Cybersecurity for SMBs
Cyberattacks are now a threat to businesses at every level. They put intellectual property at risk and disrupt the smooth running of your business.
But when it comes to protecting personal data, you can't afford to ignore the importance of the European General Data Protection Regulation (GDPR). Until now, unless you are a government organisation, there has been no obligation on you to tell your customers in the event that you suffer a data breach. From 2018, if you don't notify those affected by a data breach in your company, you will be breaking the law. Does your CEO want to end up on the 6 o'clock news because of a data breach? I think not!
Small and Midsize Businesses (SMBs) – The Soft Target for Cyberattacks
Perhaps the companies least prepared to protect against and respond to cybersecurity threats are Britain's SMBs. In reality, few SMBs outside the financial community have IT staff equipped with the specialist skills required to respond to a successful cyberattack, yet the actions that you take once a breach is discovered are critical if you want to be able to work out exactly how far the attack has spread. What's more, according to Symantec's latest threat report, 43% of all cyberattacks targeted SMBs.
Is Cybersecurity Really An Operational Priority for SMBs?
There is an understandable pressure on IT managers to do more without increasing headcount, and IT investments that will increase productivity will always be prioritised. What changes with the GDPR, however, is the requirement to build “Privacy By Design” into your business processes. Security can no longer be an afterthought. With the threat of fines up to 4% of turnover, not to mention the cost to your business of negative publicity surrounding a data breach, robust cybersecurity defences are not optional.
Where Should SMBs Start With Cybersecurity?
The best starting point for SMBs is the Government's Cyber Essentials Scheme. Cyber Essentials is a government-backed self-certification scheme that spells out the minimum recommendations for protecting your company against cyberattack. The main recommendations of the Cyber Essentials Scheme cover:
- Correct configuration of boundary firewalls and internet gateways.
- Secure configuration of computers and network devices.
- Best practices for user access control.
- Protection against malware.
- Patch management.
Of all the recommendations addressed in Cyber Essentials, patch management seems to require the closest scrutiny. Ransomware and zero-day attacks may account for the lion's share of the security headlines at the moment, but according to the last PwC Security Breaches Survey, 70% of successful attacks exploited known vulnerabilities. The message is clear: by keeping your system patches up to date, you will dramatically reduce your exposure to a cyberattack.
Data Protection Officers In The Spotlight
If your company employs over 250 users, the GDPR mandates that you will need to appoint a Data Protection Officer to monitor compliance with the GDPR. This in itself is not an insignificant task! If you are to monitor compliance with the procedures and protection that the GDPR requires you to wrap around personal information, you will need to create an information asset register and map the data flows that affect personal information in your company. Once you have done this, you will need to create policies to protect personal information throughout its lifecycle, not forgetting that you will need to delete personal information when it is no longer needed.
If you don't already have processes and procedures in place, you may wish to consider using software such as SecureAware that will provide you with templates for the creation of your information asset register, data maps, and even ISO 27001 / GDPR compliant policies.
In reality, improving cybersecurity is increasingly becoming a business imperative for SMBs. This is being driven both by the arrival of new legislation in the form of the GDPR and by “trickle-down” from larger clients for whom their SMB business partners are a clear source of risk.
Cyber Security Enterprise Account Manager