Andrew Stellakis is managing director of managed IT support specialist Q2Q IT. Here, he explores some practical steps that small business owners can take to safeguard themselves against a data breach.
Data breaches are everywhere at the moment, it seems. You certainly don’t need to look far before stumbling across a headline about a company selling customer details, or another falling victim to a cyber attack. Penalties of up to £17m – or 4% of global turnover – now loom over companies who fail to comply with the GDPR’s rigorous rules surrounding how personally identifiable information should be processed and protected. This means data security is one crucial matter that firms cannot afford to overlook.
And with these hefty fines now in full force, the implications of such instances of compromised data have never been so severe. British Airways, Ticketmaster, the NHS and other large organisations have been in the media spotlight lately for huge breaches – and similarly huge fines – but the threat of such data leaks isn’t confined to big businesses, and nor is the consequential reputational and financial damage. In fact, it’s a dangerous misconception amongst many UK SMEs that only larger companies are at risk.
A recent government report revealed that 42% of small and micro businesses have identified one or more data breaches or cyber attacks within the past year, while independent research from Appstractor claimed that UK SMEs faced an average of five hacks in the same timeframe – both sobering statistics for anyone thinking they’re immune.
So, what steps should you be taking to protect your business against a breach?
Take stock of your data
First things first – understanding what important data you hold, where it’s stored and what security measures are in place is crucial. It’s likely that you’ll have already undertaken an audit of personal data processing as part of your GDPR preparations, but for this identification procedure, it’s vital to take everything on your systems into account – not just files containing employee, customer or other people’s information.
Assessing your current infrastructure is essential too, particularly in relation to storage and back-ups. Are you still relying on physical servers, and replicating important files manually? If so, then swapping to an automated, cloud-based service – with in-built encryption – would not only provide you with an extra layer of security, but also deliver scalable storage capacity and an infinitely more efficient back-up procedure. This is an essential tool for data recovery in the event that a breach or loss does occur.
Ramp up your security
Although the vast array of different security options available can be daunting, there are certain essentials that all businesses should have in place. For instance, a firewall is crucial to secure your internet connection and screen any incoming traffic before it enters your network, whilst anti-malware software helps prevent harmful viruses and ransomware from infecting your systems.
It goes without saying that robust passwords should also be implemented – using a password manager such as LastPass if possible – and two-factor authentication considered, adding an additional level of safeguarding via an approved secondary device.
Once these measures are in place, it’s crucial to keep both your systems and software up-to-date. Failing to install updates can leave you susceptible to new, more advanced types of malware, so be sure to keep on top of upgrades and not let any subscriptions run out!
Equip your employees
Where data security is concerned, your people can either be your greatest weapon or biggest weakness – it all depends on how well-equipped they are to deter potential threats. Whether you need to enlist a specialist training provider – or just implement effective cyber-security and BYOD (Bring Your Own Device) policies that everyone follows – will vary from business to business. But for all companies, ensuring each employee has a satisfactory working knowledge of the basics – including how to spot threats and potential breaches – is imperative.
Operating a role-based access approach can also help strengthen security for SMEs. By limiting user permissions – so that employees can only access the software, settings, online services and device connectivity functions they need in order to fulfil their job requirements – the possibility of critical business data falling into the wrong hands is significantly reduced.
Be wary of external access
Accessing files remotely can also pose a threat to your data security, so if you offer such flexible working options, it’s vital that safeguards are in place to protect company files against loss or theft. For instance, it should be part of your IT or BYOD policy that all devices used to access company files – both in and out of the office – must be encrypted, to prevent sensitive information from being read if the laptop, phone or tablet is lost or stolen.
Similarly, whether using a home or public WiFi network, employees should be encouraged to use a Virtual Private Network (VPN) to protect data that’s being sent or received via the internet from being intercepted by others with access to the network. There are free versions available, but the most robust and user-friendly VPNs tend to be paid-for, so it’s a good idea to factor a company subscription into your IT budget – especially if team members regularly work remotely.
Check your suppliers’ security
Where external suppliers are privy to certain sensitive data, you must be able to trust that they’ll protect it. Many recent significant data breaches have occurred as a result of a vulnerability within third-party software – including the latest one affecting the NHS, for example.
This saw the information of over 150,000 individuals being compromised, as a result of a coding error within the TPP-developed SystmOne appointment booking and patient record application.
But in the event of information being leaked through an external supplier, while the fault may lie with them, it’s ultimately you as the data controller who is culpable for failing to protect that data.
Therefore, for both new and existing providers, it’s essential to check their privacy policies and any contractual small print before signing up to anything. And don’t be afraid to ask about their security procedures.
You shouldn’t be worried about asking for help if you need it either. Data security is an ongoing battle with no end in sight. So, if you’re unsure about any aspect of safeguarding your business – whether through implementing effective security measures, or vetting third-party privacy policies – it’s a good idea to seek assistance from an IT support provider that’s well-versed in security.
Preparation is vital when it comes to avoiding a data breach, so if you need help to ready your business against ever-advancing threats, then be sure to ask for it.