Expert Advice for Medium and Midsize Businesses

How to Keep Your Finance Data Safe from Cyber Attacks

Ken Judd
Chief Financial Officer
When you’ve worked in finance for as long as I have, you hear some horror stories. One that stands out vividly to me is the story of a small-to-medium business (SMB) employee who wired out $75 thousand to someone based on an email received from their CEO.

Turns out, it was a phishing scam.

Security breaches like these are becoming more common, and the people factor is perhaps the hardest to control. Criminals are becoming more sophisticated in their attacks. Every day, employees unwittingly click on links to “documents” that install malware on their laptops and gain access to company systems.

Attackers can even create fake emails from fake accounts that appear to be from your boss or a colleague. Many employees install “rogue apps” on their phones that aren’t approved by the company’s IT department—and they don’t pay attention to the level of access they’re granting those apps.

Did you know that every photo taken on your cellphone is “geotagged”? Do you even know what “geotagging” is? It’s metadata attached to the photo file detailing EXACTLY where on the planet the photo was taken. Wonderful stuff when used as intended. Not so wonderful in the hands of a rogue app developer. If an app has access to your photos or your camera, it can track your location and spy on you without you even knowing that it’s happening. Shady dealers can use that insight to send emails claiming to be your CFO—who just happens to be on a business trip in India—with the message that “I’m using my personal email account because I’m having trouble getting access to the company network here.”

Who wants to say no to their boss, right? No one. But who wants to tell their boss that they wired $75 thousand because they had a rogue application installed on their phone? Oops.

Yet saying no is a skill that SMBs need to teach their employees if they want to keep the business secure. Employees must regard all requests for money, financial records, customer data, or any other confidential information with a skeptical eye. Anything remotely suspicious should raise a red flag.

Why SMBs Are More at Risk than Big Companies

Smaller businesses are some of the biggest targets for cybercriminals—often because they are easier to break into. Nearly half of cyber attacks are directed at companies with fewer than 250 employees. Consider some of the ways in which SMBs are at risk:

  • Uncontrolled Access – A disgruntled employee could plug a flash drive into a laptop, steal sensitive data and sell it to a competitor. Or, they could just walk off with the laptop.
  • Paper – Paper is a huge issue within SMBs. Finance professionals print out large numbers of spreadsheets when running analysis or working on the financial close. Such paper is often improperly disposed of, or filed away in unlocked cabinets. Unscrupulous actors could use this information for insider trading in advance of earnings announcements.
  • Infrequent backups – What if a key financial analyst loses a laptop? If there was no backup of the files, then you’ve lost some important company records. What if your CFO’s laptop crashes? Or, if your CEO gets stuck overseas due to a visa issue, will there be another copy of your SMB’s strategic plans inside the office?
  • Complex contracts – Many big accounts (the kind that most SMBs dream of landing as clients) put specific, non-standard requirements into their contracts. How do you keep track of these terms and conditions? Is that information safe from loss or theft?
  • Overseas expansion – Data protection rules in other countries can be very different from those in the United States. Some countries won’t allow certain data to reside outside of their own borders. How do you keep that data in-country when you have limited budget and resources?
  • Lack of talent – SMBs typically lack the staff to keep track of the multitude of rules and regulations around data security. Their small IT staff might be mainly focused on supporting employees, and might not have the expertise (or the time) required to understand and implement complex security rules.



The Consequences of a Breach

The consequences of a data security breach can be disastrous—and expensive. You’ll need to notify any and all parties whose data might have been compromised. You could face fines, lawsuits, or even charges of negligence from regulatory bodies. And your insurance costs can go through the roof.

More importantly, there will be a loss of reputation and future business. Customers are reluctant to work with a company that has been the victim of a finance data breach; the National Cyber Security Alliance found that 60 percent of small companies victimized by cyber attacks go out of business within six months.

Protecting Your SMB Against Cyber Attacks

One of the first onboarding tasks that any employee should perform is security training. Make it a mandatory part of your hiring routine. Teach every employee, from the CEO on down, about the basics of data security: how to avoid email scams, do’s and don’ts for mobile devices, backing up data, etc. A culture of cybersecurity can go a long way toward protecting against threats.

The type of technology your SMB uses also has a huge role to play. In the early days of the cloud, one of the major objections was around data security. Today—depending upon the provider you’re working with—the cloud can be one of the most secure ways to manage finance data.

Large cloud providers have far more resources to invest in security than your SMB does. They work closely with regulatory bodies and accounting organizations (such as AICPA) to meet national and international security standards. They build data centers around the world to comply with region-specific data residency requirements. They have specialized teams that keep up to date on the latest regulatory changes, and they regularly update their finance cloud applications to comply with new guidelines.    

They can also build world-class security models into their cloud software, so that your SMB gets the same level of protection as Fortune 500 companies.

But not all clouds are created equal. Smaller providers of finance software might not have the resources at hand to provide the same level of protection. Be sure to ask questions about how much of their staff is dedicated to security, regulations and compliance. AICPA has done security best practice reviews and developed standards concerning SOC (System and Organization Controls) reports. Ask your cloud provider for these SOC reports to confirm that it is in compliance with established standards.

You should also look at the terms of use. What are your data control rights under the proposed contract? Does the provider have the right to mine your data—and if so, can they guarantee that it will be fully anonymized, stripped of any identifying markers? And if you’re planning to open an office overseas, does the provider have a data center in that region to meet residency requirements?

With cyber attacks becoming increasingly sophisticated, the job of protecting sensitive data has grown beyond the scope of most SMBs to manage. By properly educating your staff and choosing the right cloud, your SMB—and, more importantly, your customers and future clients—can be confident that your finance data has the best security you can provide.  
