Imagine getting a call from Ukraine asking you to set up a Bitcoin account and transfer $50,000 in order to get the business-critical data on your computer decrypted.
This just happened to a friend of mine. It's that time of year.
With US tax filing deadlines fast approaching, finance, payroll and human resources departments in midsize and small businesses are especially vulnerable to cyber attack and identity theft. Documented cases show a significant and steady rise year-over-year. This is especially true during tax filing season, when more data is transmitted back and forth between companies, employees, tax agencies, and third-party providers.
While attacks on large, high-profile companies appear frequently in news headlines, cyber criminals have learned to focus on small to medium businesses that tend to have fewer safeguards in place.
The stakes are high. According to the Ponemon Institute, the average cost for a midsize business to clean up after it has been hacked stands at over $1 million; for a small business, $690,000. The U.S. National Cyber Security Alliance reports that 60 percent of small companies are unable to sustain their businesses more than six months after a cyber attack.
Whether payroll taxes are handled internally or through a third-party provider, this is a good time to consider potential vulnerabilities. Let’s face it, security isn’t always the top investment priority for customers, vendors, or government agencies. Look for gaps in systems and technology, especially where multiple players are involved.
Midsize and small businesses often outsource payroll tax filing to a third party, like ADP, Ceridian, or Ultimate Software. Even if password-protected data is keyed directly into vendor-provided systems, it’s hard to know where your data goes after you press the “send” button. Despite assurances, a consistent number of fraud and security incidents occur every year in the payroll industry. Few customers have one true system of record or one highly secure firewall and protection plan across finance, payroll, benefits, and human resources.
What to do? Especially during the tax filing season, consider focusing some attention on the following three areas.
At any level, people in your organization are probably not fully aware of what they might be doing to create vulnerabilities. Consider providing a short refresher course on how to evaluate incoming phone and email communications. In a common ploy, called “phishing,” criminals pose convincingly as a known authority asking for identity data, such as copies of W-2 forms.
The IRS only accepts one tax return per Social Security number. Filing early safeguards against the chance of fraudsters jumping ahead with false information and rerouting tax refunds, a practice that increased by 50% in the 2015 tax year.
Shred documents containing critical identity information. If the employer is required to keep copies, such as a request for direct deposit, ensure this data is protected and secure.
It’s hard to know what happens to your data when it is in the hands of someone else. Even with the best intentions, most organizations today deal with the realities of separate software applications for what are traditionally viewed as separate functions—and securing multiple systems can be costly.
The best protection is to use the most recent technologies and encryption devices. Perhaps more importantly, use one integrated suite of applications across as many functions as possible, including finance, payroll, benefits, and human resources, to ensure you have real-time oversight and control over your data, access, and business processes, and to keep security costs down.