This information originally appeared in an article by Ken Tysiac in the MiCPA News in November 2014.
Although large companies tend to make the biggest headlines when they’re hit by data breaches, it’s a mistake to assume that hackers don’t target small businesses as well. Small business leaders can be lulled into a false sense of security by thinking hackers would rather attack large businesses, and leave themselves open to attack as a result.
Lack of resources can also be a problem for small businesses. They might employ just one IT professional – or use an outsourced provider – who is completely occupied by keeping the company’s machines running and has little time to devote to maintaining a secure environment.
The biggest issues contributing to breaches are:
- Weak passwords that are used repeatedly. One IT contractor set up a password of “Password1” for a client. Such passwords can be easy prey for hackers. Using the same password for multiple accounts is also a major problem.
- Phishing. Despite being trained not to do it, company employees are often tricked into clicking on emails that contain malware, a gateway that allows hackers into company networks.
- System vulnerabilities. Many company networks lack adequate firewalls and patches that keep hackers from stealing important information once they get inside.
Cyber-security breaches are on the rise. The total number of security incidents reported by respondents to a recent survey rose 48% from the previous year.
Finance leaders have an important role to play in cyber-security. One particular area that’s catching the attention of finance leaders is corporate account takeover schemes. In these schemes, hackers steal corporate bank account information rather than customer credit card numbers or personal data. The hackers then use the company account information to send wire transfers to themselves.
Regardless of the scheme, small businesses can take the following steps to protect themselves:
- Install proper network and work station controls. A technical person is needed to make sure firewalls are properly configured. Make sure current patches have been applied to anything and everything you own. Also determine that the most current anti-virus software is active on anything and everything you own at all times. It’s important to make sure that only the right people have access to your information.
- Establish a culture of security. Employees should use passwords that are complex, and the company should require passwords that expire. The company should also block access to certain sites in the name of security.
- Train employees. Everybody with access to company machines needs to understand why they can’t visit certain sites. They need to learn how to spot phishing emails, why employees should not click on these messages, and how one wrong click can result in a major breach.
- Monitor vendors. Companies need to ask whether vendors have access to company data and whether data is secure after being accessed or obtained by the vendor.
- Conduct periodic testing. Test at least yearly to identify vulnerabilities. Depending on the size and industry, some companies undergo more frequent testing.
Employee mobile devices represent an additional emerging threat to businesses. Because people don’t tend to think of them as computers, they don’t realize the need for anti-virus software. These devices need patches and updates, and are susceptible to malware.
Cyber-security risks appear to be increasing, with published reports of vulnerabilities that have not been exploited yet. Small businesses are especially at risk because they often don’t have the time or resources to stay current on the most recent developments.
As always, if you have questions about any of the information listed above, please feel free to contact us here at Mierendorf. We’re always happy to help!