Small businesses are particularly vulnerable to cyber attacks, not because they are more likely to be hacked, but because many are so focused on establishing their core business that they have not allocated the appropriate level of management attention and resources to information security. Yet they do so at their peril.
GDPR is a legal requirement and failure to comply can lead to fines and punitive action. But it should not be viewed as a chore; it should instead act as a motivation to get your house in order. Because the harsh fact is that breaches can and do occur. In fact, 88% of UK businesses have been breached in the last 12 months, with well over a third (37%) forced to report a breach to the Information Commissioner’s Office. Many of these organisations, particularly SMEs, are simply not able to recover from the financial or reputational consequences of a serious attack.
In today’s digital environment it has never been more vital to put information security at the top of the board agenda and to ensure that it is reviewed critically and constructively. The long-term future of a business will depend on its security posture as well as its ability to bounce back from a breach.
Here we examine the what, who, how and when of information security for small businesses:
So, what questions should board members be asking? Here are a few things to consider when discussing your company’s risk posture:
- Do we back up our data regularly?
- Do we take specific steps to reduce the risk of malware?
- Do our employees know how to respond to potential phishing attacks?
- Are we relying on passwords alone to provide protection?
- Do we run regular vulnerability scans and penetration tests?
- Do we have a Business Continuity Plan in place?
If the answer to any of these questions is no, then it is time to be proactive and take steps to remedy the situation. Even if you can answer some of the questions positively, it is still important to drill down into the detail of your information security strategy to make sure you are not exposing your organisation to unnecessary risk.
Who is in charge of information security within your business? Although not every business is legally obliged to appoint a data protection officer (DPO), that doesn’t mean that you shouldn’t have one. Small organisations are typically not bound by the same GDPR requirements as their larger counterparts when it comes to appointing a DPO, yet it is important that every organisation has someone accountable and responsible for the security of its information.
Thankfully, GDPR provides organisations with a number of options for finding someone who meets the exacting standards. The DPO role can be filled internally with an employee focusing on data protection and compliance alongside other responsibilities (as long as there is no conflict) or the DPO role can be shared with other businesses or outsourced to a professional service provider.
Unlike GDPR, which does not have an actual compliance process, ISO 27001 is a security framework that provides very clear direction. In this way it can be a useful starting point for ongoing adherence to GDPR. ISO 27001 concentrates on policies and processes, including all legal, physical and technical controls involved in an organisation’s information risk management processes.
Its value is that ISO 27001 creates a robust environment to protect both staff and customer information assets. But of equal value is the fact that it also provides evidence to potential customers and partner organisations that your company prioritises the security of the information it holds. A specialist ISO 27001 consultant can provide expert guidance in how to achieve certification in a cost-effective way.
As the American writer and philosopher Mark Twain once said: “The secret of getting ahead is getting started.” So, the short answer to this is “now”. Establishing and enacting your information security strategy is best done when you have time to make measured decisions and engage specialist professionals to help guide you in reducing your risk. It is too late once a crisis or a breach occurs. If you do not have a protocol in place in the event of a breach, and a robust business continuity plan to hand, then you will be under immense pressure at the very time when you need to act quickly and effectively.