6 steps to protect a very small business from ID theft

By Gwen Moran

For the self-employed and owners of very small businesses, whose time and energies are devoted to growing the company, data security often falls in priority.

It shouldn't. Protecting your business and your clients' financial data is critical to averting the kind of disaster that could tank your business dreams.

The dangers are real. According to a 2014 survey by identity theft and fraud protection firm CSID, the number of attacks against small and mid-sized businesses skyrocketed from 18 percent in 2011 to 31 percent in 2013. Yet many -- especially very small businesses -- are not doing anything about it. Only 29 percent of companies with fewer than 10 employees are taking any measures to protect against security risks, including identity theft of their own and their customers' information. 


"Fraudsters are stealing as much as $1 billion a year from small and mid-sized businesses in North America and Europe, and the numbers are only going to increase," says Mike Gross, global risk strategy director with 41st Parameter, a business fraud prevention firm owned by credit reporting giant Experian. "Because the largest institutions have sophisticated fraud prevention solutions in place, the latest fraud attacks are looking to exploit the next tiers of businesses that are typically not as well defended."

Soloists, freelancers and microbusinesses with few employees often have scarce resources available for ID theft prevention. But there are still a number of practical, affordable steps you can take to make it tougher for criminals to steal your valuable information.

1. Operate with an EIN.
While a corporation or limited liability company must have a separate employer identification number (EIN) for tax identification purposes, a freelancer or small-business owner may operate as a sole proprietorship under his or her Social Security number, even if the business has employees.

Just because you can, doesn't mean you should. It's generally a better idea for sole proprietors to use an EIN, which can easily be obtained through the IRS website. Keeping business and personal finances separate is a good idea for many reasons, including identity theft prevention.

"That protects the business owner," says Paige Hanson, educational programs manager with the identity theft protection firm LifeLock. "If the business becomes a victim of identity theft, it won't be tied to your identity. If the business identity is stolen, hopefully it won't trickle down to you personally."

2. Secure sensitive files -- online and offline.
From bank statements to tax return filings to customer lists, your business may have a number of paper and electronic files that hold sensitive information. Gross suggests taking some basic measures to protect paper documents, such as using a secure mailbox, shredding any documents you don't need and keeping sensitive files in a locked area or other secure location.

It's a message not lost on barber Domenic Sciortino, owner of Mt. Rose Barberama in York, Pennsylvania. He keeps copies of important documents in a safe and shreds statements, credit card offers and other unnecessary paperwork that could give fraudsters access to his business or allow them to open credit lines in his business name. "We're very careful about that," he says. "We don't have duplicates anywhere and I know exactly" where sensitive information is kept.

To combat digital fraud, make sure your computer systems have appropriate firewall, anti-virus and anti-malware technology, says Suzanne Barber, director for the Center for Identity and a professor in electrical and computer engineering at the University of Texas, Austin.


Free software is available, but it may not include all of the components you need, or it may come with adware or spyware. Off-the-shelf security packages such as those from Symantec and McAfee are usually sufficient for very small businesses, and some products now offer protection that extends to mobile phones and other devices. Be sure to update patches in a timely manner by allowing automatic updates.

Also, check with your Internet service provider to find out how it protects your data. Find out which third-party security vendors it uses, then check the vendors' websites to learn about how frequently they update their solutions and whether certain content types are protected -- for example, email attachments.

You'll also want to find out the type of protection they offer. Are they using firewalls and anti-virus, anti-spam and anti-spyware software? Think about your online activities and make sure the ISP has the right solutions in place for you.

3. Establish good internal controls.
Businesses with employees need to pay extra attention to security. Barber says it's important to use passwords or otherwise restrict employee access to certain documents, such as customer lists or accounting files. She also recommends establishing a clear protocol to follow in the event of a data breach, including assigning someone to manage the breach and outlining what actions need to be taken.

For retail businesses, Barber suggests business owners review security footage for suspicious activity, such as an employee taking a customer's card away from the register to run a transaction. You should also regularly check any credit card terminals or ATM kiosks for skimming equipment.

Even businesses without a lot of employees need good controls. New Orleans jewelry designer Anne Renee Timmons-Harris, founder of A.R.T. Precious Collectible Jewelry, works from home with her husband and co-founder. Experience makes her extra cautious. In the early days of the business, she received an online order that just didn't "feel right." She tracked down the person whose card was used and called him. When she told him why she was calling, he "spilled his coffee in his lap because he hadn't placed the order," she says. 

She realized that if it was that easy for someone's card to get stolen, she couldn't take any chances with her own identity. Even though only she and her husband have access to their files, they change passwords at least quarterly and use random password generators, saving passwords offline on a jump drive to keep them away from Internet hackers.

4. Ask vendors about their information practices.
You may be asked to provide sensitive data on credit applications or other documents when you work with vendors. Hanson recommends asking about their security practices to ensure you're not putting sensitive data in the hands of a company that doesn't adequately protect it. 

It's perfectly reasonable to inquire about where customer data is kept and how it's protected. If the vendor can't answer those questions to your satisfaction, it might be a red flag that your data would be less than secure with them.

5. Deter device-centered hacking.
The "bring your own device" trend -- where employees use their personal mobile phones and other devices for work -- introduces extra risks to a small business. Gross says such devices need to be password-protected to ensure that sensitive company information can't be accessed if the device is lost or stolen.

Mobile payment solutions such as Square and PayPal Here that allow you to connect a card reader to a smartphone or tablet may also increase security risks. "The risk is definitely real with mobile payment solutions, and account takeover fraud should be an immediate concern for small-business owners," Gross says.


He suggests that business owners closely protect their account credentials because a fraudster gaining access to that account could easily divert funds from legitimate transactions to another account. 

If you're considering using a mobile payment system, look for a system that uses the best possible encryption methods and devices that require the highest level of authentication available in order to limit the ability of others to misuse your device, says Barber.

Consider employee access controls, too. Sciortino, for example, uses a tablet and one mobile payment system for eight stylists. He uses separate passwords for each stylist, so they can all use the tablet-based system, but no one has access to any information but their own.

6. Check your statements and profiles regularly.
Keeping an eye on your accounts is one of the best methods of halting fraud before it gets out of hand. Experian and other credit reporting agencies offer monitoring services that can help. is a nationwide program from the National Association of Secretaries of State to help combat business identity theft, data breaches and other types of fraud. Some states offer free email alerts to notify you when information related to your business identity changes. According to the organization's website, you can also use your state's online Business Identity Search to enter your business name and review information about your business.

It's also a good idea to review your banking agreements to determine whether your business accounts have protection against fraud, which can differ from consumer protections. In addition, review your insurance policies to see what, if any, coverage you have in case of a data breach that exposes customer information or if you incur other losses from fraud or ID theft.

Besides regularly reviewing his bank statements to make sure no fraudulent transactions have occurred, Sciortino uses a business credit profile monitoring service to alert him if there are changes to his company's credit record, such as new lines of credit or negative reporting. "It lets me know if anything affects it -- I get a notice right away," he says. 


Published: March 9, 2015


Updated: 10-23-2016
