Protect your business: IRS highlights cybersecurity measures for small businesses
During this year’s National Small Business Week, running from April 28 to May 3, the Internal Revenue Service (IRS) emphasized the importance of implementing vigorous data security measures to safeguard financial, personal and employee information from cyber threats.
The IRS has observed a concerning trend in which small businesses, among others, fall victim to various financial and identity theft-related schemes orchestrated by cybercriminals. These schemes aim to acquire sensitive information that can be exploited to file fraudulent tax returns, drain business bank accounts and perpetrate identity theft.
Common tactics employed by cybercriminals include phishing and spearphishing scams, which target small businesses, tax professionals and individual taxpayers. Small businesses are particularly vulnerable to Form W-2 scams, where identity thieves deceive company leaders into divulging sensitive data.
“Each year, the IRS sees thousands of attempts trying to attack small business owners and other taxpayers. Those who are victimized by these schemes can see serious financial consequences,” said IRS Commissioner Danny Werfel in a news release. “Cybercriminals are relentless, and anyone can be a target. The best way business owners and individuals can protect themselves is to stay well informed on the latest scams, continuously protect their computers and smart phones and install data security at home and in the business to protect sensitive information.”
Cybercriminals operate around the clock, exploiting vulnerabilities in human behavior and computer systems to pilfer financial and personal information. Small businesses that fail to adequately safeguard their data and educate their staff become easy targets for cyber attacks, potentially resulting in financial losses and reputational damage.
To mitigate the risk of cyber threats, the IRS advises small businesses to deploy comprehensive cybersecurity measures, including encryption of sensitive data, multi-factor authentication and regular staff training on security best practices. Additionally, businesses are encouraged to report IRS-related scams to phishing@irs.gov.
The IRS also highlights the “Dirty Dozen,” an annual list of prevalent scams and fraudulent schemes posing threats to small businesses and taxpayers. This year’s list includes warnings about aggressive promoters of questionable claims for the Employee Retention Credit (ERC), which could lead to penalties and criminal prosecution for ineligible claimants.
One particularly insidious scam highlighted by the “Dirty Dozen” is the “New Client” spearphishing scam, where cybercriminals masquerade as potential clients to deceive tax professionals and business owners into divulging sensitive information.
Small business owners are urged to remain vigilant against these scams and take proactive measures to protect their businesses and customers. By prioritizing cybersecurity and staying informed about emerging threats, entrepreneurs can safeguard their investments and preserve the trust of their clientele.
The IRS provides resources such as Form 14039-B, Business Identity Theft Affidavit, for businesses to report possible identity theft incidents promptly. Additionally, reporting scams to the IRS helps identify new threats and supports efforts to combat cybercrime effectively.
For more information on cybersecurity best practices and how to report scams, small business owners can visit the IRS website or consult the Federal Trade Commission’s resources on cybersecurity for small businesses.
Cybersecurity basics
The IRS urges small business owners to familiarize themselves with cybersecurity best practices, even if they outsource day-to-day information technology protection. The agency recommends implementing the best practices outlined by the U.S. Federal Trade Commission (FTC). These practices, though often common-sense, are crucial for safeguarding business data and devices.
To protect business files and devices, owners should:
- Update software regularly, including apps, web browsers and computer operating systems, with automatic updates enabled.
- Secure important files by backing them up offline, on external hard drives and in the cloud, and by storing paper files securely.
- Require passwords for all laptops, tablets and smartphones, and avoid leaving these devices unattended in public places.
- Encrypt devices and other media containing sensitive personal information, such as laptops, tablets, smartphones, removable drives, backup tapes and cloud storage solutions.
- Utilize multi-factor authentication for accessing areas of the network with sensitive information, requiring additional verification steps beyond password entry.
For safeguarding the business wireless network, owners should:
- Secure the business router by changing the default name and password, disabling remote management and logging out as the administrator after setup.
- Ensure at least WPA2 encryption is used, protecting information sent over the network from unauthorized access.
Adopting smart security practices as part of routine operations involves:
- Requiring strong passwords of at least 12 characters with a mix of numbers, symbols, and capital and lowercase letters, and avoiding password reuse and sharing.
- Conducting regular employee training to create a culture of security, staying informed about data security risks, and considering blocking network access for employees who disregard security measures.
- Having a comprehensive plan for data preservation, business operations and customer notification in case of a data breach, referencing resources like the FTC’s Data Breach Response: A Guide for Business.
For further guidance on protecting investments, customers, and employees from cyber threats, small business owners can access information provided by the FTC’s Cybersecurity for Small Businesses initiative.