Growing your business is challenging enough today. Protecting your business, your customers, and your employees is even more difficult when technology is being used to breach your data, impersonate your business, and deceive your customers, which could ultimately destroy your business and your business and personal reputation, as well as harm your customers and employees.
Identity theft can harm a business in two distinct ways. The first is Business Identity Theft, which is also called corporate or commercial theft. This method involves the impersonation of the business itself. According to the FBI, what is at stake is the business's brand, reputation, and trade secrets.
The second is Consumer Identity Fraud (the data breaches that we hear about more frequently in the news), in which there is an attempt to gain personal information about consumers in order to impersonate an individual.
Business Identity Theft
Businesses are increasingly at risk of business identity theft because of their larger bank accounts and the ease with which they can open credit accounts with higher credit limits and greater purchasing power. Also, businesses use invoicing systems that allow for a delay of payment, creating a window of opportunity for cybercriminals to receive goods, services, and/or money before being detected. Many additional windows of opportunity exist for illegally accessing information, as many businesses do not have sophisticated IT departments installing security systems and protocols and training employees to be vigilant to thieves' tactics. With much information (employer identification numbers (EINs), business registration information including owners' names and, in some cases, signatures that could ultimately be forged, sales tax numbers, etc.) legally available through public information access or available for a fee, businesses have another layer of vulnerability.
Nav, an organization that works with small and mid-size businesses to assist in dealing with the complexities of business finances, suggests the following ways that a business can work to protect itself:
Go Digital: Receive bank statements, credit card bills, and other financial information digitally instead of through the mail.
Shred Documents: Use a high-quality shredder to ensure that documents cannot be restored.
Keep Records Secure: If storing paper documents, ensure that they are in a locked filing cabinet, safe, or vault, with limited access to only those with the need to retrieve them.
Monitor your Business Credit Report: Just as a consumer would, look for signs of unusual activity which may indicate fraud.
Follow Best Practices for Digital Security:
- Implement strong firewalls
- Use a VPN for outside access
- Secure offsite data storage
- Scheduled virus and malware scans
- Automatic Windows and other software updates
- Secured wireless networks
- Limited software installation abilities for employees
- Train employees in digital security best practices
- Protect physical access to company computers
- Use strong passwords
- Limit file sharing to those employees with the need to access
Consumer Identity Fraud
In contrast to Business Identity Theft, Consumer Identity Fraud is about the data security breach, theft by an employee, and consumer theft through the loss of personal information.
A data breach is when a cybercriminal accesses or hacks into a company’s system and takes away sensitive information. This can be done through access to a computer or into the network. According to TrendMicro, a breach is accomplished in the following manner:
- Research: The cybercriminal looks for weaknesses in the company’s security (people, systems, or network).
- Attack: The cybercriminal makes initial contact using either a network or social attack.
- Network/Social attack: A network attack occurs when a cybercriminal uses infrastructure, system, and application weaknesses to infiltrate an organization’s network. Social attacks involve tricking or baiting employees into giving access to the company’s network. An employee can be duped into giving his/her login credentials or may be fooled into opening a malicious attachment.
- Exfiltration: Once the cybercriminal gets into one computer, he/she can then attack the network and tunnel his/her way to confidential company data. Once the hacker extracts the data, the attack is considered successful.
What to do if Systems are breached
Businesses need to know what their state breach notification laws require if their system has been breached. Failure to comply may result in fines being assessed.
The Federal Trade Commission publishes these guidelines to follow if your data is breached:
If your business is covered under the Health Insurance Portability and Accountability Act, there are specific measures that will need to be followed if Protected Health Information (PHI) is breached. Businesses may even be subject to fines for weakly protected or unprotected data. The Department of Health and Human Services outlines these instructions here.