Small and Mid-Size Companies: Beware of Increased Cybersecurity Threats to Sensitive Tax Information


Small and mid-size companies electronically transmit an increased amount of sensitive financial information via the Internet to meet their tax compliance obligations.

Small and mid-size businesses electronically transmit company and employee information throughout the year to their accountants and taxing authorities, and even more so now during income tax season.  Income tax withholding and reporting, sales and use tax remittance, and employee payroll tax reporting all require that companies release private, sensitive information via the Internet or other electronic portal.

Below we describe several cost-effective measures you can take to help prevent a cyber attack.

Small and Mid-Sized Companies Have a False Sense of Security

Recent high-profile media coverage of large company data security breaches has caused a false sense of security for small and mid-sized companies.  According to a study by the National Cyber Security Alliance, 77 percent of small businesses think that they are safe from cyberthreats, and 87 percent of such businesses do not have a policy in place to try to prevent such attacks.

This false sense of security combined with the fact that smaller businesses generally have fewer resources to devote to combating cyber threats makes them an increasingly attractive target for attackers.  A recent Symantec Intelligence Report indicated that cyber attacks against small businesses are steadily increasing while attacks against large companies with more than 2,500 employees are proportionately decreasing.  Even though cyber attacks on small companies do not make the headlines, almost 20% of cyber attacks are on small companies with fewer than 250 employees.

Cost of Cybersecurity Breaches

The cost of these attacks is staggering.  According to a recent FCC report, the average annual cost of a cyber attack on a small or medium-size business is a whopping $188,242.  If sensitive financial information, the type of which is transmitted to accountants and taxing authorities, is stolen, it is likely the cost will be on the higher side.

This cost has a disproportionate effect on small and medium-size businesses.  A 2011 Business Insider report indicates that nearly 60 percent of small businesses shutter their doors within six months of a cyber attack.

What Can Small and Mid-Size Businesses Do?

First and foremost, you must implement and actively enforce a company-wide data security policy.  The scope of your policy will depend upon the size and nature of your business, but all small and mid-size businesses should, at a minimum, take the following cost-effective measures to potentially decrease the likelihood of a cyber attack:

  • Have and actively enforce a mobile device policy – At a minimum:  (1) limit the number of employees (“Authorized Employees”) who may remotely access sensitive financial information; (2) require that Authorized Employees’ mobile devices be password protected and that Authorized Employees frequently change their passwords; (3) log Authorized Employees’ use of the remote access system; and (4) regularly review the logs to determine whether the system has been attacked and whether Authorized Employees are following corporate procedures.
  • Be on the lookout for phishing emails – Recently, phishers have increasingly attempted to acquire sensitive personal information (such as names, account numbers and financial information) by sending you emails that are allegedly from a trustworthy entity like the Internal Revenue Service (“IRS”), an accountant or a bank.  You should train your employees on how to recognize phishing emails.  If you or one of your employees suspects they received a phishing email, they should not:  (1) respond to the email; (2) click on any links embedded in the email; or (3) go to any websites mentioned in the email.
  • Install security software – Security software protects against malicious software such as viruses, spam, phishing emails and malware.  If you install and keep security software up to date, you will increase the security of your computers, servers and mobile devices and help prevent malicious software or phishers from accessing the sensitive financial information stored on those devices.
  • Have a secure firewall – A firewall is a device that blocks certain Internet traffic from reaching your computers and servers.  Having a secure firewall can prevent phishers, hackers, malware and viruses from accessing your computers and servers.
  • Encrypt data – Although encryption can be cumbersome to implement, if your information is stolen, encrypting the data helps prevent the phishers or hackers who obtain it from being able to see or use it.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carr McClellan P.C. | Attorney Advertising
