It's easy to assume that only big businesses need to worry about data breaches. With British Airways, Uber and Equifax all hitting the headlines for their high-profile data faux pas recently, you'd be forgiven for thinking that's the case.
Yet, small businesses face just as much risk as bigger companies. In fact, nearly half of UK businesses experienced at least one cyber security breach or attack in 2017, according to a government survey conducted as part of the National Cyber Security Programme.
The report also found that 66% of SMEs and 45% of microbusinesses have been victims of a cyber attack.
Yet the attitude of SMEs to cyber security is worrying, with only one in four having a cyber security governance or risk management plan in place. A recent Aon survey of 1,000 business owners found that half of company owners are confused about the do's and don'ts when it comes to data protection and privacy regulations.
Meanwhile, the cyber risks facing businesses are ever increasing. Cyber criminals are switching their focus to smaller companies, in recognition of the fact that they often hold significant amounts of data that may not be protected by multi-million-pound security budgets. The growth of flexible working and the accompanying need to access data 'on the go' creates additional vulnerabilities.
In addition, the European GDPR rules, which came into force in the UK in May, drastically increased potential penalties on companies found to have misused or mismanaged clients' personal data.
What does GDPR mean for my business?
Under GDPR, certain types of data breach now have to be reported within 72 hours, or companies can be hit with a fine. Although fines are expected to be issued as a last resort, they can be up to €20 million or 4% of annual turnover. This means the risk presented by non-compliance with GDPR has the potential to bring a small business to its knees.
While many companies have professional indemnity insurance in place, there are often significant costs that professional indemnity won't pick up. In the event of a data breach, firms will still need to cover the cost of responding to a breach themselves.
This can leave your business liable for hefty fees for notification services, forensic expert investigations, public relations consultants and the use of credit monitoring agencies to rectify problems and get your business back up and running, should the worst happen.
Protecting your business
With an ever-growing number of cyber security threats to consider, it can be difficult to know where to start when it comes to protecting your business.
There are, however, a few key steps you can take to protect your firm - and the good news is, none of them require significant investment.
1. Check your IT systems
Cyber attacks can come in many guises, so the first step to protecting your business is ensuring your IT systems are secure. Ask your IT team or consultants what protections you have in place already, and ask them what can be done to tighten security. Installing anti-virus software is one simple way to reduce your risk of an attack.
Other measures that can help include using a firewall and installing manufacturer patches as soon as they become available, to protect against known weaknesses and vulnerabilities.
2. Develop a cyber-conscious culture
In order to ensure staff behave in a way that minimises your risk of a data breach, it's important to put clear policies in place and to communicate them to your team.
Policies should include rules for keeping a clean machine (including what programs, apps and data employees can install and keep on their work computers, and how data should be indexed). Other things to cover include:
- email security;
- encryption (which should extend to all company mobile devices and even employees' personal devices, where they use these to access data);
- best practices for passwords and backing up work;
- clear procedures for notifying an appropriate staff member if strange things are noticed on an employee computer;
- instructions to ignore suspicious links in email, tweets, messages, or attachments (even if an employee believes they know the source).
Once your policies are in place, the key to firmly embedding a culture of cyber security is staff engagement. Communicate why it matters, and give them the tools to keep your data safe.
Regular training can help with this, as can including cyber security in inductions for all new staff members. Also make sure that your senior people are leading by example.
3. Check your insurance policy
Data breaches are, by their very nature, unpredictable, and so it is impossible to be fully prepared for every possible scenario. Even the most sophisticated cyber security measures can never guarantee complete protection.
In the event of a breach where there's a risk of harm to individuals whose data has been compromised, your business is legally obliged to investigate the cause, notify everybody affected and provide them with ongoing support such as helplines and credit monitoring - all of this within 72 hours.
When you consider the specialist - and often short-notice - support you may need from cyber security experts, lawyers, call centres, IT and PR consultants, it's easy to see how the cost of responding to a breach in a way that is compliant with GDPR can quickly spiral.
For peace of mind, consider purchasing a cyber insurance policy. These policies can be surprisingly affordable and will ensure you're covered not only for the cost of responding to a breach, but for the costs of damages and claims expenses you're legally liable to pay in the event of a breach.
When arranging cover, ask your broker to ensure your policy comes with a pre-approved panel of providers who can help you take immediate action in the event of a breach and notify those affected. Also, check your policy covers any financial losses as a result of cyber crime, including ransomware claims.
A specialist cyber insurance policy will buy you peace of mind that, should the worst happen, you will be able to meet regulatory requirements as well as keep your business running.
By taking these steps, it's possible to protect your business against the ever-increasing risk of a cyber breach without breaking the bank.
Copyright 2018. Featured post made possible by Chris Mallett, Broking Manager for Aon's Affinity - helping businesses understand the threats facing them and how these risks can be managed.