We sat down with the Identity Theft Resource Center CEO Eva Velasquez and asked her what small-business owners can do to be prepared for ID theft, fraud, and data security issues this holiday season. The transcript below has been lightly edited for length and clarity.
Why do we hear less about data breaches at small businesses?
Just because you're not hearing about it doesn't mean it's not happening.
Small businesses have the same risks [as larger ones]. They may even have a little more risk because small businesses don't tend to have the resources to put toward cyber security.
Data breach notification laws vary state-by-state [editor's note: see our sister site TechInsurance's notification guide]. Many of them have a threshold. If that threshold is 500 records, a small business may not meet that threshold. The businesses may be notifying their customers, but it doesn't make it into the media because it's not a massive public notification.
How can small-business owners protect their business from theft and fraud?
Our advice is always to go to your financial institution and ask what fraud deterrent services they offer. After that, the protections you use will really depend on the size of your business and the types of transactions you conduct.
For example, in order to do wire transfers, some large organizations have a tokenization method where a token is generated every hour. You have to get two tokens. Two people have to authorize every wire transfer.
Consumers can put an additional password on their account (in addition to their PIN). Businesses can do the same. All those different layers of security are available to both businesses and consumers. The business owner just has to ask.
What do the holidays mean for identity theft and cyber security issues?
The biggest thing we see is that your focus is shifted. You're not necessarily paying attention to accounts statements and credit reports. You're shopping more. And during the holidays, you may be shopping at a lot of different places, which makes it harder to keep track of your statements and recognize transactions that aren't yours.
How do businesses respond to increased concerns about security?
For the most part, businesses have been trying. But it's important to remember that there are simple things you can do.
Say you run a CPA firm, and you have two CPAs and a couple of assistants. Do you ever take work home? Do you ever take a laptop or mobile device out of the office with data on it? Work devices that are reported lost or stolen count as data breaches. And that is really something you can control. You can have a policy that data doesn't leave the office.
How should small-business owners handle complaints about data breaches, identity theft, and data privacy issues?
Business owners need to investigate claims. They need to take it seriously. They need to have resources for consumers. Of course, I'm going to recommend the ITRC (because we're free).
But the other thing is that these business owners may have benefits written into their insurance. Is there something in their insurance they can refer their customer to? [Editor's note: Cyber Liability Insurance can offer credit monitoring and identity theft protection benefits for your customers.]
The business owner needs to take these incidents seriously. They need to investigate. Start tracing it back. Was your point of sale compromised? Was your network compromised? Talk to your IT person. Talk to your financial institution and ask if there’s been any compromise or if anyone has tried to access your account.
The overarching message is if you get a complaint, take it seriously.
How does your organization help small businesses and consumers?
Our primary mission is to provide victim assistance to consumers throughout the United States at no cost. We also help concerned consumers. We help people who’ve had an ID theft issue and know their identity has been stolen and we help people who have received a data breach notification and want to know what they should do to minimize their risk.
What other resources are available to small businesses to help them learn more about theft and fraud?
The Federal Trade Commission is very consumer focused, but they have resources for small businesses (see its business center). And the Better Business Bureau has a program called Data Security Made Simpler.
Tips for Protecting Your Small Business from ID Theft and Fraud
- Know what tools you already have. Talk to your bank about extra security protections you have for your accounts. Know what Cyber Insurance benefits you have.
- Take all complaints seriously. Investigate all complaints about fraud and ID theft.
- Pay attention to your bank accounts. The holidays are busy, but don’t drop the ball. Pay extra attention to your bank statements and make sure you don’t miss any fraudulent charges.