The GDPR data security risks facing SMBs
With the deadline for compliance with the General Data Protection Regulation (GDPR) fast approaching, misinformation is still swirling, especially within the small business space. One of the biggest myths is that GDPR data security risks somehow do not apply to small and medium-sized business owners or managers. Wrong.
Seriously wrong. In fact, it is the UK’s smallest businesses that are most at risk – of both data breach and regulatory fine.
From May 25th, 2018, the Information Commissioner’s Office (ICO) will be able to impose incredibly punitive data protection fines: up to €10m or 2% of annual turnover (whichever is higher), or up to €20m or 4% of annual global turnover, depending on which part of GDPR is breached.
If these figures are not enough to focus attention, small businesses have become a prime target for cyber criminals who are leveraging automated tools to cruise the Internet and get in and out of unprotected organisations quickly. While the primary goal is ransom or fraudulent access to data, the attendant risk of personal data exposure cannot be ignored. Larger organisations are typically far better protected with robust online data security; the small business – with its somewhat laissez-faire attitude to data protection – is a more appealing soft target.
Ignorance is not bliss
No company can afford to ignore GDPR data security risks – from financial information located in cloud-based systems and accessed by managers working remotely, to competitively sensitive information shared via email, the volume and significance of data that is routinely in transit represents a massive business risk.
Regulators are not going to be sympathetic in the event of any data breach or misuse. Should a problem occur, the ICO’s first question will be: what steps have been taken to protect data? The more robust the processes in place to protect against GDPR data security risks, the more lenient the regulator is likely to be. Those small businesses that have failed to, for example, educate employees or encrypt customer data can expect to have the book thrown at them.
So, what next? Put someone in charge. While smaller organisations are not required to appoint a Data Protection Officer (DPO), doing so is a good start. Embark upon a programme of employee training and education, including raising awareness of the risk of using public Wi-Fi, and back up that education with robust procedures and software to protect business data.
To safeguard data both at rest within the business and in transit, organisations need to build on basic anti-virus and anti-malware solutions, adding anti-spam, two-factor authentication, a firewall, online encryption and even hard disk encryption to lock down and secure sensitive data. It is this depth of security posture – especially online data encryption – that will enable businesses to demonstrate that data security is taken seriously.
It is the ability to demonstrate that all reasonable precautions have been taken that will be key to mitigating GDPR fines.
To learn more about mitigating your GDPR security risks and how employees are the biggest security threat to your business, download our eBook “Employees: The biggest cyber security threat to businesses”.