5 Tips for Protecting Your Business From Data Breaches & Fraud
Organizations of all sizes face an increasingly threat-laden security landscape. But while business leaders are growing more aware of the potential for data breaches and other incidents to undermine their success, many are losing confidence[1] in their ability to understand, assess, and measure cyber threats.
For small- to medium-sized companies, a lack of preparedness to prevent cyber attacks can have a devastating impact.
Not only are the costs of a data breach higher[2] for small companies relative to their size – averaging around $3,533[2] per employee for organizations with between 500 and 1,000 employees – but their risk of experiencing one is often greater, given the smaller budgets they have for cybersecurity. 43%[3] of data breaches occurred at small businesses last year.
Maintaining strong cybersecurity is key to protecting sensitive information and, more importantly, maintaining customers’ trust in your company. Adhering to the following best practices as part of your overall security policy is key.
1. Be Diligent About Both the Opportunistic & the Strategic
Employee security training at smaller organizations sometimes centers on avoiding so-called “opportunistic” security threats – like not clicking links in the kinds of “spray-and-pray” spam emails that used to be commonplace. More diligence is needed, however, to understand and prevent the effects of more sophisticated, targeted attacks on your most valuable personnel.
Financial social engineering attacks are on the rise, and C-level executives are 12 times more likely[3] to be the target of security incidents than other employees. The ‘Vendor Email Compromise’ attacks that get them are often months in the making: cybercriminals may use an opportunistic email, for example, to get a low-level employee’s click, then use the resulting access to company information to determine which leaders to target and what tactics could fool them – like sending the CFO or controller ‘spoof’ invoices that appear to come from an existing vendor, or requesting sales records from a revenue officer using an email address that only looks internal.
Companies need to address the full threat landscape by recognizing how these opportunistic and strategic threats play off each other, and educating employees at all levels with differing training depending on the attacks they’re most susceptible to.
2. Slow Down to Focus on Validation
In the invoice example above, considerations of speed add to the severity of the threat. Imagine if the vendor-company relationship had involved a time-sensitive offer, for example, or was related to an expiring contract around a partner deal. If so, the need to pay it may seem immediate – and wiring the funds may make them permanently irretrievable.
Racing for straight-through processing (and soon enough, real-time payments) creates security vulnerabilities. Confirming changes before acting on payment requests or instructions is always warranted, and most especially when wire transfers are involved: cybercriminals are growing more confident that businesses don’t validate them with significant attention. Adding verification steps to your internal processes is therefore hugely important to your security strategy.
Wire transfers are not the only payment method requiring diligence, either. While criminals have significantly increased fraud attempts on wire transfers in recent years, check fraud remains the most commonly targeted payment vehicle – affecting a full 70%[4] of organizations that experienced fraud last year.
ACH and commercial card fraud are rapidly growing as well, so verification processes should be added wherever instant payment actions are taken. Internal requests also require scrutiny. Whenever sensitive customer or organizational information is on the line, employees should, at minimum, take a second look at email signatures and make a phone call to verify any unexpected ask.
3. Use Emerging Tools Cautiously
Security threats often lie in emerging products, services, or business opportunities. As a small-to-medium-sized company grows or expands, the choices it makes on what to offer customers and employees (and how) can add to its vulnerabilities.
We recommend using corporate cards for the way in which they can extend your working capital, as well as the way they help reduce risk compared to checks. But it is still important to monitor their activity and be aware of potential threats, just as with any other payment method you use, as they could pose threats your organization may not have considered. Not only do receipts for expenses tend to pile up internally – allowing illegitimate expenses or unwarranted use to go unnoticed for long periods – but card-specific features may also be exploited for illicit gains: enabling international use options, for example, can make it possible for cybercriminals to use corporate cards in hard-to-spot online scams overseas.
When it comes to new technologies, organizations should also be careful to understand the security provisions, and potential gaps, of the solutions they utilize from service providers.
Public cloud storage technologies, for example, come with extensive protections that are sufficient for most internal and customer data. Still, by stealing the credentials of privileged users, attackers may be able to compromise a cloud environment (and around half of organizations recognize[5] they don’t have a security strategy in place that could always prevent that from happening).
4. Watch Mobile-Device Use & Network Access Carefully
The tools and processes your teams use every day are a part of their routine, and those routines are what criminals monitor to find and exploit opportunities. Research shows, for example, that individuals are more susceptible[6] to social engineering attacks they receive on mobile devices.
Partly, that’s because of the distracting contexts in which we use mobile phones (while walking, talking, driving, or doing other activities) and the restrictions or nuances of what mobile applications tend to reveal on-screen – like showing an email sender’s name but not their full address. The response-driven nature of mobile design adds to the susceptibility as well, because it encourages taking on-the-go action instead of slowing down for verification.
The more diligent your organization can be about understanding mobile device behavior (and/or minimizing device use) internally, the more likely you are to avoid incidents.
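The two weaknesses described above – an address that only looks internal (tip 1) and a mobile client that shows a sender’s display name but hides the address (tip 4) – can both be caught by a simple inbound-mail check on the mail gateway or in a ticketing workflow. The following Python example is added here and is not code from the article or from First Midwest Bank; the internal domain, vendor domain, people and message headers are all constructed for illustration, and it goes slightly beyond the text by also checking the Reply-To header, which is a common place for a mismatched address to hide.

```python
"""Display-name and lookalike-domain checks on inbound mail headers.

Added example, not part of the original article. Every domain, name and
header below is constructed for illustration.
"""
from email.utils import parseaddr

# Assumed (constructed) trust anchors: your own domain plus vendors you pay.
INTERNAL_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "acme-vendor.com"}

# Display names that legitimately appear on mail, mapped to the domain they
# should come from (lower-cased). Constructed for the example.
KNOWN_SENDERS = {
    "dana reyes": INTERNAL_DOMAIN,      # e.g. the CFO
    "acme billing": "acme-vendor.com",  # an existing vendor's AP mailbox
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, single-row variant)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this domain imitates (within 2 edits), or None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(from_header: str, reply_to_header: str = "") -> list:
    """Return a list of human-readable findings; an empty list means no issue."""
    name, addr = parseaddr(from_header)
    domain = _domain(addr)
    findings = []

    # 1. A familiar display name arriving from an unexpected domain.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display name '{name}' expected from {expected}, "
                        f"got {domain or 'no address'}")

    # 2. The From domain is a near-miss of a domain we trust.
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"From domain {domain} resembles trusted domain {imitated}")

    # 3. Reply-To points somewhere other than the From domain (or a lookalike).
    if reply_to_header:
        reply_domain = _domain(parseaddr(reply_to_header)[1])
        if reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
        imitated = lookalike_of(reply_domain)
        if imitated:
            findings.append(f"Reply-To domain {reply_domain} resembles trusted domain {imitated}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three suspicious.
    samples = [
        ("Dana Reyes <dana.reyes@example-corp.com>", ""),
        ("Dana Reyes <dana.reyes@gmail-example.com>", ""),
        ("Acme Billing <billing@acme-vendor.co>", ""),
        ("Accounts Payable <ap@example-corp.com>", "ap@exarnple-corp.com"),
    ]
    for frm, reply_to in samples:
        print(frm, "->", check_sender(frm, reply_to) or "ok")
```

Running the block prints one line per sample: the first is reported as "ok", the second is flagged because the CFO’s name arrives from an outside domain, the third is flagged twice (vendor name from the wrong domain, and a domain one character away from the real one), and the fourth is flagged on its Reply-To even though the From address is genuinely internal. In practice the trusted lists would come from the directory and the vendor master file rather than being hard-coded, and a finding should route the message to the verification step described in tip 2 rather than block it outright.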
Setting mobile-use guidelines and monitoring all device connectivity across your entire network is an important way to minimize vulnerability, as well. Research shows that network visibility is the biggest gap[7] in most organizations’ cybersecurity.
5. Plan for When (not If) it Happens
Data breaches are occurring more often than ever, with 60%[8] of businesses having experienced a serious security breach in the last two years (and 31% experiencing more than one). That’s especially troubling for small businesses, as the majority (60%) fold within six months of a cyberattack[8].
Companies only cause more damage (or create new vulnerabilities) by believing data breaches won’t happen to them or by handling breaches poorly when they do.
A well-developed response plan for fraud and security breaches should be in place at every organization and should be a well-understood part of the organizational disaster recovery framework. Trusted advisors from your legal, accounting, and banking partners should help you develop a plan complete with procedures that (1) immediately address and triage the incident; (2) assess the breadth and scope of the breach; and (3) mobilize efforts to meet regulatory and legal guidelines and manage the situation with customers in a way designed to maintain their trust – with clear communication about the incident and its impact.
And since the extent of that impact will depend on the severity of the attack, companies may want to prepare for the worst with commercial cybersecurity insurance. Coverage is expanding to meet evolving threats, but only 36%[9] of organizations with revenue under $100 million have a cyber insurance policy.
Cyberattacks are an ever-present threat for businesses of any size, but small companies often put themselves at undue risk by ignoring the security gaps that make them most vulnerable.
Business leaders at small- to medium-sized organizations must continually invest in the employee training it takes to use all digital systems properly; that training is necessary to limit any potential for sensitive data to be exposed. Business processes should be regularly re-evaluated to ensure proper verification methods are in place, with appropriate monitoring of who has access to which systems, and for what ends.
Appropriate prevention also takes the help of expert partners capable of helping you understand, assess, measure, and mitigate cyber threats.
The best place to start is with a call to the professionals at First Midwest Bank. As your trusted advisors, we can help implement a workable plan that can be tested annually to reduce risk.
Head of Treasury Management
First Midwest Bank
To speak to a First Midwest Treasury Management Officer call 847.670.3080 or email TM.CustomerService@firstmidwest.com.
1) CIO Dive: Cybersecurity confidence rattled by continued investments, small results
2) IBM Cost of a Data Breach Report 2019
3) Cybercriminals Favor Targeting Top Executives, Small Businesses, Money: Verizon Data Breach Report via Forbes
4) 2019 AFP Payments Fraud and Control Survey Report, underwritten by JP Morgan
5) CyberArk Global Advanced Threat Landscape 2019 Report
6) Verizon 2019 Data Breach Investigations Report
7) SANS 2019 Incident Response Survey
8) 1E Getting Your House in Order Survey
9) Microsoft 2019 Global Cyber Risk Perception Survey