Cybersecurity Best Practices for 2026 & Beyond

An outsourced CFO can assess your cybersecurity processes and recommend enhancements.

It has been called “the crime of the 21st century” and even identified as a top national security threat. I’m talking, of course, about cybercrime. According to the FBI’s Internet Crime Complaint Center’s (IC3) 2024 Internet Crime Report, cybercrime losses exceeded $16 billion in 2024, which was a 33% increase from 2023. California was one of the top three states in the country reporting the most cybercrime complaints in 2024.

Much of the cybercrime targeting U.S. businesses is being perpetrated by highly organized criminal gangs located in former Soviet bloc countries, operating through proxy servers that mask their location. Many of these criminals are targeting middle-market companies that fall in the cybercrime “sweet spot”: They’re big enough to carry large balances in their corporate bank accounts, but they don’t have the resources to deploy the most advanced cybersecurity defenses like large corporations do.

Infecting Computers with Malware

The main goal of cybercriminals is to obtain sensitive information (think user names and passwords) that lets them hack into corporate bank accounts and make unauthorized funds transfers. This is accomplished by infecting corporate computers with malware via Man-in-the-Browser (MitB) attacks that capture employees’ keystrokes and online banking logins.

Email phishing and spear phishing schemes remain the preferred method of cybercriminals for planting malware. For example, criminals send fake emails supposedly from the business’ bank to finance and accounting employees stating that the company’s accounts have been frozen due to fraudulent activity and they must provide sensitive account information to unlock them. Or employees are instructed to click on a link that supposedly takes them to the bank’s website to fix the problem. Instead, they’re sent to a disguised clone site where malware is downloaded onto their computers.

Fortunately, it’s usually straightforward to identify phishing emails. They frequently use threatening or urgent language and are characterized by misspelled words and poor grammar. Also, the sender’s email address usually doesn’t match the address of the financial institution or company from which the message claims to have been sent. Instruct employees to simply delete emails that look suspicious without clicking on any links or downloading any attachments, or to show them to their supervisor if they aren’t sure.

Employee Education is Key

The best way to guard against cybercrime is to educate your employees about these cyberattacks and cybersecurity best practices. Instruct them to never reply to emails like these with sensitive account information and to never click on links in emails if they’re not completely sure of the source. Also urge caution with social media since cyberthieves are increasingly using social engineering to try to trick employees into downloading malware or divulging sensitive account information. Clarify what types of social media use are (and aren’t) allowed in the workplace and restrict access to some platforms, if necessary.

In addition, employees should be vigilant in protecting company-issued mobile devices (including smartphones, laptops and tablets) since these represent an easy point of entry for cyberthieves. Set up these devices so content is automatically deleted after a certain number of failed login attempts or if devices are lost or stolen.

Focus on the Fundamentals

By focusing on a few cybersecurity fundamentals, you can thwart the vast majority of cyberattacks. Here are four cybersecurity best practices you can implement at your business:

1. Enable multi-factor authentication (MFA).
As the name implies, MFA requires users to authenticate their identity at least twice before accessing financial accounts. For example, after entering their username and password, they must enter a five-digit code received via text or email to complete login. With MFA, it’s nearly impossible for cyberthieves to break into accounts and steal funds.

2. Use strong passwords.
These are perhaps the most important defense against cybercrime. Instruct employees to create passwords that are unique, complex (containing numbers, lower- and upper-case letters as well as special characters) and long (at least 12 characters). With a password manager, employees can use a single master password to access all their accounts online.

3. Keep software up to date.
Developers regularly update their software to plug security gaps exploited by cyberthieves. But these updates must be installed to be effective. Instruct employees to quickly respond to prompts they receive that updates are available. Or better yet, enable automatic updates so employees don’t have to do this manually.

4. Talk to your bank about cybersecurity tools.
Treasury management tools from your bank can help your business guard against cybercrime. For example, ACH Positive Pay lets you set filters that control how much money can be electronically transferred to a vendor or supplier. Some banks also offer security software applications that help prevent phishing and MitB malware attacks.

Concluding Thoughts

With cybercrime on the rise, it’s critical that middle-market businesses apply cybersecurity best practices. This starts with educating employees about common attacks, such as email phishing and spear phishing schemes and Man-in-the-Browser (MitB) attacks. Focusing on key cybersecurity fundamentals can help you thwart the majority of cyberattacks and protect your bottom line.

Arthur F. Rothberg, Managing Director, CFO Edge, LLC
