Protecting your data is especially important during tax season, when sensitive information about your business and your employees is susceptible to attack by would-be identity thieves. Faux calls and emails from attackers posing as representatives of the IRS or even managers within your organization are commonplace and can lead to the theft of information from unsuspecting employees. Luckily, there are steps you can take to bolster your security during this time of increased vulnerability.
As Eric Cernak, U.S. cyber and privacy risk practice leader at Munich Re, noted, W-2 phishing attacks are just one popular method of thievery amongst digital ne'er-do-wells. Ransomware is also increasingly popular amongst hackers, he said. In a ransomware attack, hackers generally infiltrate a system and encrypt large swaths of a company's data. They then demand a payment in cryptocurrency, usually Bitcoin, in return for decrypting and returning the stolen data.
"These types of attacks can be costly for a (small business) in terms of productivity and dollars," Cernak said. "Additionally, with the current value of virtual currency, ransomware attacks are costing small businesses more and more in terms of real dollars, not to mention the interruption to their business income and cost to restore files should they decide not to pay the ransom."
While these types of attacks are particularly prevalent during tax season, cybersecurity is no seasonal game – it's a 24/7/365 defensive slog, said Adam Levin, chairman of data protection company IDT911, which is now known as CyberScout. He added that small businesses might feel as though they aren't a prime target because of their size, but that hackers often target small businesses to gain access to bigger companies they work with. As a result, every business large and small must remain vigilant.
"As a business you are a defender, and as a defender in the cyber world we live in, you have to get everything right," Levin said. "As an attacker, you just need to find one point of vulnerability that might only be open for a moment or two, but then you're in."
How to protect your business
It sounds scary, and indeed it is: a breach of your business's system could lead to a complete destabilization of your entire company and, in the worst case, its total failure. That's precisely why developing a culture of security, constant monitoring, testing for vulnerabilities, retesting and constantly adapting is so important. Hackers are always evolving and adopting new techniques, and businesses must do the same in order to adequately defend themselves.
"The first thing a business has to develop is a culture of security from the mailroom to the boardroom," Levin said. "That involves employee training, and a sense of employee responsibility for security."
While implementing secure systems and utilizing effective monitoring tools is a must, Levin said, humans are often the easiest vulnerability for hackers to exploit. Educating employees, then, is imperative.
"This has to be an almost daily event," Levin said. "The system is only as good as the weakest link, and humans tend to be the weakest link."
By keeping several best practices for security in mind, you can reduce the odds that your business becomes a victim of a cyberattack. Moreover, you can implement policies and technology to mitigate the damage of any successful attack, turning a potentially catastrophic event into nothing more than a minor irritation.
Based on our expert sources' insights, here are eight steps you can take to better secure your business data right now.
1. Secure your computers: Using up-to-date software and effective monitoring tools is essential to maintaining a secure browser. Ensure that software updates are installed promptly when available.
2. Use two-factor authentication: Multi-factor authentication is a key strategy to avoid falling victim to an attacker using stolen credentials. Oftentimes, two-factor authentication means the employee logging in will receive an additional authentication request, often via smartphone, to confirm their identity.
3. Avoid recycling passwords: Once you change a password, change it for good. Browsers often store passwords insecurely, and reusing a password increases the risk that a user's credentials will be compromised.
4. Train your employees: Create a culture of security. Make sure each employee understands where they fit in the big picture. Security is not just something for the IT department to worry about, but should rather be a team effort.
5. Always encrypt data: Encryption thwarts many would-be snoopers and hackers because they cannot access your encrypted data without the proper keys. Encryption and other services, like virtual private networks, are important aspects of protecting your information.
6. Back up data: You'll want to back up your data in case of a ransomware attack. However, it's important to note that the devices storing the backed-up data should not always be connected to your network. Otherwise, they could be compromised during an attack. If your system is attacked, you can wipe your hard drives and then download your backed-up data, avoiding a catastrophic incident.
7. Manage portable media: When employees use their own mobile devices on your company's network, it creates new opportunities for hackers. Mobile devices are also more likely to be lost or stolen outside of the workplace, further increasing the odds of security being compromised. If you're a BYOD workplace, ensure employees are conforming to your company's security protocols. Minimize mobile device use, or ensure all data stored on these devices is encrypted.
8. Destroy unnecessary information: Make sure you destroy any sensitive documents you no longer need. Hard copies of tax documents or financial information can be used to determine possible avenues of infiltrating your system. Any connected devices in your office should be secured and routinely cleared to ensure safety.