How data protection law helps SMEs protect themselves from attack


Date: 21 May 2019

[Image: A small business employee logs into a secure online system designed to protect customer data.]

As an increasing portion of human activity migrates online, so do businesses. From liaising with clients and advertising products to providing customer support or engaging in online retail, most companies in the UK and elsewhere have some form of online presence - including SMEs.

Selling products and services online can be very profitable, as customers seek out the convenience of online shopping. According to Statista, made more than $5 billion in 2018, while Tesco sold roughly $3.1 billion worth of products online and Argos saw more than $2.3 billion in online sales.

SMEs increasingly see the potential of having their own online shop, while also taking advantage of software solutions to streamline day-to-day operations. However, an increased digital presence brings dangers of its own. Hackers are out to get as many victims as they can, and British SMEs must be prepared.

Step one: understanding your needs

As more and more data breaches are reported on the news, including worldwide catastrophes like the WannaCry incident that devastated the NHS, keeping data secure has emerged as a top concern for firms of all types. For most businesses, this includes identifying hidden risks they were not aware of, such as rogue databases or compromised users.

In order to draw up a sound cybersecurity policy, every business must first assess its situation and understand what is at stake. This means identifying how much data you hold, where it is held, and what types of data it comprises. This matters because it paints an accurate picture of what kind of defences you might need.

If you hold data in the cloud, you will likely require specific protection geared towards cloud computing, while data saved on company computers that are connected to other devices over the internet also needs special handling. The categories of data that you store and process are of paramount importance.

SMEs active in fields such as healthcare or payments will have to routinely deal with sensitive and personal data like health status or banking details, which call for increased security measures.

Finally, it is important to understand which laws your business is subject to, in order to ensure that you adhere to regulatory requirements. For instance, if the United Kingdom finds itself outside the EU once Brexit fully unfolds, the latest General Data Protection rules will still apply directly to UK SMEs serving or monitoring EU-based clients.

They also form part of the UK Data Protection Act 2018, which provides for hefty penalties for companies failing to comply with its requirements. The standard maximum penalty is 2% of the company’s total global turnover in the previous year or 10 million Euros, whichever is higher. For the higher maximum, these figures rise to 20 million Euros or 4% of annual turnover respectively.

In practice, compliance means taking extra precautions and thoroughly vetting everyone who handles data on your behalf - so most businesses need to make sure they have drawn up service level agreements with their providers.

Where attacks come from, and how to prevent them

According to research published in Fortune, China, Russia and Iran are the sources of most cyber threats to US businesses. This is easily explained by the tension between these countries and the US, which makes cyberwarfare a tool for both sides.

In this battle, local businesses and SMEs are often caught in the crossfire, as foreign hackers are keen to learn their trade secrets, gain access to valuable IP or simply disrupt the smooth economic lifecycle of an adversary. The same holds true for UK businesses, as China ranks first worldwide in terms of telnet hacker attacks, intended to dupe victims into downloading malware.

As reported, a whopping 27% of telnet attacks come from China. This means that UK businesses must prepare to fend off a variety of attackers - often targeting them through sophisticated means from very far away.

SMEs are far from safe, as has been proven. Attacking small and medium-sized businesses is an essential part of every hacker’s strategy, whether the aim is to extort money from them or simply to use them as a means to an end - to gain access to client information or as a springboard for further attacks.

Against this backdrop, it is essential that cybersecurity issues are addressed top-down in any company. Having experienced IT staff on board is crucial, as is educating every single employee on the dangers of cybercrime and how to avoid falling victim to it. This is especially important for stealthy attacks like phishing scams, which usually find their way in through low-level employees.

Yet company directors must also be up to scratch - particularly since they will be the ones drawing up the company’s policy, as well as facing the backlash from a data breach. Establishing a comprehensive cybersecurity policy and disseminating it through a company handbook, regular employee training and specialised contracts with suppliers and staff is necessary to properly safeguard your data.

This policy should cover every aspect of cybersecurity, from implementing preventive technical measures such as anti-malware software or data masking to setting up an incident response plan to mitigate breaches as quickly as possible.

In an increasingly digital world, rigorous attention to data security is no longer “going the extra mile” - it's fundamental for every business.

Copyright © 2019. Article written by Jamie Heap.
