Introduction to Cyber Security for Small Businesses

The collection and use of customer data, and the increasingly large amount of data that businesses store about themselves, means that cyber security has become a consideration for companies of every size. In fact, business security is now primarily about the digital world rather than anything physical. As a result, it’s very important that even small businesses understand what they need to do to keep their own business systems and information safe, along with their customers’ data. Failure to do so might mean severe financial difficulties, lawsuits, and even criminal prosecution. In this article, we’re going to briefly introduce you to what the law says about cyber security, how you can get better at it, and where you can find further resources.

The Law & GDPR

Currently, there are few laws that directly pertain to your specific obligations in regards to preventing cyber security incidents, but Data Protection Act 1998 does insist that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This ultimately means that it is your legal responsibility to keep consumer data safe, and should do everything you can to do so. Naturally, these same techniques will apply to keeping your own business data safe.

This is further reinforced by the upcoming GDPR regulation.

The General Data Protection Regulation (EU Regulation 2016/679) was agreed in 2016, and comes into force on May 17th of 2018. It is a hugely important development for cyber security, because it makes illegal a number of practices that would previously have been widespread. In short, it means that anyone collecting or handling EU citizens’ data must have a genuine, legally defensible reason for doing so, which in most cases will require consent. Data collection must also be transparent, and people can request access to or erasure of their data. In addition, GDPR makes the reporting of data breaches in a reasonable timeframe a legal requirement. This is particularly important to cyber security.

Types of Cyber Security Incident

Cyber security incidents can take numerous forms, and are increasing in their complexity and impact. In order to help categorise them and plan mitigation for specific events, the National Cyber Security Centre has outlined four major categories. They are the following:

attempts to gain unauthorised access to a system and/or to data - This means that the mere attempt to get into a system without permission is considered an incident. This could be as minor as someone trying to guess their colleague’s password, to a major attempt to break into a business’ financial data.
the unauthorised use of systems and/or data - This is when a malicious party actually gains access to your business software, hardware or data and uses it. For small businesses, this could be when a hacker manages to break in and steal customer data to be ransomed or sold.
modification of a system's firmware, software or hardware without the system-owner's consent - Viruses and other types of malware are well understood by most internet users, and they might modify software or hardware to make it unusable, or inaccessible.
malicious disruption and/or denial of service - Cyber criminals can cause problems without actually gaining access to networks. By overloading them, they can stop them from working properly, which can cost businesses a lot of money.

Data Breach Prevention

There are a huge number of things that you can do as a small business to prevent incidents such as those detailed above from happening, and it can be difficult to figure out exactly where to begin, especially if you are a small business with either no IT department, or a very small one. Fortunately, there are a number of UK Government initiatives and international standards and certifications that can be used to make sure that you’re doing everything you can as a small business. Two of the most important are ISO 27001 and the Cyber Essentials Scheme. The former is for smaller businesses with significant cyber security needs, and the latter is useful for all businesses.

For more information on how adhering to these schemes can help you guard against cyber security incidents, read our article which explains what they contain here.

However, some of the main points that all small businesses should think about are the following:

Have your business systems and network been set up correctly to mitigate against attacks?
Are permissions management policies in place to ensure that only the right people have access to the right data? This can be as basic as having a password policy for computers.
Do computers have the right malware protection software on them? This can help prevent viruses and other software from causing issues.
Is everything up-to-date? Cyber criminals often rely on taking advantage of exploits, which are patched quickly by software providers when found, but still need to be implemented by users.
Is everyone relevant trained to understand what their responsibilities are and how they can prevent cyber crime? This might even mean basic training on how to avoid phishing scams.

GDPR Education and Training

Proper understanding of cyber security is vital for preventing serious incidents from occurring, which is why it is recommended that those responsible undertake training. Dedicated IT employees should have accredited qualifications where possible, but it is useful for just about any employee to have an understanding of what cyber security means for small businesses.

Virtual College offers two cyber security courses that will be useful for small businesses that wish to ensure their employees are clued up. The first is our Introduction to Cyber Security course, which will help any SME get to grips with protecting their business. The second is Data Protection at Work, which will help you stay on the right side of the law when it comes to holding other people's’ data.