As small businesses work to get their taxes in order before April 15, they should also make sure their online financial information is secure from cyberattacks – after all, tax time is one of cybercriminals’ favorite times of the year. It’s crucial to protect this information from an attack: A recent survey of small businesses by the National Cyber Security Alliance found that after suffering a data breach, 10 percent of SMBs went out of business, 25 percent had to file for bankruptcy and 37 percent experienced a financial loss.
Small businesses can better protect themselves during tax time – and any time of the year – by following these tips.
Keep All Machines Clean
Whether you are filing your own personal or business taxes, having updated software on all devices that connect to the internet is critical. This includes security software, web browsers and operating systems for PCs and your mobile devices. Don’t forget about devices employees use at home or on the road as well. Having current software is a strong defense against viruses and malware that can steal login credentials or use your computer to generate spam.
Do a Deep Data Dive
Preparing for tax season is a great time to identify and document what data you create, collect, store and transmit. Determine what information you handle or store out of business necessity and safely dispose of any unnecessary data. Keep in mind that this goes for paper documents, too. Also, consider encrypting data both in transit and at rest to protect it from cybercriminals. The Center for Internet Security shares tips for information disposal.
Get Savvy About Wi-Fi Hotspots
Do your employees work remotely? What about staff travel? These are realities of running a business. It is critical to keep in mind that wherever you are conducting business, public wireless networks are not secure. Cybercriminals can potentially intercept internet connections while you are filing highly personal information via public Wi-Fi. Make it a rule for employees to access your business data from a secure network, and establish clear expectations through policies and procedures for how and on what devices your team can access your network. Check out the U.S. Department of Homeland Security’s Cybersecurity While Traveling Tip Card.
When in Doubt, Throw It Out
Malicious emails are often the point of entry for cybercriminals to gain access to your business information. Tax season is prime time for scammers to ramp up their efforts. If an email looks suspicious – even if you know the source – it’s best to delete it, or verify the legitimacy of the email via a different method of communication, like a quick phone call or text. Train all employees on what to look for in a suspicious email, ideally before giving them access to email. Need help? Google recently released a free phishing quiz: https://phishingquiz.withgoogle.com/
Lock Down Your Login
Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Be sure employees are not sharing passwords with each other. In addition, lock down access to sensitive data so that only those who need it can retrieve it.
Make Better Passphrases
If your passphrases are too short or easy to guess, it’s like giving a cyber thief your banking PIN. Longer passwords and those that combine capital and lowercase letters with numbers and symbols provide better protection. Place a strong emphasis on helping employees understand the makings of strong passphrases and why they are so important to keeping the company safe and secure. The National Institute of Standards and Technology (NIST) shares user-friendly guidance on creating strong passphrases.
Have a Plan in Place
Know how to respond if you are the victim of a security breach. Who do you turn to for assistance? What’s your state’s data breach notification law? Does your insurance cover losses from a cybercrime? Create and practice your response plan before you have an incident. The Federal Trade Commission’s Data Breach Response Guide and Department of Justice’s Best Practices for Victim Response and Reporting of Cyber Incidents guide will help you identify some response strategies.
CyberSecure My Business™ Monthly Webinars and Regional Events
In October 2017, NCSA launched CyberSecure My Business™. The program was created to help strengthen cybersecurity in the small and medium-sized business (SMB) community by offering interactive training based on the NIST Cybersecurity Framework. You can join NCSA for monthly webinars and in-person events in regional markets.
Daniel Eliot is the Director of Education & Strategic Initiatives at the National Cyber Security Alliance.