COVID-19 has brought cybersecurity risks and threats to the forefront for small businesses everywhere. The focus on technology isn’t new for businesses, but our sudden and dramatic shift to a more virtual business world in response to the pandemic has made the importance of cybersecurity undeniable.
Leaders from cybersecurity solutions company Sontiq spoke at Deluxe Exchange 2020 on the challenges organizations face from cyberthreats in general – and identity theft in particular – and what banks and other institutions can do to help. It’s a timely lesson – one that financial institutions can apply to help their customers with a growing, critical issue that bank clients can’t afford to ignore.
Rich Scott, Sontiq’s Chief Revenue Officer, and John Evans, Sontiq’s Executive Vice President of Sales, shared that identity theft is one of the most prevalent and painful cybersecurity risks. There are four typical sources for these identity threats:
The growing threat of identity theft
The surface web and social media
This is what we all know and experience every day with the web – social media channels, search engines, news outlets and shopping sites. By engaging in this public forum, people are sharing information about themselves that in some cases they shouldn’t be.
Accidental data spills
We all read about these regularly in the news: Personally identifiable information being inadvertently exposed by some of the world’s largest companies. There are many more less publicized losses of sensitive personal data from smaller companies as well.
While their motives vary from altruism to personal gain, hackers work around the established systems and safeguards on the web to achieve their goals. Private personal information is often collateral damage and may be made public by these hacktivists and “bad actors.”
The dark web and black markets
According to Scott, only 4% of web activity is on the surface web. The rest is the dark web – an online marketplace for identities, credit card numbers, bank account numbers and contraband like firearms and illegal drugs.
Evans said that business is booming in the dark web, with millions of transactions completed each year. Transactions increased 112% from 2018 to 2019. When a data breach occurs, personal data is sold on the dark web, and the purchaser then creates fraudulent activity from there.
COVID-19 is making it worse for small businesses
One of the major impacts of the COVID-19 pandemic is the shifting of so many businesses from physical shops to online entities. This shift creates a much larger attack surface for identity thieves – a risk compounded by the fact that in many cases, these changes are being made very quickly by business owners and managers that have little experience in the online world. IT systems are overloaded. The odds of a security gap exposing businesses to identity theft are high.
Top targets for identity theft
Scott points out that cybercriminals are focused on these gaps in security and targeting specific groups of people. And while it starts with people, identify theft spills over into the companies they work for or do business with.
Two thirds of individual victims are eight years old or younger. Because of the increase in information on social media, the younger population is now more exposed than ever. A birth certificate includes enough personal information to get a good start on a synthetic ID. Since kids’ identities aren't really monitored until they open a bank account, synthetic IDs based on their personal information can be exploited and go unchecked for years, racking up debt and poor credit ratings.
Senior citizens are the fastest-growing target of identity theft, accounting for $37 billion in losses in 2018. Older people tend to be less savvy when it comes to technology, or not online at all. Often seniors are reported as deceased, and thieves file the paperwork to take over their assets and identity.
Small- and medium-sized businesses
Evans states that 70% of all cyberattacks target SMBs. Small businesses often lack online infrastructure and are heavily focused on their day-to-day tasks. Security is a lower priority, unless they have been victimized by a cybersecurity incident.
Mobile phones have become ingrained in our everyday lives. Because phones are a central part of what we do every single day, they are an attractive opportunity for identity theft. Hackers are targeting mobile phones through back doors, crypto mining malware and fake trojan banking apps.
Evans said that 47% of breaches result from human error. Cybercriminals know this and use tactics like phishing emails to exploit employees that aren’t trained or vigilant about cyber threats. One of the biggest threats is from employees bringing their mobile devices onto the company network.
All of these cyber targets were attractive to perpetrators before COVID-19 and remain just as attractive as people (and businesses) shift their behaviors to be more online.
A cautionary tale: the story of a breach
Mobile devices are one of the biggest threats for companies because they bring together vulnerabilities of individuals and businesses. According to Scott, one in three data breaches in the last five years was caused by a mobile phone. Criminals entice or trick users into installing malware on their phones with something as simple as clicking on an email.
From there, thieves can monitor personal data, steal account logins and take over a person’s identity. A victim’s work email is often compromised as well. The criminals can get access to company PII data and breach the entire organization. It can cost a company thousands of dollars because one person clicked on an email link on their phone.
The costs of identity theft
Evans said that it costs a small business an average of $200,000 to fully recover from a data breach. For small businesses, that’s such a large hit on their business that the odds of them recovering are low. But the impact goes beyond just money:
Evans surveyed various industry reports and estimates that a typical identity theft incident impacts a business for six months and costs 100-200 hours in lost productivity.
Identity theft is a literal invasion of privacy that can affect people deeply. According to the Identity Theft Resource Center, 77% of identity theft victims reported increased stress levels.
All of the disruption and deception that comes with an identity theft incident adds up to a steep financial toll. Javelin Strategy & Research estimates the average loss per identity theft incident to be $1,343. The Ponemon Institute says that a data breach costs businesses an average of $1.4 million.
In addition to these tangible costs, the impact on business reputation and brand can be even higher. Data privacy laws have recently changed, requiring businesses to report every breach and act on it. There is no longer an option to sweep incidents under the rug. Businesses have no choice but to learn to deal with these attacks. As organizations move more of their operations online in response to the current crisis, the impact grows even further.
7 ways financial institutions can help
How can banks help their customers with this challenge?
Financial institutions are well-positioned to assist their customers here. Scott says that 60% of customers look first to their bank in the event of a fraud incident. That’s because typically businesses often first realize they’ve been breached when they see something wrong in their financial accounts. When they reach out to a financial institution, there are several valuable services that can be provided or pointed to that will help clients recover – and be more prepared for the future.
Small businesses need protection beyond what’s available for individual consumers. While an individual’s identity is made up of things like a social security number, an email address and a date of birth, a business has its own identity that is independent of the owner’s personal identity. A business identity consists of state EIN, state registration numbers, tax document numbers, a web domain and business credit cards.
For Sontiq, there are 11 components in a typical business identity. Banks have an opportunity to offer this business-specific protection to their clients.
Here are seven ways a financial institution can help their clients with preventing and recovering from identity theft:
Business credit monitoring
Provide services designed to keep an eye on business credit. Include automated scanning of credit scores and reporting. This is a more sophisticated form of monitoring than is typically offered to an individual.
Business Dark Web monitoring
Offer scans of the dark web for threats to the business. Data breaches are increasingly common; it's not a matter of if, but when businesses are going to experience a data breach. The same goes for their information being found on the dark web. Being proactive in monitoring that information is key to preventing business identities from being compromised in the future.
Fraud restoration services
Offer full identity theft restoration services for small businesses. This holistic service is valuable because it saves the business from having to figure out all of the actions required to fully recover from an attack. They aren’t experts and can’t afford to get it wrong.
You could link the restoration service offer to a payroll system, a business credit card or a business checking account. You could offer it as a standalone service as well. It's high value, can help with retention and is a key differentiator in the market. Small businesses are an underserved population; you can give them a scalable high-tech and high-value solution to protect their businesses from an event that could so easily happen to them.
Mobile device protection and monitoring
This service monitors mobile devices for malware. When periodic scans show a compromised malware app or malware running in the background of an employee’s phone, it alerts the employee to take action.
It also provides a dashboard to allow an administrator to monitor everyone’s phone. If the employee ignores the alert, that alert would still go back to the administrator to take action, including locking down the phone and disconnecting the employee from the network.
Secure payment processes
Payment processes are increasingly digital and more prone to cyber threats than ever before. Invest in your digital payment platform and process to ensure you are eliminating vulnerabilities to fraud and identity theft.
Paper checks can be made more secure as well. Secure check programs like the one offered by Deluxe provide peace of mind to customers while tightening the security of your financial systems.
Employee identity theft protection
Individual employee identity theft quickly bleeds into damage to the business. Offer employee identity theft protection services to help them protect everyone on their team. It’s good for the company but also good for each employee.
Training employees is the most important action a business can take to reduce their risks of identity theft. Organizations need to educate their teams so that they stop clicking on emails, stop downloading apps and stop using unsecured Wi-Fi networks.
Offer training programs and resources, including webinars, videos, data sheets and live training. Brand them to your organization so that you can show more value to your customer.
Provide more value for your customers
Identity theft isn't something new. According to Evans, your customers have been spending $4 billion annually going out on their own and looking for services to protect their identity themselves. Now, as businesses everywhere pivot online, identity theft is an even bigger threat. You have an opportunity to help them solve this problem in a more integrated way, with a partner they trust.