Austria
Belgium
Estonia
Finland
France
Germany
Greece
Iceland
Ireland
Italy
Netherland
Norway
Poland
Portugal
Spain
Sweden
Switzerland
Turkey
United Kingdom
Australia
Hong Kong
New Zealand
India
Indonesia
Japan
Malaysia
Philippines
Singapore
Thailand
Brazil
Chile
Colombia
Mexico
Peru
Bahrain
Israel
Morocco
UAE
Oman
Tanzania
Turkey
Essential data protection tips for SME businesses
Published
Read time
Is your data properly protected?
Data breaches – where a company has their data held ransom, leaked, or sold by hackers – are an increasingly lucrative activity for cybercriminals. And businesses are footing the bill.
According to the Cyber Security Breaches Survey, 32% of UK businesses have suffered a data breach within the last 12 months[1]. With direct response costs averaging £4250, the long-term financial impact can be significant[2]. Perhaps most damagingly, research shows that 41% of customers wouldn’t trust a company with their personal data again following a breach[3].
A steady stream of sensitive information flows through any business that has employees, clients, or customers. For a small business, how you handle this data could be the difference between swimming or sinking.
Here are some essential tips for maintaining an effective data protection strategy.
Check where you stand
Whether you’re an established company or just starting out, having a strong understanding of the data your business handles is crucial.
Personal data is any information that might identify a person, but it’s not always obvious. To gain a clearer picture of the sensitive data you’re processing day to day, you should perform an audit.
Make a list of the different types of personal data you handle, including:
- Personal details – such as names, addresses, and phone numbers
- Numbers and codes – this may include customer reference numbers and IP addresses
- Forms of identification – such as official documents and photographs
- Reviews and comments – whether glowing or scathing, these interactions can be used as identification.
You should also look at how you’re asking for information. People who give up their data should do so with the benefit of transparency. Ensure your data protection notices explain why you need their data and how it will be used.
Consider why you’re collecting the data
First and foremost, you need to make sure your legal basis for processing other people’s data stands up. There are six lawful reasons for handling someone’s data under GDPR:
- Entering a contract
- When you’re given consent
- To comply with the law
- Claiming your ‘legitimate interest’, taking full responsibility for how the data is used
- Protecting a person’s ‘vital interest’, such as their physical or financial health
- When it’s in the public interest[4].
Decide which reasons are most appropriate for your purposes and keep track of them – this will help you to demonstrate compliance if required. Importantly, if you want to change the basis for holding someone’s information, you must get permission from them first.
You should think critically about what information you truly need. There’s no point in requesting personal data that you’re not going to use. Doing so will only increase the damage a data breach could cause.
Stay on the right side of data protection guidelines
How to manage client data, follow GDPR, and protect your reputation.
Regularly audit your data stores
Most data will lose its value over time. If you’re not careful, personal data that’s no longer needed can become a liability.
At best, out-of-date and inaccurate information is an unnecessary burden on your storage capabilities. At worst, it adds dangerous fuel to the fire in a data breach.
GDPR doesn’t set time limits for storing information. Rather, it’s up to you to justify why you still need it (‘just in case’ it’s useful one day doesn’t count). You should consider whether your stated reason for processing the data still applies. If you can’t justify holding onto it any longer, that’s when you should act.
Your safest option is to simply delete any data you don’t need. Doing so ensures GDPR compliance and prevents the data from being used against you by cybercriminals. Alternatively, you could anonymise the data, allowing you to retain demographic insights without the risk of specific people being identified.
Practice good cyber hygiene
Hackers seeking to steal your business data often take a scattergun approach, hoping to hit you off guard with large numbers of crude cyberattacks. Many of these attempts can be thwarted by following the basics[5].
Cyber hygiene is a collection of strategies designed to keep sensitive data secure. Encompassing a vast array of practices, the extent of your strategy depends on your unique business needs. At a minimum, however, your strategy should include:
Encrypting key data: Sensitive information is scrambled by an algorithm, rendering it unreadable (and, therefore, useless) to an unauthorised user.
Keeping your software updated: Roughly 560,000 new malwares are detected every day[6]. Software providers regularly issue patches and updates to fix known vulnerabilities in their products. It’s best practice to install them as soon as possible to benefit from the latest protection.
Strong password management: Passwords are the key to effective cyber security. They should be at least ten characters long, with a variety of symbols, numbers, and letters[7]. Multi-factor authentication adds an additional layer of protection by requiring users to login with information sent to their personal devices.
Train your people
No matter the sophistication of your security software, it can’t negate the impact of human error.
According to Deloitte, employees falling for phishing attacks is the cause of 91% of data breaches[8]. Unlike cyberattacks which target gaps in software to steal sensitive information, phishing preys on human weaknesses. Therefore, you need to train your staff how to spot phishing attempts and how to handle them safely.
Cyberthreats are constantly evolving. To ensure your employees are suitably armed against the threats, cybersecurity training should be regularly reviewed and reinforced.
Implement device use policies
Remote working has blurred the boundaries between work and home. To keep your data safe, it’s crucial to have ground rules for employees when they’re working away from the office.
Public Wi-Fi networks should be avoided. They’re often unsecured and vulnerable to attack. Hackers can exploit the weakness to install malicious software and steal sensitive information. That means employees should be discouraged from working in public places, such as cafes and trains.
Employees should also keep their work and personal devices as separate as possible. Working on a home computer poses increased risk. Without the antivirus software and firewalls of work devices, personal devices are more vulnerable to malware. Home computers are also often shared with other family members, increasing the risk that sensitive information could accidentally be compromised.
Talk to a professional
Strong cybersecurity is achievable, no matter how small your business.
Cyber insurance provides vital protection against a wide range of cyber risks, helping you to achieve business resilience. Backed by a comprehensive cyber policy, you can mitigate threats in real time and respond quickly to stop an attack in its tracks.
Howden arranges comprehensive cyber solutions, tailored to your unique needs.