Andrew Stellakis, managing director of computer consultancy Q2Q IT, explains the steps you should take to protect your business against a data breach.
There’s been no shortage of high-profile data breaches hitting the headlines lately – Ticketmaster, Whitbread and the NHS have all faced media scrutiny as a result of sensitive customer, employee or patient information being compromised.
And whilst the potential operational and reputational damage that a breach can cause is nothing new, the financial implications for breaking recent GDPR laws are far more severe than previous penalties.
Companies now face fines of up to £17m or 4% of global turnover if any personally identifiable information is lost or stolen, making data security a crucial matter that firms cannot afford to overlook.
So, as a small business owner, what should you be doing to protect your SME against a breach?
Firstly, understanding where your data is stored and what security measures are in place is key.
You might have already undertaken an audit of personal data processing as part of your GDPR preparations, but this identification process should encompass all files on your systems – not just those containing employee, customer or other individuals’ information.
Looking at your current infrastructure is important here, particularly in terms of storage and back-ups.
Are you still relying on physical servers and manual replication processes?
If so, switching to an automated and encrypted cloud-based service would not only provide you with an improved level of security, but also scalable storage capacity and a far more efficient back-up procedure – essential for data recovery in the event of a breach.
Up your security
The sheer number of security options available can be overwhelming, but there are certain essentials that every SME should have in place.
Using a firewall secures your internet connection and screens any incoming traffic before it’s allowed into your network, whilst anti-malware software helps guard against harmful viruses and ransomware.
Strong passwords should be implemented – and two-factor authentication employed where possible.
Keeping your computer systems and software up-to-date is also crucial – malware is ever-evolving, so the longer you leave between installing updates, the higher the risk of a new-fangled virus slipping past your defences.
Arm your employees
Your people are both your greatest weapon and biggest weakness when it comes to data security, so ensure they’re clued up on deterring potential threats.
That might mean enlisting a specialist training provider, or simply having effective cyber-security and BYOD (Bring Your Own Device) policies in place that everyone follows.
By equipping your team with the skills and knowledge they need to detect any threats and combat them accordingly, you’ll ensure they’re a help rather than a hole in your defences.
Limiting user permissions – so employees only have access to the software, settings, online services and device connectivity functions that enable them to do their job – also reduces the possibility of data being compromised.
Be wary of access
Similarly, where external suppliers are appointed, you need to ensure they can be trusted to safeguard your data.
A number of recent significant data breaches have occurred as a result of vulnerabilities within third-party software.
For instance, the Whitbread breach that affected Costa Coffee and Premier Inn job applicants occurred within the PageUp online recruitment system, while the data of over 150,000 NHS patients was compromised thanks to a coding issue with the TPP-developed SystmOne application.
If data is leaked through an external supplier, the fault may lie with them, but it is ultimately you – the data controller – who is culpable for failing to protect that information.
For new or existing providers, check out their privacy policies and contractual small-print, and don’t be afraid to ask about their security procedures.
Similarly, make sure you ask for help if you need it.
Data security is an ongoing battle that is only set to continue, so if you’re unsure about any aspect of safeguarding your SME – whether that’s with the implementation of effective security measures, or what you should be looking out for in third-party terms and conditions – it’s better to ask for assistance from a specialist and be safe than neglect your data protection responsibilities and be sorry.