We never know where the threats are going to come from. They are presented sometimes as emails, phone calls, oor requests that appear to be legitimate but the sender or caller is very likely sitting in a location somewhere across the globe trying to fraudulently access a company’s business records.
From 2019 to 2020, the U.S. experienced a 311% increase in ransomware attacks, with victims paying out a total of $350 million. Experts believe one important contributing factor for this kind of attack is the number of employees working from home. The COVID-19 pandemic forced the country to work remotely, creating the perfect storm for hackers.
Related: Employers’ interest in identity theft protection on the rise
“When you are working from home, you are not behind the castle walls anymore,” said John Hammond, a cybersecurity researcher at the security firm Huntress. “You are working with your own devices, away from the safe perimeter of corporate networks.”
According to the Consumer Sentinel Network, reports of identity theft more than doubled from 650,000 in 2019 to nearly 1.4 million in 2020.
Growing a business is challenging enough today. Protecting your business, your customers and your employees from data breaches, attackers impersonating your business to disguise and deceive your customers is a growing concern. Failure to do so could ultimately destroy your business and reputation, as well as damage your customers and employees.
Identity theft can harm a business in two distinct ways. The first is business identity theft, which is also called corporate or commercial theft. This method involves the impersonation of the business itself. The second is consumer identity fraud (the data breaches that we hear about more frequently in the news) in which there is an attempt to gain personal information about consumers in order to impersonate an individual.
Business identity theft
Businesses are becoming increasingly targeted by hackers because of their larger bank accounts, the ease with which they can open a credit account with higher credit limits, and their greater purchasing power. Businesses using invoicing systems that allow for delay of payment create a window of opportunity for cybercriminals to receive goods, services, and/or money before becoming detected. Many additional windows of opportunities exist for illegally accessing information as many businesses do not have sophisticated IT departments installing security systems, protocols and training employees on how to be vigilant to the thief’s tactics.
With much information (employer identification numbers EIN’s, business registration information including owners’ names and in some cases signatures which could ultimately be forged, sales tax numbers, etc.) legally available through public information access or available for a fee, businesses have another layer of vulnerability.
According to Nav, an organization that works with small and mid-size businesses to address the complexities of business finances, it suggests the following ways that a business can work to protect itself:
Go digital: Receive bank statements, credit cards bills and other financial information digitally instead of through the mail
Shred documents, and use a quality shredder to ensure documents cannot be restored
Keep records secure: If storing paper documents, ensure that they are in a locked filing cabinet, secure in safe or vault and limit access
Monitor your business credit report: Just as a consumer would, look for signs of unusual activity which may indicate fraud
Follow best practices for digital security:
- Strong firewalls
- VPN for outside access
- Secure offsite data storage
- Scheduled virus and malware scans
- Automatic Windows and other software updates
- Secured wireless networks
- Limited software installation abilities for employees
- Train employees in digital security best practices
- Protect physical access to company computers
- Use strong passwords
- Limit file sharing to those employees with need to access
Consumer identity fraud
In contrast to business identity theft, consumer identity fraud is about the data security breach, theft by an employee and consumer theft through the loss of personal information. Cybercriminals can access or hack into a company’s system and take away sensitive information. According to TrendMicro, a breach is accomplished in the following manner:
Research: The cybercriminal looks for weaknesses in the company’s security (people, systems, or network).
Attack: The cybercriminal makes initial contact using either a network or social attack.
Network/social attack: A network attack occurs when a cybercriminal uses infrastructure, system, and application weaknesses to infiltrate an organization’s network. Social attacks involve tricking or baiting employees into giving access to the company’s network. An employee can be duped into giving his/her login credentials or may be fooled into opening a malicious attachment.
Exfiltration: Once the cybercriminal gets into one computer, he/she can then attack the network and tunnel his/her way to confidential company data. Once the hacker extracts the data, the attack is considered successful.
What to do if systems are breached
Businesses need to know what their state breach notification laws require if their system has been breached. Failure to comply may result in fines being assessed.
The Federal Trade Commission publishes guidelines to follow if your data is breached. In addition, if your business is covered under the Health Insurance Portability and Accountability Act, there are specific measures that will need to be followed if Protected Health Information (PHI) is breached. Businesses may even be subject to fines for weakly or unprotected protect data. The Department of Health and Human Services outlines these instructions.
While no one can completely eliminate identity theft, businesses and organizations that regularly monitor their accounts, bills, and credit reports can lower their risk. Yes, it can be overwhelming to consider the consequences of fighting something so ambiguous and complex, but if a business thinks it’s the victim of identity fraud, work with the FTC to restore accounts and get on the road to recovery.
Bobbi Kloss is director of human capital management services for Benefit Advisors Network, an exclusive, national network of independent employee benefit brokerage and consulting companies.