Act Like You’re Already Compromised: Cybersecurity Tips from the Solve iT Pros
The FBI Call That Changed How We Think About Identity Protection
A member of our team recently got a call from the FBI. That is not how anyone wants their workday to go.
The short version is that she may have been connected to a fraud investigation involving someone she knew years ago. The FBI had been trying to reach her, local law enforcement eventually got involved, and the whole situation became a strange reminder of something we tell clients all the time:
You should move through life as if your personal information is already out there.
That may sound a little grim, but it is actually the more practical way to think about security. The goal is not to live in fear. The goal is to make smart assumptions and reduce the damage when something eventually happens.
For most people and most small businesses, the question is rarely “Will my information ever be exposed?”
A better assumption is, “Some of my information is probably already floating around somewhere. What am I doing about it?”
Personal security is now business security
Years ago, personal identity theft and business cybersecurity felt like separate issues. Your credit card was your problem. Your work network was the company’s problem. That line is gone.
Employees use personal phones for work email. They access Microsoft 365, Teams, Slack, banking portals, CRMs, shared files, cloud apps, and client data from devices that also hold family photos, personal email, text messages, password resets, and banking apps.
That means a personal compromise can quickly become a business problem.
If an employee’s personal email is compromised, an attacker may be able to reset passwords. If a phone is compromised, business apps may be exposed. If someone’s identity is stolen, they may spend hours during the workweek trying to resolve it. If the situation is serious enough, that employee may be distracted, stressed, and unavailable for days or weeks.
That is not just a personal inconvenience. It is a business disruption.
Why employers should think about identity theft protection
I used to think of identity theft protection as a personal benefit. Nice to have, maybe. Similar to roadside assistance. I am starting to think about it differently.
For small businesses, identity theft protection may be one of those benefits that quietly pays for itself by reducing chaos. When an employee becomes a victim of fraud, the impact does not stay neatly contained outside business hours.
They may need to freeze credit, contact banks, file reports, speak with law enforcement, replace cards, monitor tax filings, and unwind fraudulent activity. That takes time. It also creates stress, and stress often shows up in performance, attendance, decision-making, and morale.
A good identity theft protection benefit can help with monitoring, alerts, restoration support, and access to specialists who know which steps to take and in what order. The value is not only the insurance component. The real value is having a team that can help the employee recover faster.
For an employer, that can mean fewer lost hours, less panic, and a stronger message to the team: we care about your well-being because your well-being affects the whole business.
This does not have to be expensive. Compared with replacing an employee, losing productivity, or having a compromised personal device create a business incident, it can be a very reasonable investment.
Act as if your information is already public
Here is the mindset I recommend for individuals and business owners:
-
Assume your email address is public.
-
Assume old passwords have been exposed somewhere.
-
Assume your phone number is in a database.
-
Assume your name, address, employer, and family connections can be found by someone willing to look.
Then build your habits around that assumption.
That means using unique passwords for every account. A password manager helps because nobody should be trying to remember 87 different passwords. It means enabling multi-factor authentication, preferably via an authenticator app or hardware key rather than text messages. It means reviewing bank and credit card activity regularly. Weekly is not unreasonable.
It also means freezing your credit when you do not need it open. A credit freeze is one of the simplest and most effective ways to reduce certain types of identity fraud. If you need to apply for credit, you can temporarily lift it.
For businesses, the same logic applies.
-
Assume employee credentials will be targeted.
-
Assume someone will click a phishing email.
-
Assume a vendor will change terms and conditions in a way that affects your data.
-
Assume a cloud app will add AI features that require review.
-
Assume a laptop will be lost, a password will be reused, and an invoice scam will eventually land in someone’s inbox.
Then plan for those moments.
What to do after exposure happens
When something suspicious happens, speed matters, but calm matters too.
Start by verifying the source. If someone calls claiming to be from a bank, law enforcement agency, software company, or insurance provider, do not use the number they give you without independently verifying it. Look up the official number yourself. Call back through a trusted channel.
If a financial account is involved, contact the bank or card provider directly. Replace the affected card or account access. Review recent transactions. Set alerts.
If credentials are involved, change the password immediately and check whether the same password has been reused elsewhere. If it was, change those too. This is where password reuse turns one incident into ten.
If personal identity information is exposed, freeze credit with the major bureaus. Consider fraud alerts. Keep records of calls, case numbers, emails, and reports. Documentation matters if the issue grows.
If a work device, work account, or business app may be involved, tell your IT provider immediately. This is where people sometimes hesitate because they are embarrassed. Please do not. We would much rather investigate a false alarm than clean up a breach that sat quietly for two weeks.
For business owners, make sure your team knows how to report suspicious activity. Make it easy. Make it normal. Nobody should need to decide whether something is “serious enough” before raising their hand.
Small business mitigation strategies
Every small business should have a basic identity and access protection plan. It should include:
-
Strong password management across the company.
-
Multi-factor authentication for email, financial systems, cloud apps, and remote access.
-
Security awareness training that uses real examples.
-
Clear policies for personal devices used for work.
-
Dark web monitoring for exposed credentials.
-
Regular review of admin accounts and user permissions.
-
Backups that are monitored and tested.
-
An incident response plan that says who does what when something goes wrong.
None of this has to be dramatic. It just needs to be consistent.
Security is not about pretending you can prevent every bad thing from happening. You cannot. Security is about reducing the odds, limiting the damage, and recovering faster.
The real goal is resilience
The lesson from our employee's situation is not that everyone should be paranoid. The lesson is that vigilance works better when it is supported by secure systems.
Individuals need habits that reduce risk. Businesses need controls that limit damage. Employers should consider benefits that help employees recover when personal fraud spills into work life.
Act like you are already compromised. Then build a life and a business that can absorb the hit.
If you are not sure where your business stands, start with a free threat assessment from Solve iT. We will help you understand your exposure, review your risks, and identify the steps that will make the biggest difference first.