Published June 01, 2012
Small business owners may think the size of their company precludes them from being targets of identity theft, not realizing they are more at risk than the larger companies.
Unlike big businesses that can afford an army of IT professionals focused solely on security, many small business owners don’t have the time to plug vulnerabilities in their computer systems. While they think their small size means they aren’t on the radar screens of hackers, the security holes is exactly what’s attracting the criminals.
“The excuse we hear a lot from small businesses is they are too small to be noticed but that’s not how it works,” says Neal O’Farrell, Executive Director of The Identity Theft Council. “They (hackers) use automated tools to look for vulnerable websites and computers.”
Identity theft can be costly to any sized business but for small businesses it can be devastating. If the small business’s customer data is breached at the very least it can shake the confidence in the business and at the worst mean lost customers forever. If the owner is the target he or she can see the bank accounts wipe out and their cash flow disappear.
“Small businesses don’t get how vulnerable they are and how devastating the crime can be,” says O’Farrell. To criminals, small businesses are the low hanging fruit, he says.
For many small businesses there isn’t much if any separation between their information, employee information and customer data. If a hacker infiltrates the system, it could be a windfall of identifying information the criminal can sell on the black market, use to steal money or create fraudulent identities. According to Farrell if a hacker gets into a small business owner’s bank account they can wipe it out leaving that business with little recourse because unlike how consumers are protected from fraud, banks don’t extend that same protection to business accounts. The biggest surprise to small business owners is they are on the hook if their bank account is cleaned out, says O’Farrell. “Small business owners are amazed they don’t have the liability protection like consumers,” he says.
Protecting from Identity Thieves
While identity theft is huge problem for small businesses the ways to protect from it aren’t. The main defense against it is to make sure the computer systems are safe and secure. That can be as simple as installing security software and making sure the software is updated and all the patches are installed. It also means having policies in place so that employees don’t visit dubious sites, click on suspicious links or inadvertently share information with the wrong person. It also pays to have strong passwords on all the systems and to make sure the data is encrypted.
“It doesn’t matter what other security if they break through all the defenses and the computer is encrypted that data is useless,” says O’Farrell. “It’s the simplest and most powerful measure.”
Securing the computer systems doesn’t have to cost a lot either. If a small business has zero budgeted for security there are a bunch of free security software that can be found on the Web. “Free is just as good as the paid version. When you look inside the antivirus packages companies are making free and the paid versions they are both using the same thing just with added bells and whistles that in most cases you don’t need,” says O’Farrell.
What to Do If the Business is Infiltrated
If the business is breached and personal customer data falls into the wrong hands how the small business responds could make a world of difference. The Federal Trade Commission recommends small business owners notify law enforcement immediately instead of waiting days or weeks. That’s because the sooner the authorities know the better the chances of catching the criminal.
Same goes for the customers and other businesses that are impacted. Alerting customers and other affected businesses early on gives them the chance to reduce the potential misuse of the information. It also demonstrates the business is taking the incident seriously. According to the FTC when deciding if notifying customers is necessary the small business should look at the type of compromise, the information stolen, the chances of the data being misused and the potential damage.
Small business owners also have to be cognizant that they are targets and act accordingly. “Small businesses don’t think its going to happen to them,” says O’Farrell. “Creating a security plan that lists the commitments to security…goes a long way in preventing attacks.”