BeCyberSure explain the risks of cyber crime and how it affects small businesses just as much as their larger counterparts.
Ask the boss of a small or even medium-sized business if they have thought much about cyber security and the response will probably be similar to the one they give to the guy at the car rental agency who is trying to upsell them on the collision damage waiver: “I’ve already got that covered with my own insurance, thanks.” Persist a bit further and they might qualify that a little by saying “my IT department has it all covered”, even if truthfully they have no idea. In reality, rather like the customer who waives the extra insurance at the car rental counter, this state of mind reflects a twin belief: either it won’t happen to them, or, if it does, the cost of fixing things will be modest compared with the cost of protecting against it. It also reflects a belief that doing nothing means the problem will somehow go away, like not opening the red bills from the utility company. It won’t, and it is getting worse. The boss needs to realise that in doing nothing they are taking an active decision to take on risk. They also need to understand better what those risks are.
Cyber security is not just an IT issue
What is most important, however, is that the UK government is now declaring that this is no longer acceptable and that cyber security is not an IT issue but a board issue. To drive that point home, a new set of rules and regulations is coming in that will make the company liable for any breach of its data protection. The Global Data Protection Regulation (GDPR), which comes into force in a little under a year’s time, brings with it the threat of fines from the regulator of up to 4% of group global turnover if the company is deemed liable for a loss of data. The GDPR does not distinguish whether customer data is lost, stolen, sold or misplaced. If you cannot demonstrate that the organisation has the appropriate safeguards in place, it is vulnerable from all sides. To understand what this could mean, we could perhaps look at the Financial Services industry, where following the Global Financial Crisis in 2008 the regulatory regime was heavily intensified. If you take the situation seriously and demonstrate that you have made reasonable efforts to safeguard your systems and data, then the regulators will work with you. Ignore them, and the penalties from the regulator could make the actual inconvenience of a data breach the least of your problems.
What should be done?
So what should the prudent boss be doing about this? Well, just as it is sensible to look after your health and have regular check-ups, so it makes sense to have a cyber-health check for your company before these new regulations come in. You don’t need to break the bank, and much of the threat can be contained by proper software. But, to continue the analogy, this is an ongoing health regime: it’s eating properly as well as exercising regularly, all year round, not just in the two weeks before the medical. Nor is it just about software. Research shows that almost every data breach happens because the human firewall was breached. Your people might be your greatest asset, but they are also your weakest link in a cyber attack. However, done correctly, your people can really help an organisation protect its assets, defend against cyber attackers, act as a shield, and be effective against the growing criminal threat. State-of-the-art defensive software is necessary but not sufficient, for you or for the regulator.
Reviewing the systems, empowering and training your staff, and putting in place protocols both to prevent attacks where possible and to mitigate their impact when they do occur are all now needed to survive and thrive in our increasingly interconnected world.
Think human, BEFORE you think cyber.
Think security, NOT compliance.
BeCyberSure
For more information visit www.BeCyberSure.com