It's never too early to protect against cybercrime.
Tax time can be a cybercriminal's paradise, as there are so many more opportunities to prey upon vulnerable small businesses. And even if you've already filed your 2018 returns, you're still at risk, as fraudsters don't take time off work.
Even so, there are steps every business owner can take to safeguard information, according to Daniel Eliot, Director of Small Business Programs at the National Cyber Security Alliance, or NCSA. Here are five tips on how to prevent a cyber attack from sidelining your business all year long.
1. Guard your identity.
Employer Identification Numbers (EINs) are gateways into a company's sensitive information and a popular tool among cybercriminals, who use them to open new lines of credit or obtain credit cards, according to the Internal Revenue Service. To get hold of your company's EIN, cybercriminals will mousetrap small businesses into filling out forms on fake websites. The IRS advises employers to be wary of any email that requests sensitive information.
Business owners are encouraged to contact the IRS if they experience any of these issues:
- A file request is rejected unexpectedly with an alert that your company's EIN is already on file.
- You receive a tax transcript or a notice from the IRS for filings that were not submitted.
- You fail to receive expected and routine notices from the IRS, which often could indicate that the identity thief tampered with addresses.
2. Expand insurance coverage.
Not all general liability policies cover cyber incidents, and recovering from cybercrime can be costly -- especially as ransomware becomes a more regular threat for small businesses. If your company does not have a cyber insurance policy, you'll have to determine whether your business needs first-party or third-party coverage.
First-party plans are often what non-tech firms need to stay protected from everyday cyber risks. This type of insurance will mitigate costs following a breach and help a company restore lost data. On the other hand, if there is a regular possibility that human error at a company could lead to larger data security breaches, your safest choice might be to consider third-party coverage. Tech companies that store sensitive client information, such as IT companies and software companies, gain an eminent benefit from the wider legal protection offered by third-party plans.
3. Implement protocols for remote work.
For businesses that employ remote workers, it's important to remember that public networks are not secure and that sensitive company information is at risk when it is handled over public networks, the NCSA notes.
"All companies need to ensure that employees who work remotely are connecting via a secure network, like a virtual private network (VPN) or mobile hotspot," Eliot says.
Setting up a company VPN encrypts the data that moves within the network, lowering the odds of remote workers getting hacked and putting a company in a vulnerable situation. Investing in VPNs can cost less than $5 a month with companies like CyberGhost, NordVPN, and Goose VPN.
4. Train your staff.
Phishing scams, or cybercriminal attempts to obtain sensitive information, have become so sophisticated that more than 90 percent of cyber incidents begin with an email, according to the NCSA. For this reason, employers should, at the very minimum, implement email security training in the onboarding process for all employees, regardless of title or position, Eliot says. Effective training includes phishing simulations, computer-based modules, and infographics. The NCSA launched the CyberSecure My Business program in 2017, which offers in-person interactive training for SMBs.
5. Devise a post-data-breach plan.
Every company should have a protocol for what measures to take in the event of a data breach. "Business owners are encouraged at the very least to familiarize themselves with the data breach notification law for the state where the bulk of their customers and employees reside," Eliot says. Immediate action following a cyber breach is essential to minimizing impact and costs.
In the event of a breach, the IRS recommends taking the following actions:
- Contact the IRS and law enforcement.
- Report customer data theft to your local stakeholder liaison.
- File a police report and contact the local Federal Bureau of Investigation office if advised to do so.
- Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
- Report the breach to the state attorney general for each state in which you prepare returns. (Most states require the state's respective attorney general to be notified of data breaches.)