Managing cyber risks

Arm your business against data thieves

According to a 2024 report from IBM, between March 2023 and February 2024, data breaches by cybercriminals cost global businesses 10 percent more than they had during the previous 12 months. The average cost of these incursions topped out at $4.88 million, the biggest jump since the start of the pandemic. Obviously, a multi-million-dollar loss would be significant for a business of any size; for a small or medium-sized business, it could be catastrophic. 

Other indices illustrate this extensive and fast-growing problem. For instance, according to the Identity Theft Resource Center (ITRC), 26 percent of businesses overall experienced data breaches, and the number of small businesses reporting illicit access to their systems jumped by 8 percent since 2023. 

Fortunately, there are actions you can take now to keep bad actors from accessing your important private data, things you can do to mitigate the damage if a breach occurs, and ways to offset some of your losses.

Tips and steps to take

First, ask yourself...

Does your company maintain any of the following information on its networked computer systems?

  • Employee and/or customer addresses
  • Employee and/or customer Social Security or driver’s license numbers
  • Copies of checks or credit card receipts
  • W-9 forms
  • Personal employee health plan records

If the answer is yes to any of these, and you don’t have an active data-protection plan in place, then you are exposed.

Trust, but verify

Cyber-attacks on business systems don’t only stem from hackers who use coding skills like crowbars to commit their break-ins; they’re also enabled by lost, discarded, or stolen laptops, smartphones, and portable memory devices; acts by disgruntled employees; and procedural errors.

Most often, though, these criminals rely on “social engineering” to win the access they need. They trawl through social media accounts and use various types of deception — such as fake emails and phone scams (phishing) — to obtain passwords, banking information, highly sensitive employee and customer information, or other compromising data. They can then use this information to break into a company’s systems or to induce company employees to do their bidding.

One increasingly common tactic is a request that comes from outside of the typical chain of command, often taking the form of an alleged communication from the company CEO, CFO, or other top executive. The request may ask a lower-level employee for sensitive information such as their W-2. Because there are very few legitimate circumstances under which company leadership will ask for such information, these are among the easiest scams to detect and thwart.

However, artificial intelligence — AI — has put other tools into scammers’ hands that can make these tactics more effective, enabling them to create emails that spoof an executive’s email address and mimic their writing style. There are also “deep fake” pictures, audio, and even video that can seem legitimate. Employees receiving unusual requests from executives, vendors, or business partners should always follow up — at the very least — with a phone call to a number they already have on file (not one supplied in the message) to confirm the request.

Check your website

Corporate websites are often a route cybercriminals take to access businesses’ systems, because they frequently include contact and biographical information for top executives and customer-facing personnel. Too much information on a website can help scammers identify and target weak links.

This is why your IT team should conduct periodic sweeps of company websites to ensure that the wrong sorts of employee contact details — especially for lower-level personnel in finance — are not available publicly. Thieves often target employees who are most likely to have wire-transfer capabilities.

Be wary of urgency

Scammers’ messages also often convey a great sense of urgency in order to provoke an unsuspecting employee to respond now, think later. The scammers will try to convince the employee that they will be reprimanded or even fired if they do not immediately do as instructed.

Encrypt your communications 

Many cyber incursions can be prevented through the simple expedient of device encryption. According to one survey conducted in 2021 by Statista, only 56 percent of enterprise respondents said they were making extensive use of encryption technology in their internet communications, and only 27 percent of respondents were using even partial encryption as a part of their internet communications protocols.  

Keep things patched up

Staying on top of the latest available software security patches and moving to automated patch management is another easy way your firm can fend off breaches. Bad actors are constantly probing your most-used software packages, looking for vulnerabilities. Staying abreast of the latest versions of your software and installing patches whenever they come out is one way you can spoil their plans.

Keep your passwords complex

Cybercriminals have numerous tactics for getting around your firewalls. For instance, they use automated tools that try possible password combinations at lightning speed. Steer clear of easy-to-guess passwords such as your children’s names and birthdates, and use multi-factor authentication wherever possible.

Don’t overshare

Double-checking the contents of any messages you send out and files you attach, then scrubbing any potentially compromising data (particularly when you’re sending data to outside vendors) is another best practice. Be sure, too, that your employees know what you consider to be “sensitive.”

Check your credit

An easy and proactive way to find out if your business’s bottom line is being compromised is to routinely monitor your profile with all three major business credit bureaus: Experian, TransUnion, and Equifax. The Consumer Financial Protection Bureau (CFPB) recommends you use a credit monitoring service to take the guesswork out of the process.

Protect your papers

These days, maintaining paper files might seem like an old-fashioned notion, but there are still instances where a hard copy is indispensable. You should be sure to store these sensitive documents in a secure place, but you should also invest in a shredder to dispose of documents you no longer need that could contain confidential information.

What if the worst happens?

Education and training should be your company’s first line of defense against cybercrime. Social engineering may be criminals’ go-to method for breaking into your systems, but a well-briefed, well-trained workforce is your best way to stymie it.

If cybercriminals do break into your network, you should act quickly. Resolving a data breach can involve substantial legal fees and regulatory requirements.

For instance, 47 states have breach notification laws, and more and more of them specify that companies must notify the state attorney general’s office if there’s an incident. Many of these laws also include a ticking clock. To avoid frantic document-gathering in the event something does happen, it’s important that you review your state’s requirements ahead of time.

First, you should move immediately to eject the criminals from your systems and assess what kind of damage they were able to do. Even if your business is too small to have a dedicated IT staff with the skills it will take to do this, there are forensic IT specialists you can hire who can take these steps for you.

Still have questions?

We created our Cyber Liability and Breach Response FAQ to help Grinnell Mutual policyholders to navigate the often-bewildering landscape of cybersecurity. It’s a great place to start.

Or, visit our Cyber Liability page and learn more about data breaches, how your business may be exposed to them, and what we can offer. 

Sources: comparitec.com; www.idtheftcenter.org; www.consumerfinance.gov

The information included here was obtained from sources believed to be reliable; however, Grinnell Mutual Reinsurance Company, SI, and its employees make no guarantee of results and assume no liability in connection with any training, materials, suggestions, or information provided. It is the user’s responsibility to confirm compliance with any applicable local, state, or federal regulations. Information obtained from or via Grinnell Mutual Reinsurance Company, SI, should not be used as the basis for legal advice and should be confirmed with alternative sources.

2/2025