Turns out, it was a phishing scam.
Security breaches like these are becoming more common, and the people factor is perhaps the hardest to control. Criminals are becoming more sophisticated in their attacks. Every day, employees unwittingly click on links to “documents” that install malware on their laptops and give attackers a foothold in company systems.
Attackers can also send email from look-alike or free-mail accounts whose display name matches your boss or a colleague. Many employees install “rogue apps” on their phones that aren’t approved by the company’s IT department, and they don’t pay attention to the level of access they’re granting those apps. Did you know that photos taken on your cellphone are “geotagged” whenever the camera app has location permission? Do you even know what “geotagging” is? It’s metadata (the EXIF GPS tags) attached to the photo file recording EXACTLY where on the planet the photo was taken. Wonderful stuff when used as intended. Not so wonderful in the hands of a rogue app developer. An app with access to your photo library can read the location out of every picture you have taken, and one granted location permission can track you directly, without you even knowing that it’s happening. Shady operators can use that insight to send emails claiming to be your CFO, who just happens to be on a business trip in India, with the message that “I’m using my personal email account because I’m having trouble getting access to the company network here.”
Who wants to say no to their boss, right? No one. But who wants to tell their boss that they wired $75 thousand because they had a rogue application installed on their phone? Oops.
Saying no, or at least “let me verify that first,” is a skill that SMBs need to teach their employees if they want to keep the business secure. Employees must regard all requests for money, financial records, customer data, or any other confidential information with a skeptical eye, and confirm them through a channel the sender did not supply: a call to a phone number already on file, or a message through the company’s own systems, never a reply to the email itself. Anything remotely suspicious should raise a red flag.
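As an added example, not code from the original article, the following script shows the kind of check a mail gateway or a quick triage script can run against the scenario above: a message whose display name matches an executive but whose address is a free-mail or look-alike domain, carrying wire-transfer pressure language. The company domain, the executive list, the phrase list and the three messages are all constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumptions for the example: the company's mail domain and the executives most worth impersonating.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> real address
PRESSURE_PHRASES = ("wire", "urgent", "personal email", "can't access", "keep this confidential")


def _edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains (examp1e-corp.com vs example-corp.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address):
    return address.rpartition("@")[2].lower()


def assess_message(raw):
    """Return the reasons a message looks like executive impersonation (empty list if none)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []

    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' is an executive but the address is {addr}, not {real}")
    if reply_to and _domain(reply_to) != sender_domain:
        reasons.append(f"Reply-To {reply_to} goes to a different domain than From {addr}")
    if sender_domain != COMPANY_DOMAIN and 0 < _edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {sender_domain} (company domain is {COMPANY_DOMAIN})")
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits and sender_domain != COMPANY_DOMAIN:
        reasons.append(f"external sender using pressure language: {', '.join(hits)}")
    return reasons


# Constructed messages for the example; none of them is a real email.
GENUINE = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: ap@example-corp.com\n"
    "Subject: Q3 forecast\n\n"
    "Could you send me the Q3 forecast when it is ready? Thanks.\n"
)
BEC_FROM_FREEMAIL = (
    "From: Jane Doe <janedoe.cfo@gmail.com>\n"
    "To: ap@example-corp.com\n"
    "Subject: Urgent - vendor payment\n\n"
    "I'm using my personal email because I can't access the company network here in India.\n"
    "Please wire $75,000 to the attached account today and keep this confidential.\n"
)
BEC_LOOKALIKE_DOMAIN = (
    "From: Jane Doe <jane.doe@examp1e-corp.com>\n"
    "To: ap@example-corp.com\n"
    "Subject: Customer list\n\n"
    "Please send me the full customer list as an Excel file.\n"
)

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("freemail", BEC_FROM_FREEMAIL), ("lookalike", BEC_LOOKALIKE_DOMAIN)]:
        print(label, assess_message(raw) or ["no impersonation indicators"])
```

Checks like these catch the cheap version of the attack. They do nothing against a message sent from the executive’s real mailbox after it has been compromised, which is why the out-of-band verification habit still has to be taught regardless of what the mail filter does.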
Smaller businesses are some of the biggest targets for cybercriminals—often because they are easier to break into. Nearly half of cyber attacks are directed at companies with fewer than 250 employees. Consider some of the ways in which SMBs are at risk:
The consequences of a data security breach can be disastrous—and expensive. You’ll need to notify any and all parties whose data might have been compromised. You could face fines, lawsuits, or even charges of negligence from regulatory bodies. And your insurance costs can go through the roof.
More importantly, there will be a loss of reputation and future business. Customers are reluctant to work with a company that has been the victim of a finance data breach; the National Cyber Security Alliance found that 60 percent of small companies victimized by cyber attacks go out of business within six months.
One of the first onboarding tasks that any employee should perform is security training. Make it a mandatory part of your hiring routine. Teach every employee, from the CEO on down, about the basics of data security: how to avoid email scams, do’s and don’ts for mobile devices, backing up data, etc. A culture of cybersecurity can go a long way toward protecting against threats.
The type of technology your SMB uses also has a huge role to play. In the early days of the cloud, one of the major objections was around data security. Today—depending upon the provider you’re working with—the cloud can be one of the most secure ways to manage finance data.
Large cloud providers have far more resources to invest in security than your SMB does. They work closely with regulatory bodies and accounting organizations (such as AICPA) to meet national and international security standards. They build data centers around the world to comply with region-specific data residency requirements. They have specialized teams that keep up to date on the latest regulatory changes, and they regularly update their finance cloud applications to comply with new guidelines.
They can also build world-class security models into their cloud software, so that your SMB gets the same level of protection as Fortune 500 companies.
But not all clouds are created equal. Smaller providers of finance software might not have the resources at hand to provide the same level of protection. Be sure to ask how many of their staff are dedicated to security, regulations and compliance. AICPA maintains the SOC (System and Organization Controls) attestation framework; a SOC 2 report is an independent CPA auditor’s opinion on a provider’s controls over security (and, optionally, availability, processing integrity, confidentiality and privacy). Ask your cloud provider for its SOC 2 Type II report, which covers how the controls actually operated over a review period rather than only how they were designed on a single day, and read the scope and any exceptions the auditor noted. A SOC report is an opinion on specific controls for a specific period, not a blanket statement that the provider is “compliant.”
You should also look at the terms of use. What are your data control rights under the proposed contract? Does the provider have the right to mine your data, and if so, can it guarantee that the data will be fully anonymized, stripped of any identifying markers? Who holds the encryption keys, which subcontractors can see your data, and how quickly must the provider notify you of a breach? And if you’re planning to open an office overseas, does the provider have a data center in that region to meet residency requirements?
With cyber attacks becoming increasingly sophisticated, the job of protecting sensitive data has grown beyond the scope of most SMBs to manage. By properly educating your staff and choosing the right cloud, your SMB—and, more importantly, your customers and future clients—can be confident that your finance data has the best security you can provide.