Did you know that the trash your cleaning company removes from your facility every day is a target for identity thieves? Communal trash cans often hold receipts, notes, and other paperwork that can expose critical information to criminals. Modern thieves are skilled at piecing seemingly harmless bits of information together into attacks on your data.
Between 2013 and 2015, the percentage of small businesses that dealt with identity and fraud attacks increased from 18 to 31 percent. Business identity theft cost the U.S. economy $15.3 billion in 2016, up from $13 billion the year before.
Research shows that while business owners are becoming more aware of cybercrime in general, they’re not addressing critical flaws right within their own buildings. Fully 71% of small business owners are not actively taking steps to address security risks.
Let’s take a closer look at how you can protect your business against this kind of crime. It starts with identifying your riskiest zones.
#1 Danger Zone
Try to guess which part of your business is the most vulnerable to identity theft and cyber attacks. It’s not computers or credit card machines: It’s your employees. Employees are the #1 cause of company security breaches.
Most of these breaches are unintentional. As your workers go through their normal routines, they probably don’t think about all of the ways they expose your company to risk.
The Identity Theft Resource Center, a nonprofit dedicated to educating people about protecting sensitive information, examines how thieves steal data. Often, thieves trick employees in a process called social engineering: gathering clues and manipulating people.
Scenario 1: The Vendor Trick
For example, an identity thief might call your employee, posing as a new vendor who wants to earn your business. They request an email address and the name of your current vendor.
Later, the thief could send a spoofed (fake) email from that address to your actual vendor, requesting a password reminder. Using the password and email address, they can log into your vendor account, re-route deliveries, and steal your merchandise.
Scenario 2: The Trash Trick
As another scenario, imagine that one of your accounting employees jots down a password to your billing system on a sticky note. After taking a few moments to memorize the password, she crumples up the note and tosses it into the trash can.
When your cleaning company takes out the trash, the sticky note is placed in a large bag full of other company trash. That bag also holds scraps of information like employee names and the logo of your billing system. Suddenly an identity thief has everything they need to log into your billing system and wreak havoc: website, employee name, password.
Scenario 3: The Social Media Trick
Employees also accidentally reveal information on social media sites like Facebook and LinkedIn, which are a treasure trove for thieves. Social media users innocently reveal words they might use as passwords, like children’s names, pets’ names, and favorite bands.
Sometimes thieves send fake friend requests, either posing as someone you actually know or appearing as someone you might want to know, like a customer interested in your business. But they’re actually gathering pieces of data to use against you.
Locking Down Vulnerabilities
Your workplace also has a variety of potential vulnerabilities in its processes, systems, and equipment. The U.S. Small Business Administration warns businesses of these common cybercrime risks:
- CREDIT CARDS: Don’t give out your company’s credit card or credit card numbers. Switch to secure online ordering. Route all credit card bills to a P.O. box and give access only to one or two trusted employees.
- IT INFRASTRUCTURE: Use up-to-date software and the latest technology for your firewall, anti-virus, malware, and spyware protection. Safeguard your data with cutting-edge security.
- PASSWORD POLICIES: Establish a complex password protocol that requires frequent changes. Don’t allow the same passwords to be shared between systems.
- EDUCATION AND TRAINING: An untrained employee is a risky employee. Make data security a priority at your business. Train your employees how to protect sensitive company information. You can start with cybersecurity training tips from the Federal Communications Commission (FCC).
- BACKGROUND CHECKS: Do background checks during the hiring process, for all employees, not just accounting or IT. Make sure your background checks follow legal restrictions. Do drug screenings to avoid employees who steal due to an addiction.
Day-to-day document sharing is another source of information theft. In the normal course of business, employees share memos, spreadsheets, legal notices, and other sensitive documents.
Protect documents by using a secure electronic document storage and transmission system. Restrict access to certain high-security documents, and assign an approval tree of people who can allow access as needed.
Electronic systems usually have some sort of archive and tracking feature that allows you to review who’s accessing your documents. Assign someone to review this periodically for unauthorized users, like former employees.
Tracking Your Cash Flows
All thieves love getting their hands on cash. Yet cash continues to be one of the most loosely monitored aspects of many small businesses. This is true of both actual currency and electronic cash flows. When a few dollars go missing here and there, it’s usually not viewed as a major problem.
Hackers sometimes use small transactions to test whether anyone is paying attention. If they find a way to deduct a small amount of money from your systems each week, and you don’t crack down on it, the thief has an easy flow of stolen money.
In fact, enterprising thieves resell credit card numbers and small-transaction revenue streams to the highest bidder. It’s like a black-market eBay, where the winning bidder gets your company’s sensitive information.
The Association of Certified Fraud Examiners recommends the following steps for locking down cash flows:
- Maintain strong internal controls
- Assign responsibility for approving all expenditures
- Install security cameras near cash boxes and registers
- Conduct surprise audits
- Take it seriously when small amounts go missing
- Enforce mandatory vacations that prevent theft
- Have a hotline for whistleblowers to report fraud
The Bottom Line
Most security experts say that if a hacker is absolutely determined to get sensitive information from your company, they have a good chance of doing it. But that doesn’t mean you can’t affect the odds.
Prevent fraud and identity theft by hiring good people, establishing security rules, and making sure that when your cleaning company takes out the trash, they aren’t taking your company secrets with it!