Data security is a serious and ever-growing issue for businesses big and small (not to mention the affected consumers). Threats such as data breaches, identity theft and fraud, and large-scale credit card leaks are never far from the latest business news. In recent months, we have seen high-profile data breaches at the following companies:
To put the above Companies in a real-world context beyond the headlines: the Marquard & Bahls attack led to the closure of over 200 gas stations across Germany; the Cash App leak affected a whopping 8.2 million customers; the Crypto.com attack led to stolen money amounting to $33 million, while Ronin’s led to losses of $600 million.
The Risk for Small Businesses
While the above large companies are more capable of weathering these storms, the same is not true of small businesses; Small businesses frequently experience attacks — a phenomenon that experiences underreporting in the news. The consequences can be devastating, with 60 percent of small companies going out of business within six months of falling victim. In addition, 42 percent of small businesses experience at least one cyber attack annually; yet worryingly, nearly 87 percent of small business owners believe they are not at risk from data breaches.
Small businesses face additional hurdles because they often lack the time, resources, and knowledge to protect themselves efficiently. They will also take longer to detect a breach. In their annual survey, Generali Global Assistance (GGA) published the following research:
- Two-thirds of Americans are concerned about their personal information becoming compromised in a data breach while shopping.
- Nearly four-fifths of customers would be concerned about doing business with a company that had previously experienced a data breach.
- Over three-fifths of shoppers indicated that data breaches of online merchants are the biggest threat to their identity security.
How Small Businesses Can Protect Themselves
Following these guidelines will assist in improving security:
- Create a robust cybersecurity policy and ensure employees are aware of it. Boost awareness with risk education and training.
- Invest in good cybersecurity protection. Only collaborate with providers that demonstrate experience and a strong commitment. Regularly update.
- Identify weaknesses in your systems through related security assessments. Implement strong authentication and mandate complex passwords for all system access.
- Follow established protocols when managing confidential data such as payment details. Comply with the Payment Card Industry Data Security Standards (PCI-DSS).
- Follow wireless security protocols. Wireless networks afford many positives for business operations, but insecure backdoors can function as gateways for threat actors.
As for the signs and symptoms of suspicious activity, small business owners should be aware of the following and know how to identify them:
Strange database activity: This could be new users, changes to permissions, or unusual data growth.
Abuse of account privileges: This includes altered audit information, sharing account access, or unwarranted access to sensitive information.
Unexplained user access changes: Signifies that a hacker is trying to access your network.
Unexplained changes to system files: This includes modifications, replacements, additions, and deletions.
Abnormal network behaviors: These can include unexpected changes in network performance or unexplained scans.
Data Breaches & Identity Fraud
Identity theft affects individuals and businesses alike. In 2020, identity fraud reached $56 billion (USD) in losses. What is most concerning is that, when it happens, victims often have no idea that their identity is compromised — until the respective company/group announces the data breach. At the same time, the theft of an email address or redirected URLs is a favorite tactic of phishing scammers.
The Steps to Take
- Instead of traditional one-password logins, opt for two-factor authentication. Guard the passcodes closely and never divulge them — even old codes.
- If secure addresses become compromised and you come to find the information is shared online, you can contact the relevant platform to have it removed.
- Secure your social media accounts; The Identity Theft Resource Center (ITRC) has reported that scammers are hacking Instagram and Facebook accounts. Remember that while a valid social security number goes for just $2 on the dark web, hacked Instagram and Facebook accounts go for $45 and $65, respectively.
- Freezing your credit: if your financial information becomes compromised, you can freeze your credit to restrict access. Doing this will shut down one route for thieves to open accounts in your name.
- Track down and delete old accounts you are no longer using. Reducing your accounts will minimize the potential routes for thieves to achieve their aims.
- You should sign up to account alerts from any platform where you store your data. Most companies provide this simple service.
What If I Think Someone Has My Social Security Number?
A Social Security number (SSN) is the single most significant government-issued identification document American citizens can have. For this reason, it is a highly prized target for criminals involved in data theft. With your SSN, a thief can do several things, from opening bank accounts and credit cards in your name to stealing your money and property. In 2019, the Social Security Administration estimated $7.9 billion in fraudulent payments, which equates to an average cost of identity theft of over $1,000 per citizen.
The Steps to Take
- Log in to your personal Social Security account and check your account statements. If there are concerns, contact the Social Security Administration immediately.
- Place a “fraud alert” on your credit reports. You can request your free credit report via annualcreditreport.com from one of the three credit-reporting agencies: TransUnion, Experian, and Equifax.
- Visit IdentityTheft.gov to report the fraud to the Federal Trade Commission (FTC) and get help with the next steps.
- File a police report. Be sure to retain records of communication and copies of the report.
- Report your identity theft to the Internet Crime Complaint Center. They will distribute your report to local, state, and federal authorities and create an official statement.
In severe cases of SSN fraud, it is possible to receive a new number. It is, however, a complex, lengthy, and complicated process. The primary issue is that your new number will have an empty credit history, leaving you and your business on a years-long road to recovery.
In summary, while big companies often hit the headlines regarding data security, small businesses are at even greater risk. It is therefore essential to educate and inform yourself and your employees of potential data threats. Security should be paramount, as well as knowing how to identify risks. Prevention beats the cure — we should act, rather than react — or, to flip an old phrase: the best offense is a good defense.
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, our cybersecurity platform protects 500,000+ organizations and 250+ million individuals across clouds, networks, devices, and endpoints. Trend Micro Initiative for Education
Copyright © 2023 SCORE Association, SCORE.org
Funded, in part, through a Cooperative Agreement with the U.S. Small Business Administration. All opinions, and/or recommendations expressed herein are those of the author(s) and do not necessarily reflect the views of the SBA.