-read the email address, any URL in the body, and check for spelling. Scammers use our eyes’ predictive reading to fool us.
  • Two-factor authentication is king.
  • Always be suspicious of urgency. Hackers often prey on our panic instincts and insist something must be done right away.
  • Always verify payment requests in person, especially ones that are not done frequently.
  • Never open attachments from emails you don’t recognize. Never download anything in an unfamiliar file format.
  • Never trust an email asking you to update your account information. Never give away your password to anyone.

Invest in security software

Phishers use spoofed emails to access your network. Still, they often need to implement some sort of script to do any kind of real damage.

Anti-malware software will protect you from malicious scripts phishers try to use against your network.

Security scans help determine the weak spots in your network before breaches even happen. A scan is mandatory after each computer update.

Firewalls help block outsiders from gaining access to sensitive information.

Protect your Wi-Fi network

A publicly available Wi-Fi network is an open invitation for bad actors to enter your cyberspace. A Wi-Fi network needs to be hidden, heavily regulated, encrypted, and password protected.

If an employee works from home, mandate the use of VPNs when handling business data in order to bury the trail of valuable information flow.

Have a good backup policy in case of a ransomware attack

A ransomware attack is one of the most common and malicious ways hackers can hurt a business.

After gaining access to your computer network, hackers start encrypting and locking you out of your files. They demand ransom in exchange for the key to decrypt your precious data.

There are only two ways of remedying a ransomware attack. One is paying the hackers, which is strongly discouraged by authorities. There is no guarantee the hackers will hold their end of the bargain, and it encourages them to continue their devious operation.

The other is ignoring them. The only real way to ignore them is to have multiple cloud backups of your most sensitive data. A regular backup policy will save you many headaches.

Cyber liability insurance

Seeing as a data breach is almost an inevitability, investing in good insurance will at least mitigate the financial damage your business will suffer from a digital attack.

Reach out to your insurer and ask about their insurance policies for phishing, ransomware, and all other types of data breaches.

Conclusion

Data is the new currency. Your business’s financial information could be compromised by a single click. Gambling with your clients’ personally identifiable information is no longer tolerated by authorities.

There are ways to protect your software to an acceptable degree. However, as long as there are human beings operating the hardware, they will always be the most vulnerable link.

Invest in employee education. An accountant who is aware of possible vectors of entry will be much less likely to download a financial report with an ‘.exe’ file extension.
