July 20, 2016

Every small business should be aware of these 5 IT security risks

by: Louis Loparo, CPA, CITP

As the latest news stories have shown, no company is safe from security breaches and data risks. Even small businesses are susceptible to hackers looking for easy ways to dig into company databases. However, many small and midsize businesses make the mistake of assuming they are too small to be a target.

So why is an accounting firm writing about IT security risks? The answer is two-fold: first, small businesses have to focus even more on the protection of their data, and second, CPA firms have access to the most valuable information in your organization, so it is up to us to ensure it is protected. Below is our list of the top 5 IT security concerns that every small business owner should know:

  1. Where is my data?

Business owners need a firm understanding of where all company data is housed, how it is protected and how it is backed up. The current trends of using cloud providers and allowing staff to “Bring Your Own Device” make these questions harder to answer. Our recommendations to minimize your risk of data loss or a security breach are to:

  • Do your due diligence when selecting cloud providers; if you are not technically equipped to evaluate them, hire someone who is.
  • Do not rely on written company policies alone to protect your data. While written policies are important to have, you should also have technical safeguards in place that do not depend on end users’ compliance. For instance, if company policy requires that all data emailed from your business be encrypted, use a tool that encrypts it automatically instead of relying on the end user to remember.
  • Have a disaster recovery plan and test it. The plan should cover everything from an accidentally deleted file to the building burning down. Put it in writing: documenting the plan forces you to think through where your data is stored, how it is backed up and how long a restore will actually take. A backup you have never restored from is not a tested backup.
  • Have security measures in place to protect your data onsite, including firewalls, spam filters and antivirus software.
  • Buy a cyber insurance policy. Even with security measures in place to prevent data loss, a breach that still occurs can be very costly. A cyber policy is the last layer of protection, helping business owners limit their costs when a significant data loss event occurs.

  2. Don’t Click on That!

To prevent malware and virus infections, teach your employees to ask before they click. If a user gets a pop-up saying they need to install a new antivirus product they have never heard of, chances are it is malware. Last year we saw malware hidden on reputable websites, disguised as advertisements, so a trusted site is no guarantee that what it serves is safe. In addition to user education, you need to invest in good antivirus software and keep it updated.

  3. Social Engineering

Social engineering is the manipulation of people in order to get confidential information or money from them. It covers everything from the Nigerian prince scam to a fraudster impersonating IT staff to obtain a user’s password. This past year some of the ugliest social engineering scams we have seen were:

  • Imposter emails that appeared to come from management, sent to the accounting department to get them to forward sensitive information or wire money.
  • Phone calls from the “IRS” trying to collect taxes supposedly due.
  • New “customers” sending fraudulent bank checks overnight in exchange for inventory, to be shipped immediately, before the check clears.

Scammers have been around forever. They are more prevalent today because advances in technology give them a platform to hit a large number of people in a short period of time. The most important defense is to educate your staff: hold regular training and communicate with employees so that no one is caught off guard by a fraudster. Back that education up with procedures that do not depend on a single person’s judgment, such as confirming any wire or payment-change request by phone at a known number and requiring a second approval for large transfers.
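The imposter emails described above share a few header-level tells that a mail filter can check before a human ever sees the message: an executive’s display name on an address that is not the company’s, a sender domain one or two characters away from the real one, or a Reply-To that steers responses elsewhere. The following Python script is an added example written for this page, not a tool from Hobe & Lucas or the original post; the company domain (example-cpa.com), the executive names and the three sample messages are constructed for the demonstration.

```python
# Added example (not from the original post): triage incoming mail for the
# executive-impersonation pattern described above. The company domain,
# executive names and the three sample messages are constructed for this
# example; a real deployment would read them from the directory and mail flow.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-cpa.com"        # assumed company domain
EXECUTIVES = {"jane doe", "john roe"}     # assumed executive display names, lowercased
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "urgent", "w-2")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (one or two
    characters away from the real one)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_flags(raw: str) -> list:
    """Return the header-level reasons a message looks like an imposter email."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    flags = []
    # 1. Display name of an executive, but the address is not ours.
    if from_name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append(f"executive display name '{from_name}' from external address {from_addr}")
    # 2. Sender domain is a near-miss of ours (example-cpa.co, examp1e-cpa.com, ...).
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        flags.append(f"lookalike domain {from_dom}")
    # 3. Replies are steered to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_dom}")
    return flags


def assess(raw: str) -> tuple:
    """Verdict and reasons. Payment wording alone never blocks mail (accounting
    gets real invoices all day); it only escalates a message that already
    carries a suspicious header."""
    flags = header_flags(raw)
    if not flags:
        return "deliver", []
    subject = message_from_string(raw).get("Subject", "").lower()
    if any(word in subject for word in PAYMENT_WORDS):
        return "quarantine", flags + ["payment wording in subject"]
    return "review", flags


# Constructed sample messages.
LEGIT = """From: "Jane Doe" <jane.doe@example-cpa.com>
To: accounting@example-cpa.com
Subject: Q3 planning meeting

Agenda attached.
"""

DISPLAY_NAME_SPOOF = """From: "Jane Doe" <janedoe.ceo@gmail.com>
To: accounting@example-cpa.com
Subject: Urgent wire transfer needed today

I'm in a meeting, please send $48,500 to the account below and confirm.
"""

LOOKALIKE_WITH_REPLY_TO = """From: "John Roe" <john.roe@example-cpa.co>
Reply-To: john.roe@mail-secure.net
To: accounting@example-cpa.com
Subject: Invoice for immediate payment

Vendor changed banks, updated details attached.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", DISPLAY_NAME_SPOOF),
                       ("lookalike", LOOKALIKE_WITH_REPLY_TO)):
        verdict, reasons = assess(raw)
        print(f"{label:10s} -> {verdict}: {'; '.join(reasons) or 'no flags'}")
```

Run as-is, the legitimate message is delivered, the free-mail account using the CEO’s name is quarantined, and the lookalike domain with a redirected Reply-To trips all three header checks. A filter like this belongs beside, not instead of, SPF/DKIM/DMARC enforcement on your own domain and a call-back procedure for payment requests; it catches the cheap cases that staff training most often misses, and it never makes the final decision to send money.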

  4. Unpatched Devices

HPE’s 2016 Cyber Risk Report stated that the top 10 vulnerabilities exploited overall continue to be those that are more than a year old, and 48% are five or more years old.

What does this mean?

It means that the fixes for the most commonly exploited flaws had been available for a year or more. If the compromised computers had been patched regularly, most of those attacks would have failed.

How do you fix it?

Use an enterprise patch management tool to ensure all the computers on your network are patched promptly, and check its reports rather than assuming the tool is working: a machine that has been off the network or has a failed update is exactly the one an attacker finds. At Hobe & Lucas, we contract with an excellent managed services provider to ensure this is done.

  5. Disposal of Old Devices

When it is time to buy new devices and dispose of the old, think twice about giving away or selling them. Even a not particularly savvy tech person can retrieve data from a hard disk that has merely been reformatted, because formatting rewrites the file system’s index, not the data itself. The best practice is to destroy the hard drives from old devices, then dispose of or recycle the remaining carcass. If you must reuse a drive, overwrite it with a dedicated wiping tool or use the drive’s built-in secure erase (the only reliable option for SSDs), and keep a record of which drives were wiped or destroyed.

In many cases we have seen “operator error” as the biggest risk a company faces. It is important to continually educate your staff and to put the proper precautions and policies in place to avoid unnecessary security breaches. We have been involved in numerous engagements assisting clients after a data loss, and it is usually very costly. Minimize your exposure now so you don’t have to scramble when something does happen.

We are one of the very few accounting firms to have a Certified Information Technology Professional.  Our team has the expertise to guide your IT roadmap and recommend strategies that will help your business operate faster and better.  Prepare for the technology of tomorrow by partnering today.  Contact us or give us a call at 216.524.8900.

Hobe & Lucas Certified Public Accountants, Inc. is a full-service accounting and business consulting firm dedicated to providing clients with exceptional value.
