Protecting your business from cybercrime in a digital world

The ever-evolving digital world we operate in each day offers infinite opportunities for business growth and development, but it also presents many risks. On the positive side, the artificial intelligence (AI) boom provides businesses of all sizes ways to streamline processes and operations, reduce costs and generate revenue.

On the other hand, the explosion of AI technology has created new pathways for sophisticated cybercriminal enterprises to attack. According to a recent study from MIT Sloan and Safe Security, 80% of ransomware attacks are powered by AI-generated malware, phishing campaigns and deepfake-driven social engineering. The study asserts that “AI has made ransomware attacks faster, more efficient, and harder to detect.”

In today’s threat landscape, hacking is a business. Sophisticated organizations operate like legitimate businesses, and their primary goal is usually financial gain through theft, extortion and exploitation. These fraudsters have legitimate businesses of all sizes in their crosshairs.

According to a survey from Mastercard of more than 5,000 small and medium-sized business owners, 46% have experienced a cyberattack on their current business, and nearly one in five that suffered an attack later filed for bankruptcy or closed their business. Smaller businesses often do not budget for adequate cybersecurity protection and have fewer internal resources dedicated to cybersecurity, and criminals know it!

But even small or medium-sized businesses with limited cybersecurity budgets and resources can use these strategies to protect their assets from cyberattacks:

  • Require multi-factor authentication (MFA). If your business does not require MFA, you are taking an unnecessary risk by leaving accounts and personal information unprotected and vulnerable to attack.
  • Ensure all employees use strong, unique passwords, or consider password-less options for improved security. The most important characteristic of a strong password is length, with between 12 and 21 characters recommended. Good passwords also avoid predictable patterns (such as 123456 and qwerty) and should not include personal information like birthdays, addresses or phone numbers. Passwords should also be unique for every login. Password-less options use passkeys or biometric identifiers in place of passwords and can be very strong if implemented properly.
  • Install anti-virus software on all company devices. Anti-virus software protects devices from known and even suspected malware, which can steal your data, encrypt it so you cannot access it, or even erase it completely.
  • Keep all device software patched and up to date. Patching is fundamental to security because fraudsters exploit known vulnerabilities. By keeping software up to date, devices receive regular security patches, which makes those vulnerabilities much harder for hackers to exploit.
  • Educate your employees. A robust security program, combined with awareness of warning signs, safe practices and how to respond to an account takeover, is crucial for protecting your company and customers.
  • Invest in third-party cybersecurity expertise. Getting outside eyes on your business’s security environment is critical to a well-rounded security posture. In most cases, the cost of an outside security consultant pales when compared with the cost of a breach, including business downtime, reputational damage, a potential ransom payment and data loss.
  • Invest in adequate cyber insurance. Cyber insurance helps mitigate the financial impact of cyberattacks and data breaches by covering costs related to incident response, data recovery, legal fees, business interruption and other potential liabilities.

The rise in AI usage has also spurred an increase in high-quality email impersonation attacks and business email compromise. With higher-quality phishing and social engineering tactics, scam emails look more realistic, so it is important to remind employees to pause and evaluate before responding, clicking on links or downloading attachments. Encourage employees to report suspicious emails to the network administrator to be checked for signs of trouble.

Financial institutions will never ask for personal information or account credentials in an email or text message, so it is good practice to call your bank directly if a suspicious email, phone call or text raises concerns about your business bank accounts.

It is important to note that, even with processes and protections in place, businesses can experience cybersecurity incidents and should be prepared to respond immediately. In the event of a cyber incident, businesses should cease all activity on the network or system, contact their bank(s), and change online banking passwords. Depending on the level and seriousness of the incident, businesses may also need to file reports with local police and the FBI’s Internet Crime Complaint Center. And it is critical to keep meticulous records of events around the incident to aid in the recovery process.

NBT’s Business Fraud Information Center provides a full range of resources and information as well as up-to-date fraud information and alerts to help protect your business from becoming one of the thousands victimized by scammers each year.


Terra Carnrike-Granata is senior director of information security at NBT Bank, and Andrew Frisbie is vice president and director of information security at NBT Bank.
