As a business owner, you have access to more data than most individuals, and that can make you a target for hackers and cybercriminals. Cybercrime can put you, your business relationships, employees, and reputation at risk. The following information can help you avoid what almost 50 percent of small businesses across the U.S. have already experienced — a cyberattack.
What’s new in cyber scams?
Hijacking an email account or email server to intercept wire transmissions and redirect payments has become a favorite tactic of cybercriminals. According to the FBI, the scam is known as BEC, or business email compromise, and it’s a global threat. How can you protect yourself?
- Verify changes in vendor payment locations. Confirm requests for fund transfers by phone with a trusted individual, if possible.
- Thoroughly check email addresses for accuracy. Watch for small changes that mimic legitimate addresses or hostnames (e.g., firstname.lastname@example.org versus email@example.com).
- Inspect the corporate email control panel for suspicious redirect rules. An unexplained redirect rule that sends incoming email from specific addresses to third-party systems could indicate a potential compromise.
- Never use the same password across multiple platforms.
- Use up-to-date anti-virus software that regularly scans your computer for malware. Malware should be immediately removed and all passwords changed. If you have any questions or doubts about an email you receive, contact your IT department.
Security dos and don’ts
Experts in online security agree that people are the weakest link in any security chain. Here are some security dos and don’ts that may help you and your employees prevent a cyberattack:
- Strengthen and regularly change passwords and security questions that provide access to account information.
- Train employees to avoid making critical cybersecurity mistakes, such as clicking on fraudulent links included in phishing scams. If they encounter something suspicious online, encourage them to report it.
- Limit access to personally identifiable information (PII) and protected health information (PHI). Only employees whose job responsibilities explicitly require access to PII and PHI should be granted it.
- Secure your computer and mobile devices using an updated operating system and the latest anti-spyware and anti-virus software.
- Pause before clicking that link! Are there typos, spelling errors, incorrect grammar, or oddly worded phrases in the message? Does the URL contain unfamiliar characters or misspellings? These are clues that a hacker might have written it.
- Don’t download software from the internet or click on internet links that launch websites or web ads, especially if the URLs don’t appear to come from a trusted source.
- Don’t respond to emails, open email attachments, or click links embedded in emails that include typos, spelling errors, incorrect grammar, or pop-up windows. Beware of suspicious subject lines and “urgent” calls to action. These are all telltale signs that an email might contain viruses or other malicious software.
- Don’t enter personal or financial information into web forms that don’t come from a trusted source.
- Don’t respond to the IRS by email or social media. The IRS does not initiate contact with taxpayers by email or social media. Any unexpected call from someone claiming to be from the IRS and threatening arrest for failure to pay is a scam.
Why cyber liability insurance may be your company’s best protection
Your current business insurance coverage may not include the range of expenses incurred by a cyberattack — from interruption of business operations and the need for customer notifications to comprehensive security upgrades and the effort required to restore your company’s damaged brand.
For these reasons, cyber liability insurance is well worth considering, as part of a broader information security plan and in tandem with your regular business insurance and employment liability policies. Key elements of any cyber liability insurance coverage should include:
- Coverage of all devices that might get lost or stolen
- Protection against hacking and viruses
- Liability for slanderous blog content
- Data corruption and/or theft
- Crisis management, including public relations and brand-rebuilding assistance
- Preventive and risk management policies
An effective policy can enable you to create strong firewall protection, craft appropriate social media practices, offer business interruption protection, and cover legal fees incurred by judgments or settlements. Contact an insurance representative to learn more about this type of coverage, or speak with an independent agent with experience in this area.
Despite everyone's best efforts, cybercriminals might still gain access to data through third parties. Paychex has a dedicated fraud call center, and we may be able to help you or your employees if you are victimized.