Legendary bank robber Willie Sutton supposedly said that he robbed banks because that was where the money was. Many small business owners follow this logic when it comes to computer system security. They believe that people who rob with a mouse and a keyboard rather than a gun target large corporations because those businesses have the most money. This leads them to the misguided belief that cybercriminals will not bother them. In fact, the NACHA – The Electronic Payments Association – reports that Eastern European criminal syndicates have targeted small businesses precisely because they have allowed themselves to become easy marks.
Experts in the field estimate that one in five small businesses do not use antivirus software, 60 percent do not encrypt data on their wireless networks, and two-thirds lack a data security plan. This failure to take precautions makes a small business easy pickings for computer hackers. However, there are several things business owners can do to protect themselves.
- Use two-factor authentication. This mechanism requires the user to present more than one proof of identity. It ordinarily has two components: one thing the user knows (such as a password) and a randomly generated number that the user must input. The number comes from an electronic token card, which generates a new number every few seconds. If the user enters the number that the system is expecting, the system will authenticate the user.
- Inoculate systems against the Clampi Trojan virus. This virus resides on a computer, waiting for the user to log onto financial websites. It captures log-in and password information and relays it to servers run by the criminals, instructs the computer to send money to accounts that they control, or steals credit card information and uses it to make unauthorized purchases. The Trojan monitors more than 4,500 finance-related websites.
- Be on guard against “phishing” e-mails and pop-up messages. These messages purport to be from legitimate businesses with which the recipient does business. They ask the user to update or verify information, often threatening negative consequences if she fails to do so. Clicking on the links in the messages brings the user to an authentic-looking Web site. However, it is actually bogus; the site collects personal information that the collector can use to steal the user’s identity. System users should ignore these messages.
- Arrange for financial institutions to alert the business owner should they spot unusual activity involving the firm’s accounts.
- Install firewalls and encryption technology to block uninvited visitors from uploading to or retrieving data from the firm’s servers and to protect data sent on public networks. Intrusion detection systems can inform the business owner of attempts to hack into the network.
- Be cautious about opening attachments to e-mails, especially if the sender is someone unfamiliar to the user. Attachments may contain viruses or Trojan horses that can steal login information and passwords or corrupt a system.
- Protect against intrusion by disgruntled former or current employees. Deactivate passwords for former employees, erect barriers to keep employees from accessing systems unrelated to their jobs, and implement sound accounting procedures for financial transactions.
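
How the system can know which number to expect in the two-factor step above, shown as an added example that is not part of the original article: it uses the open TOTP standard (RFC 6238) as a stand-in for a token card's algorithm. The 30-second step, the 6-digit length and the `Verifier` class are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed seconds per code; the article only says "every few seconds"
DIGITS = 6   # assumed code length


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code for the time step containing `now` (HMAC-SHA1)."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: holds the same secret as the token (hypothetical class)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps  # tolerated clock skew, in time steps
        self.last_used = -1             # newest accepted step, blocks replay

    def check(self, password_ok: bool, code: str, now: float) -> bool:
        current = int(now) // STEP
        matched = None
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            expected = totp(self.secret, step * STEP)
            # Constant-time comparison; a code is accepted once per step.
            same = hmac.compare_digest(expected.encode(), code.encode())
            if same and step > self.last_used:
                matched = step
        if matched is None or not password_ok:
            return False  # both factors must pass
        self.last_used = matched
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not for real use
    server = Verifier(secret)
    code = totp(secret, 59)           # what the token would display
    print(code, server.check(True, code, 61), server.check(True, code, 61))
```

The second `check` call fails because a code that has already been accepted is refused, so a number captured by an eavesdropper cannot be reused within its validity window.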
In addition to these safeguards, small businesses may want to consider purchasing computer fraud and employee theft insurance. These policies will protect the business against those losses that still occur; insurance companies are likely to offer favorable pricing to businesses that take precautions against cybercrime. A professional insurance agent can give advice on the appropriate types and amounts of coverage.
Modern technology gives businesses unprecedented abilities, but it also presents significant risks. Every business owner must take steps to keep the cybercriminals out.