It can happen in an instant and without any maliciousness on the part of an employee. It can be as simple as someone clicking the wrong link. The fact is, cybersecurity incidents aren’t just happening on their own; people are easily falling for online scams. According to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involved the human element. But armed with the right knowledge, your company has a much better chance of avoiding such scams and breaches.

In an effort to make Cybersecurity Awareness Month a yearlong focus, we spoke with Christopher Schmigel, vice president and senior cybersecurity risk analyst at M&T. We asked him questions on how a small business can better protect the security of its employees, its customers and itself. Christopher has more than 35 years of technology experience, and 28 of those years have been with us, so you know you’re in good hands. Here’s what Christopher had to say.

Businesses can get a lot of calls, texts or email spam – some posing as banks like M&T. Many don’t know what to do when they receive them. Ignore them, delete or respond?

Well, first off, NEVER respond. M&T Bank would never notify you over the phone, through email or text message to:

  • Ask you to "verify" or "confirm" your personal information
  • Request your PIN, passcode, account details or Social Security number

We also would never text or email you to tell you that your account has been “locked” or “restricted.” It is M&T policy that we do NOT initiate a request for personal information via email or text. Unless you initiate the contact or we are completing an application for you, M&T will NOT request personal information. If you get these or similar requests from any organization, please do not respond. Ever.

For more information on identifying fraud, check out this article about protecting yourself from financial fraud.

What are a few tips for small businesses when it comes to cybersecurity?

There is no one-size-fits-all cybersecurity approach for businesses, but a good place to start is with the following five basic guidelines.

Be aware of fraudulent software and schemes.

Phishing is the most frequent and effective method that criminals use to try to convince individuals to click a link or share information such as their username, password or credit card number. Phishing can come in the form of unexpected or unsolicited emails, texts or phone calls that trigger emotions such as fear or sympathy. When a sender’s name is unfamiliar or incorrect and there are grammatical and spelling errors and threatening messages such as “account locked,” these are all good indicators that you’re dealing with a fraudster. You should delete these messages and report them if that option is available.

To stay clean, don’t click.

Even if you don’t provide any personal information, clicking links containing malicious software (malware) can provide criminals access to your systems. You and your employees should know the importance of reporting suspicious materials to your company’s cybersecurity department. If you don’t have one, you should contact your bank to put a hold on important accounts and check for fraudulent behavior if you detect suspicious activity. You should also complete a Federal Bureau of Investigation internet complaint. Keeping your machines clean with the latest security software, web browsers and operating systems can also greatly protect against viruses and other online threats.

Back up your backups.

Secure your data by creating multiple backups of your network’s files, systems and applications. The 3-2-1 rule refers to creating three different copies of your data, using two different storage types and keeping one copy offsite. For instance, iCloud can count as one, Google Drive as the second and then an external hard drive as your third. For more resources, check out this article on six effective strategies to prevent data loss.

Have a plan in place.

It is a wiser approach not to question IF you will be a target of a cybersecurity event but to be prepared for WHEN you become a target. According to Proofpoint’s 2022 State of the Phish report, “83% of respondents said their organization experienced a successful email-based phishing attack in 2021.” This was up 57% compared with 2020. Invest the time and effort to create a business continuity plan with one of our experts. This plan outlines how your business will be able to continue operating in the case of an unexpected disruption. It can also help to better prepare you and your company to manage a cyberattack and to restore your working environment and business processes if targeted. For more information, check out this short read on adapting a business continuity plan.

Hire the pros and save the headaches.

Even if you are a business with just a few employees or one that makes less than six figures a year, your business is just as vulnerable to becoming a victim of online fraud. Consider commissioning the services of professional technology support companies to assist you in securing your network. Purchasing cybersecurity insurance to help cover the costs of recovering from a system attack or data breach is extremely smart. Even setting up a firewall that prevents outsiders from accessing data is a great way to start securing your business. Here are 10 top cyber security companies for small businesses rated by Tech Journal.


How does M&T help to ensure its small business accounts remain secure?

M&T is dedicated to keeping your information as secure as possible. We maintain a comprehensive Enterprise Information Security Program that is shared with our regulators. And every day we’re evolving our security based on these five core functions:

  • Identify risks to systems, data and assets to prioritize M&T’s information security activities
  • Protect customers’ information by developing and implementing safeguards
  • Detect vulnerabilities by evolving technology that identifies abnormal behavior
  • Respond by creating activities that limit the impact of a detected cybersecurity event
  • Recover through executing plans that restore a natural or man-made event

Fraudsters continue to evolve the tactics they use, so it is vital to create a cybersecurity awareness training program to help keep your employees informed on the latest scams and threats. Your program should periodically train your employees on best practices and actions they can take to help protect your organization such as identifying and reporting phishing emails, creating strong passwords and enabling multifactor authentication (MFA) whenever possible. Even sending emails instructing your employees to update their passwords or sending a fake phishing message to see if anyone bites are easy ways to promote cybersecurity awareness.

Christopher and his cybersecurity team here at M&T are always on the lookout for your security online. There’s never enough protection when it comes to the safety of your business, employees and customers. M&T is always by your side to help detect and confirm fraudulent behavior and help make a plan going forward in the unfortunate event of a cyberattack. Together, we can make security month last for 365 days.

Stay safe out there, and please think before you click! For more about how M&T is committed to protecting you, visit our website.