In light of recent warnings from the IRS about the significant increase of “phishing scams” and other cyberattacks, it is incumbent upon all businesses, large and small, to take a serious look at cybersecurity. While such threats may increase during tax season, business owners need to understand that they are always in the crosshairs of hackers and cybercriminals, and cybersecurity must be a part of your corporate culture all year long!
So-called “phishing attacks” remain the most common, as they are relatively simple to perpetrate and easy for victims to fall for.
In the typical phishing attack, the sender will attempt to trick you by sending a crafted message with malicious attachments, or links to malicious websites. Email is one of the most popular avenues for the attacker to use; however, phishing attempts have also succeeded over the telephone, with the goal of acquiring personal and financial information. Often an email will be “spoofed” by the cybercriminal and will appear to come from a name the receiver will recognize. In some of the most recently documented attacks, the spoofed email address belongs to someone in authority in the company, such as a CEO or CFO.
Cybercriminals are constantly working to find new ways to deceive and trick others into falling victim to phishing emails. Your company policy should be to always confirm activities such as requests for money or requests for confidential information through independent channels other than email.
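As an added illustration (not code from the article or from MBAF), the following Python script shows one way a mail filter could flag the executive-impersonation pattern described above: a From: display name that matches a known executive while the actual address or the Reply-To address points elsewhere, or a sender domain that merely looks like the company's. The company domain, the executive directory and the three sample messages are all constructed for this example.

```python
"""Flag messages whose From: display name impersonates a known executive.

Added illustration, not code from the article or from MBAF. The company
domain, the executive directory and the three sample messages below are
constructed for this example.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"  # constructed company domain
EXECUTIVES = {  # constructed directory: lower-cased display name -> real address
    "jane doe": "jane.doe@example-co.com",
    "john roe": "john.roe@example-co.com",
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _skeleton(domain: str) -> str:
    """Collapse common look-alike tricks so 'examp1e-co.com' compares equal to 'example-co.com'."""
    return (domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")
            .replace("-", "").replace(".", ""))


def check_sender(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means no impersonation signal."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # 1. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{display}' with address '{addr}' (expected {expected})")

    # 2. Replies would go somewhere other than the apparent sender's domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To '{reply_addr}' differs from From domain '{from_domain}'")

    # 3. Sender domain is a look-alike of the company domain.
    if (from_domain and from_domain != COMPANY_DOMAIN
            and _skeleton(from_domain) == _skeleton(COMPANY_DOMAIN)):
        findings.append(f"look-alike domain '{from_domain}' resembles '{COMPANY_DOMAIN}'")

    return findings


# Constructed sample messages (headers only; the bodies play no part in the checks).
LEGITIMATE = """From: "Jane Doe" <jane.doe@example-co.com>
To: accounts@example-co.com
Subject: Q1 figures

Attached as discussed.
"""

SPOOFED_NAME = """From: "Jane Doe" <jane.doe@webmail-host.example>
Reply-To: <payments-desk@another-host.example>
To: accounts@example-co.com
Subject: Urgent wire transfer

Please process today.
"""

LOOKALIKE_DOMAIN = """From: "John Roe" <john.roe@examp1e-co.com>
To: accounts@example-co.com
Subject: Updated vendor bank details

See attached.
"""

if __name__ == "__main__":
    for label, sample in [("legitimate", LEGITIMATE), ("spoofed name", SPOOFED_NAME),
                          ("look-alike domain", LOOKALIKE_DOMAIN)]:
        print(label, "->", check_sender(sample) or "no findings")
```

A check like this only raises a flag; the confirmation step the policy above calls for (a phone call or an in-person check through a channel the email did not supply) is still what decides whether a payment or data request is acted on.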
While phishing attacks are on the rise, they are not the only way you are at risk. Here are some tips to lessen your overall vulnerability to cyberattack.
Risk Assessment – In order to better protect your data, you must identify vulnerabilities and accurately evaluate risks. Risk assessment should include input from all critical departments handling vulnerable data: IT, Human Resources, and Operational Accounting. Forensic accounting should also figure into your risk assessment, to analyze your data for potential threats as well as compliance issues.
Upgrade Your Computers – Many smaller businesses may be running outdated or no-longer-supported operating systems or security software, due to budgetary issues. It does not pay to be “pennywise and pound foolish” when it comes to investing in the latest IT. Simply put, the older an OS is, the more vulnerable to hacks and breaches it is.
Training and Personnel – Cybersecurity must become part of your culture, and all employees and personnel need to take it seriously. You may need to periodically bring in outside consultants to train your people on how to recognize and avoid common phishing scams, viruses, malware, and ransomware. In fact, many recent studies have found that your biggest cybersecurity threat could be the actions or inactions of your own employees.
Create a Responsible Party – If you do not already have a responsible party in place, you should create a dedicated team or committee that is specifically responsible for addressing and mitigating your cybersecurity concerns and vulnerabilities. The committee should meet regularly to assess risks, review any past incidents, and improve both proactive and reactive countermeasures.
Cyber Insurance – Cyber-crime is rampant, and there is no guarantee of preventing an incident even if you are taking all of the appropriate steps to protect your organization. Since each state has different requirements when a breach occurs, compliance after an incident can be extremely costly. Most general business insurance does not include coverage for cyber-crimes, so it is important to reach out to your insurance agent to review your current policy and consider purchasing a separate cyber policy.
Practice and Drills – Once you have developed a cybersecurity plan, it is important to test and evaluate it through the use of drills and simulated attacks. These kinds of incident response exercises should indicate the strengths of your mitigation solutions, as well as expose weaknesses and gaps that need to be addressed throughout the organization.
What Action Should You Take Right Now?
The bottom line is, businesses can no longer take a “who would want to hack us?” approach, and must make cybersecurity a priority. Any company, large or small, for-profit or nonprofit, needs to understand that it is a target, and the threats are real. The IT and system specialists with MBAF can help you assess your risk and implement mitigation solutions compatible with your needs and budget.
Contributing author: Stefanie Lawless