Small and mid-size companies electronically transmit an increased amount of sensitive financial information via the Internet to comply with tax compliance obligations.

Small and mid-size businesses electronically transmit company and employee information throughout the year to their accountants and taxing authorities, and even more so now during income tax season.  Income tax withholding and reporting, sales and use tax remittance, and employee payroll tax reporting all require that companies release private, sensitive information via the Internet or other electronic portal.

Below we describe several cost effective measures you can take to help prevent a cyber attack.

Small and Mid-Sized Companies Have a False Sense of Security

Recent high-profile media coverage of large company data security breaches has caused a false sense of security for small and mid-sized companies.  According to a study by the National Cyber Security Alliance, 77 percent of small businesses think that they are safe from cyberthreats, and 87 percent of such businesses do not have a policy in place to try to prevent such attacks.

This false sense of security combined with the fact that smaller businesses generally have fewer resources to devote to combating cyber threats makes them an increasingly attractive target for attackers.  A recent Symantec Intelligence Report indicated that cyber attacks against small businesses are steadily increasing while attacks against large companies with more than 2,500 employees are proportionately decreasing.  Even though cyber attacks on small companies do not make the headlines, almost 20% of cyber attacks are on small companies with fewer than 250 employees.

Cost of Cybersecurity Breaches

The cost of these attacks is staggering.  According to a recent FCC report, the average annual cost of a cyber attack on a small and medium size business is a whopping $188, 242.  If sensitive financial information, the type of which is transmitted to accountants and taxing authorities, is stolen, it is likely the cost will be on the higher side.

This cost has a disproportionate effect on small and medium-size businesses.  A 2011 Business Insider report indicates that nearly 60 percent of small businesses shutter their doors within six months of a cyber attack.

What Can Small and Mid-Size Businesses Do?

First and foremost, you must implement and actively enforce a company-wide data security policy.  The scope of your policy will depend upon the size and nature of your business, but all small and mid-size businesses should, at a minimum, take the following cost-effective measures to potentially decrease the likelihood of a cyber attack:

  • Have and actively enforce a mobile device policy – At a minimum:  (1) limit the number of employees (“Authorized Employees”) who may remotely access sensitive financial information; (2) Authorized Employees’ mobile devices should be password protected, and Authorized Employees should be required to frequently change their passwords; (3) log Authorized Employees’ use of the remote access system; and (4) regularly review the logs to determine if the system has been attacked and that Authorized Employees are following corporate procedures.
  • Be on the lookout for phishing emails – Recently, phishers have increasingly attempted to acquire sensitive personal information (such as names, account numbers and financial information) by sending you emails that are allegedly from a trustworthy entity like the Internal Revenue Service (“IRS”), an accountant or a bank.  You should train you employees on how to recognize phishing emails.  If you or one of your employees suspects they received a phishing email, they should not:  (1) respond to the email; (2) click on any links embedded in the email; or (3) go to any websites mentioned in the email. 
  • Install security software – Security software protects against malicious software such as viruses, spam, phishing emails and malware.   If you install and keep security software up to date, you will increase the security of your computers, servers and mobile devices and help protect malicious software or phishers from accessing the sensitive financial information stored on those devices.
  • Have a secure firewall – A firewall is a device that blocks certain Internet traffic from reaching your computers and servers.  Having a secure firewall can prevent phishers, hackers, malware and viruses from accessing your computers and servers.
  • Encrypt data – Although potentially cumbersome to implement, if your information is stolen, encrypting the helps prevent the phishers or hackers who obtain your data from being able to see or use it.

If you have further questions on tax issues, you may contact Brendan Lund at Carr McClellan either by phone: (650) 342-9600 or e-mail:

If you have any questions about how to implement a data security policy contact Helen Christakos at (650) 696-2545 or at