The collection and use of customer data, and the increasingly large amount of data that businesses store about themselves, mean that cyber security has become a consideration for companies of every size. In fact, business security is now primarily about the digital world rather than anything physical. As a result, it’s very important that even small businesses understand what they need to do to keep their own business systems and information safe, along with their customers’ data. Failure to do so might mean severe financial difficulties, lawsuits, and even criminal prosecution. In this article, we’re going to briefly introduce you to what the law says about cyber security, how you can get better at it, and where you can find further resources.
Currently, there are few laws that directly pertain to your specific obligations in regards to preventing cyber security incidents, but the Data Protection Act 1998 does insist that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This ultimately means that it is your legal responsibility to keep consumer data safe, and that you should do everything you can to do so. Naturally, these same techniques will apply to keeping your own business data safe.
This is further reinforced by the upcoming GDPR regulation.
The General Data Protection Regulation (EU Regulation 2016/679) was agreed in 2016, and comes into force on May 17th of 2018. It is a hugely important development for cyber security, because it makes illegal a number of practices that would previously have been widespread. In short, it means that anyone collecting or handling EU citizens’ data must have a genuine, legally defensible reason for doing so, which in most cases will require consent. Data collection must also be transparent, and people can request access to or erasure of their data. In addition, GDPR makes the reporting of data breaches in a reasonable timeframe a legal requirement. This is particularly important to cyber security.
Cyber security incidents can take numerous forms, and are increasing in their complexity and impact. In order to help categorise them and plan mitigation for specific events, the National Cyber Security Centre has outlined four major categories. They are the following:
There are a huge number of things that you can do as a small business to prevent incidents such as those detailed above from happening, and it can be difficult to figure out exactly where to begin, especially if you are a small business with either no IT department or a very small one. Fortunately, there are a number of UK Government initiatives and international standards and certifications that can be used to make sure that you’re doing everything you can as a small business. Two of the most important are ISO 27001 and the Cyber Essentials Scheme. The former is for smaller businesses with significant cyber security needs, and the latter is useful for all businesses.
For more information on how adhering to these schemes can help you guard against cyber security incidents, read our article which explains what they contain here.
However, some of the main points that all small businesses should think about are the following:
Proper understanding of cyber security is vital for preventing serious incidents from occurring, which is why it is recommended that those responsible undertake training. Dedicated IT employees should have accredited qualifications where possible, but it is useful for just about any employee to have an understanding of what cyber security means for small businesses.
Virtual College offers two cyber security courses that will be useful for small businesses that wish to ensure their employees are clued up. The first is our Introduction to Cyber Security course, which will help any SME get to grips with protecting their business. The second is Data Protection at Work, which will help you stay on the right side of the law when it comes to holding other people’s data.