
Avoid the scam: Small business owners shouldn’t skimp on cybersecurity

Managing cybersecurity for your small business can feel overwhelming. You might think hiring a third-party vendor or investing in a “Software as a Solution” (SaaS) program to handle your cybersecurity is enough. Or, perhaps you’re one of many businesses that delegate all cyber-related responsibilities to your IT guy. Those are both sound ways to start building out a cybersecurity infrastructure, but they are far from comprehensive.

Cybersecurity attacks are a scammer’s way of trying to steal money or data from your business — or from your customers. A scammer’s success could be a business’ demise.

The Better Business Bureau warns it is paramount for small business owners to implement necessary cybersecurity policies and practices. And they must also take the time to educate themselves and their staff — not just so the IT person doesn’t have to go it alone, but because everyone in a business plays a role in security. To better guard your business and hire the right people to help, you need to understand the risks.

Some questions and answers:

What types of cyberthreats are plaguing local companies in Washington?

The top business scams in Washington, reported on the BBB Scam Tracker, are phishing, online purchasing and tax collection.

Phishing scams are disguised in an email asking the receiver to open an attachment or click on a link. By doing either activity, the scammer can download malware to your computer and steal your business information.

Online purchasing impacts a business when it purchases from an unknown entity. Via a fake website, the scammer receives business and financial information, which can result in money loss.

The tax collection scam starts with a business receiving a call from a government imposter indicating it owes taxes and will have its license suspended if it doesn’t pay.

What do cyberattackers and hackers want? What’s their goal, typically?

Many times, it’s money or access to accounts. But more valuable than that is a business’s data: the information of the business owner, as well as the personally identifiable information of customers and clients. In addition to stealing money, a hacker would likely want the credit card information of the customers.

What’s most important to note is that hackers don’t always care about a business’ data. They only want its accounts because they know it’s valuable to the business. So the question is, how valuable is the data to the business owner, and what is it willing to pay to get that data back? This tactic is a common cyberattack we call ransomware.

What does the Better Business Bureau view as the greatest cyberthreat?

It’s not just one cyberthreat that wreaks the most havoc. All cybersecurity breaches cause damage to business owners. The breach can cause damage financially or to the business’s reputation once the attack is made public. For business owners, probably the one the BBB sees the most of is malware, which is sent via a link or attachment to an employee’s email. When it’s opened, a virus is downloaded onto the computer system, compromising the business data in some way or giving the scammer access. Therefore, it’s critical to train employees.

For consumers’ cybersafety, BBB warns that cellphone numbers are now the key to our online identity. Think about all the accounts your cellphone number is associated with when it comes to logins. In a growing scam called SIM Swapping, con artists port your number onto their cellphones. In doing so, they can bypass two-factor authentication efforts and get into your social media or banking accounts.

What are the possible outcomes for a Washington business whose data has been breached?

Financial losses; loss of account information; compromised systems; loss of access to software, accounts and information on its computer; reputational risk; and loss of customers.

Are small- and medium-size businesses just as vulnerable as large businesses to cyberattacks?

Last year, the BBB released a Small Business Scam survey to 1,200 small businesses in the United States. The study aimed to shed light on what scams small businesses know about and where the BBB can step in to offer more education and advice to keep businesses safe. The survey found that many business owners know about common scams targeting them: bank/credit card imposters, fake invoice/fake suppliers, and tech support. The majority of these scams happen online; 50% of survey respondents said they received this type of email.

Small businesses, like individuals, are susceptible to scams. Con artists rely on gaps in knowledge, awareness and preparedness among small-business owners and their employees to successfully perpetrate scams. The limited research available on the topic, mostly from outside the United States, suggests small businesses are particularly vulnerable to scams. Small businesses do not report scams, are likely to be subject to repeat attacks, and are particularly susceptible to online fraud.

Nine out of 10 businesses reported having some cybersecurity measures in place, according to the BBB 2017 State of Cybersecurity Among Small Businesses report. These measures included antivirus, firewall software and employee education. Additionally, BBB Accredited Businesses are almost three times as likely to include cybersecurity insurance. The financial risk of cybersecurity incidents can be transferred to insurance companies, a move that makes sense when the insurance cost is less than providing additional cost-effective protections.

In our study, approximately 15% of businesses had cybersecurity insurance in place to cover, primarily, payment data, personally identifiable information and incident response. Cybersecurity insurance is one way to keep companies both small and large insulated from the egregious effects of cybercrime.

Tools such as an information security framework can act as a “blueprint” to manage risks and reduce vulnerabilities in cybersecurity. It consists of a series of processes that an organization uses to define procedures and policies for the implementation and ongoing management of cybersecurity controls.

Does the Better Business Bureau offer any advice, resources or tools to help local businesses protect themselves against cyberthreats? What are the best practices that you recommend for small businesses in Washington?

The Better Business Bureau offers many tips, tools and advice to small businesses to help protect them against cyberthreats. Those resources include the BBB Cybersecurity Program. This program aims to help businesses better manage cyberattacks and learn from industry best practices while assisting small businesses to explore the real and perceived risks of cyberattacks. This program also offers education and awareness. At the BBB, we understand that cybersecurity is a complex topic for businesses and the community.

Cybersecurity is not only about adding layers of security technology. It starts with an understanding of managing cybersecurity risks. The BBB has developed a 5-Step Approach to Better Business Cybersecurity to help business owners do just that. This model helps business owners understand how best to identify and protect vital data and technology assets, learn to detect and respond to cybersecurity threats, and recover from a cybersecurity incident.

The five-step approach to cybersecurity, along with other helpful resources, can be found on our website at


How do business protections differ from the steps an individual might take to protect their data and identity?

While an individual is trying to protect just themselves, businesses not only are protecting their information but the information of all their clients and customers.

What should local employees be on the lookout for to protect their employer?

The three T’s are crucial for businesses to reference in helping their employees protect the company:

  • Transparency: Make transactions a transparent event, where a manager or employee must check with others before making a significant transaction or releasing information.
  • Train: Businesses must train employees on scams and how to handle the situation; this is not static but an ongoing need.
  • Talk: Continuous talk and implementation of procedures will help keep employee, business and customer information secure.

Do you know what the financial cost range might be for a small business whose data has been breached?

According to Kaspersky Labs, a single data breach has a financial impact of $86,500 on small to medium-size businesses. But the cost to a company of a data breach is much more than simply dollars; these violations erode consumer trust and can have long-reaching impact.

A solid cybersecurity program is imperative for all businesses to safeguard their information and the information of the consumer.