Small businesses have not historically been the target of cybercrime but in 2015 something drastically changed. This year’s Government Security Breaches Survey found that 74pc of small organisations reported a security breach in the past 12 months. SMEs are now being pinpointed by digital attackers.
Risks to personal data have set off a wave of regulatory compliance, with heavier penalties for personal data breaches in the UK.
And at the same time as the Information Commissioner’s Office (ICO) has been increasing activity at a national level, the European Commission has proposed a major reform of EU data protection laws.
What can be done to help small businesses maintain trust, protect their reputations, and improve their bottom line?
1. Never assume anything
Don’t fall into the trap of believing that size exempts you from a breach. Targeting SMEs can give hackers access to larger companies. Your first step is being aware of the threat.
2. Loose lips sink ships
Bad business practice leads to most data breaches – think of that wartime slogan “Loose lips sink ships” – low physical security, lost memory sticks, non-password-protected devices and loudly talking about private matters in public.
In fact, according to a recent Government study “50pc of the worst breaches in the year were caused by inadvertent human error.”
3. Identify your security risk
Identifying your security risk is imperative before you can figure out what to do about it. An information security management system (ISMS) standard such as ISO 27001 can provide a framework to identify and manage information security risks in a cost-effective way.
4. Protect your Achilles heel
Research has shown that human error is the leading cause of cyber-breaches, with trusted insiders often being most at fault. Ensure staff have gone on security awareness training.
Similarly, staff members need to make their personal information security a natural part of their routine – this will also help secure corporate information.
5. Be social-media-savvy
Social media are an inexpensive way of gathering information about people. But if not properly secured, accounts enable access to email addresses, telephone numbers, location settings and details of family and friends.
Passwords become easy to crack with all this information. Change passwords regularly, or use an information security management system based on a standard such as ISO 27001 to manage this for you.
6. Network safety
Do you allow staff to bring their own devices to work and access your network? Can you be confident that family members are not also using it?
Are you aware of the malicious code being added to free apps downloaded on to mobile devices? If not, you need a policy in place for this.
7. Sharing with care
Sending information between organisations happens daily, but it should be done with extra care. If information is shared with a supplier, the company would be failing in its duty of care if the supplier’s handling of that information was insecure.
Questions you need to think about are: what information needs to be shared? And what safeguards do suppliers have in place to protect confidential data?
8. Passing clouds
Providers of your cloud service ought to be ISO 27001 certified and operating in compliance with the Cloud Security Alliance (CSA) STAR certification requirements.