cgma-cyber-security-510-x-221

Cyber-security: How big is risk to small businesses?


By Ken Tysiac

Although large companies tend to make the biggest headlines when they are hit by data breaches, it’s a mistake to assume that hackers don’t target small businesses.

“The small businesses, I think, are much more at risk than they realise,” said Lisa Traina, CPA/CITP, CGMA, president and owner of IT security firm Traina & Associates in Louisiana.

Small business leaders can be lulled into a false sense of security and think hackers would rather attack large businesses. Lack of resources also may be a problem for small businesses.

They might employ just one IT professional – or use an outsourced provider – who is completely occupied by trying to keep all the machines running and has little time to devote to maintaining a secure environment.

The biggest issues contributing to breaches, according to Traina, are:

  • Weak passwords that are used repeatedly. Traina said she recently encountered an IT contractor who set up a password of “Password1” for a client. Such passwords can be easy prey for hackers. Using the same password for multiple accounts also is a major problem, Traina said.
  • Phishing. Despite being trained not to do it, company employees often are tricked into clicking on emails that contain malware, a gateway that allows hackers into company networks.
  • System vulnerabilities. Many company networks lack adequate firewalls and patches that can keep hackers from stealing important information once they get inside.

Cyber-security breaches are on the rise. The total number of security incidents reported by respondents to a recent PwC global survey rose 48% from the previous year.

Traina said finance leaders have an important role to play in cyber-security. CFOs who have inquired with her firm know that they are at risk and that no one is dealing with the problem.

“They’re used to dealing with risk,” Traina said. “Those individuals are constantly looking to minimise risk, and this is just another risk area. The IT people may say, ‘We’re fine. We’re secure.’ But I think when that CFO opens his eyes and says, ‘Maybe we’re not so secure,’ they can have a big role in working to ensure the organisation has appropriate security measures in place.”

One particular area catching finance leaders’ attention is corporate account takeover schemes, Traina said. In these schemes, hackers steal corporate bank account information rather than customer credit card numbers or personal data.

The hackers use the company account information to send wire transfers to themselves. Regardless of the scheme, Traina said small businesses can take the following steps to protect themselves:

  • Install proper network and work station controls. “They need a technical person making sure they have a properly configured firewall,” Traina said. “They need to make sure current patches have been applied to anything and everything they own. They need to make sure they have current anti-virus software on anything and everything they own at all times.” She said it’s also important to make sure that only the right people have access to information.
  • Establish a culture of security. Employees should use passwords that are complex, and the company should require passwords that expire, according to Traina. She said the company also should block access to certain sites in the name of security.
  • Train employees. Everybody with access to company machines needs to understand why they can’t visit certain sites. They need to learn how to spot phishing emails, why employees should not click on these messages, and that one wrong click can result in a major breach.
  • Monitor vendors. Companies need to ask whether vendors have access to company data and whether data are secure after being accessed or obtained by the vendor.
  • Conduct periodic testing. Test at least yearly to identify vulnerabilities. Depending on the size and industry, some companies undergo more frequent testing.

Employees’ mobile devices represent an additional emerging threat to businesses, Traina said.

“Because people don’t think of them as computers yet, they don’t realise they need anti-virus software,” Traina said. “They need patches and updates, and they could get malware. And just the nature of what it is, it’s not recognised as a problem yet. Yes, they’ve left the building, and now you have to secure something that is going around in people’s pockets.”

Traina said cyber-security risks appear to be increasing, with published reports of vulnerabilities that have not been exploited yet. Small businesses are especially at risk because they often don’t have the time or resources to stay current on the most recent developments, she said.

“When you take all these things and put them together, there is this false sense of security that small businesses have, so they are at more risk than others from a resource perspective,” she said. “And it’s a difficult job to keep up with this stuff.”

Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine editorial director.

Don't miss out on additional news and features from CGMA Magazine.
Sign up for our free weekly e-newsletter.