Page 59 - BusinessWest December 8, 2025
Strong Defenses
How to Protect Your Business from Cybercrime in a Digital World
BY TERRA CARNRIKE-GRANATA AND ANDREW FRISBIE
The ever-evolving digital world we operate in each day offers infinite opportunities for business growth and development, but it also presents many risks.
On the positive side, the artificial intelligence (AI) boom provides businesses of all sizes ways to streamline processes and operations, reduce costs, and generate revenue. On the other
hand, the explosion of AI technology has created new pathways for sophisticated cybercriminal enterprises to attack.
According to a recent study from Massachusetts IT Sloan Cybersecurity and Safe Security, 80% of ransomware attacks are powered by AI-generated malware, phishing campaigns, and deepfake-driven social engineering. The study asserts that “AI has made ransomware attacks faster, more efficient, and harder to detect.”
In today’s threat landscape, hacking is a business. Sophisticated organizations operate like legitimate businesses, and their primary goal is usually financial gain through theft, extortion, and exploitation. These fraudsters have legitimate businesses of all sizes in their crosshairs.
According to a survey from Mastercard of more than 5,000 small and medium-sized business owners, 46% have experienced a cyberattack on their current business, and nearly one in five that suffered an attack later filed for bankruptcy or closed their business. Smaller businesses often do not budget for adequate cybersecurity protection and have fewer internal resources dedicated to
cybersecurity, and criminals know it.
But even small or medium-sized businesses with limited cybersecurity budgets and resources can use these strategies to protect their assets from cyberattacks:
• Require multi-factor authentication (MFA). If your business does not require MFA, you are taking an unnecessary risk by leaving accounts and personal information unprotected and vulnerable to attack.
• Ensure all employees use strong, unique passwords, or consider passwordless options for improved security. The most important characteristic of a strong password is length, with between 12 and 21 characters recommended. Good passwords also avoid predictable patterns (such as 123456 and qwerty), and should not include personal information like birthdays, addresses, or phone numbers. Passwords should also be unique for every login. Passwordless options use passkeys or biometric identifiers in place of passwords and can be very strong if implemented properly.
• Install antivirus software on all company devices. Antivirus software protects devices from known and even suspected malware, which can steal your data, encrypt it so you cannot access it, or even erase it completely.
• Keep all device software patched and up to date. Patching is fundamental to security because fraudsters exploit known vulnerabilities. By keeping software up to date, devices receive regular security patches, which makes it much harder for hackers to exploit them.
• Educate your employees. A robust security program, combined with awareness of warning signs, safe practices, and responses to takeover, is crucial for protecting your company and customers.
• Invest in third-party cybersecurity expertise. Getting outside eyes on your company’s security environment is critical to a well-rounded security posture. In most cases, the cost of an outside security consultant is reasonable when compared with the cost of a breach, including business downtime, reputational damage, a potential ransom payment, and data loss.
• Invest in adequate cyber insurance, which helps mitigate the financial impact of cyberattacks and data breaches by covering costs related to incident response, data recovery, legal fees, business interruption, and other potential liabilities.
The rise in AI usage has also spurred an increase in high-quality email impersonation attacks and business email compromise. With higher-quality phishing and social engineering tactics, scam emails look more realistic, so it is important to remind employees to pause and evaluate before responding, clicking on links, or downloading attachments. Encourage employees to report suspicious emails to the network administrator to be checked for signs of trouble.
Financial institutions will never ask for personal information
or account credentials in an email or text message, so it is good
practice to call your bank directly if a suspicious email, phone
call, or text raises concerns about your business bank accounts.
It is important to note that, even with processes and protections in place, businesses can experience cybersecurity incidents and should be prepared to respond immediately. In the event of a cyber incident, businesses should cease all activity on the network or system, contact their bank(s), and change online banking passwords. Depending on the level and seriousness of the incident, businesses may also need to file reports with local police and the FBI’s Internet Crime Complaint Center.
It is also critical to keep meticulous records of events around
the incident to aid in the recovery process. NBT Bank’s Business
Fraud Information Center provides a full range of resources and
information as well as up-to-date fraud information and alerts to
help protect your business from becoming one of the thousands
victimized by scammers each year.
Terra Carnrike-Granata is senior director of Information
Security at NBT Bank, where she designs and implements
sophisticated controls to prevent loss and mitigate risk, while
also developing innovative ways to educate consumers and
businesses on cyberthreats. Andrew Frisbie is vice president
and director of Information Security at NBT Bank, where he
provides strategic leadership to and operational oversight of
the Information Security, Cyber Operations, Third-party Risk
Management, and Insider Risk Management programs.

