October is National Cybersecurity Awareness Month. The FBI’s Internet Crime Report from March 2021 shows that the cost of cybercrimes reached $2.7 billion in 2020 alone. The top three crimes reported were phishing scams, non-payment/non-delivery scams and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes, and investment fraud.

Notably, 2020 also saw the emergence of scams exploiting the COVID-19 pandemic. The Internet Crime Complaint Center (IC3) received more than 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.

Cyberattack Costs

The following are some of the most obvious costs and those that can still have a big impact but remain hidden:

Explicit (visible) costs:

• Technical investigation
• Customer breach notification
• Post-breach customer protection
• Regulatory compliance
• Attorney fees and litigation
• Improving cybersecurity going forward

Hidden costs:

• Increase in insurance premium, raising debt
• Operational disruption/destruction impact
• Loss of contract revenue
• Impact on trade name
• Loss of intellectual property stolen
• Loss of customer trust and relationship
• National security/impact to the economy

Source: Deloitte Webinar -Quantifying Cyber Risk to Chart a More Secure Future

Small Business Impact

Information technology and high-speed Internet are great enablers of small business success, but with those benefits comes the need to guard against growing cyber threats. As larger companies take steps to secure their systems, less-secure small businesses are easier targets for cyber criminals. According to a recent Small Business Administration (SBA) survey, 88 percent of small business owners felt their business was vulnerable to a cyberattack. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity or don’t know where to begin. The National Cyber Security Alliance reports that 60 percent of small and midsize businesses that face a severe cyberattack go out of business within six months.

CPAs can assist in keeping clients’ data safe. Implementing a security-first culture helps to keep a company secure. Here are some tips on how to keep small businesses safe from cyberattacks:

• Learn how to protect your business by paying attention to cybersecurity training and tools.
• Realize the threats that companies should expect in the hybrid working mode and how to prevent risks.
• Understand how the importance of security has changed since COVID-19.
• Recognize the most important steps to take when integrating security into a company’s DNA.
• Know how Secure Software Development Lifecycle (SDLC) is being implemented by security experts in different industries and companies.

Avoiding Threats

Smart cybersecurity has a promising role to play in identifying, filtering, remediating and neutralizing cyber threats. By harnessing the smart automated enterprise tools such as artificial intelligence and machine learning, enterprises will be more readily able to meet future challenges.

A cybersecurity risk assessment can identify where a business is vulnerable and help clients create a plan of action — which should include user training, guidance on securing email platforms and advice on protecting the business’s information assets.

Best Practices

The following best practices can be followed by both CPAs in their own organizations and at their small business clients:
 

• Train employees on emails (a leading cause of data breaches for small businesses):
  
  • Spot a phishing email
  • Use good browsing practices
  • Avoid suspicious downloads
  • Create strong passwords
  • Protect sensitive customer and vendor information
  • Maintain good cyber hygiene
• Use antivirus/antispyware software and keep it updated
• Secure your networks
• Use strong passwords
• Implement multi-factor authentication
• Protect sensitive data by:
  • Backing up data
  • Securing payment processing
  • Controlling physical access

Additional Resources and Tools

• Consider contracting for dedicated IT support.
• The Federal Communications Commission (FCC) offers a cybersecurity planning tool to help you build a strategy based on your unique business needs.
• The Department of Homeland Security’s (DHS) Cyber Resilience Review (CRR) is a non-technical assessment to evaluate operational resilience and cybersecurity practices. You can either do the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.
• DHS offers cyber hygiene vulnerability scanning free for small businesses. This service can help secure your internet-facing systems from weak configuration and known vulnerabilities. You will receive a weekly report for your action.
• Developed by the DHS’ Cybersecurity and Infrastructure Agency (CISA), the Supply Chain Risk Management Toolkit can be used to help shield businesses’ information and communications technology from sophisticated supply chain attacks.