The number of small businesses is growing. In fact, at the start of 2017, small businesses accounted for 99.3% of all private sector businesses. Yet, with this growth comes the risk of security breaches: these breaches aren’t limited to the major companies.
The UK Government announced earlier this year that more than two in five businesses reported a cybersecurity breach in the past 12 months. These data breaches aren’t limited to big brands, and it’s imperative that small businesses are well equipped to deal with the risk of a breach. To quote FBI Director Mueller, “There are only two types of companies: Those that have been hacked and those that will be hacked.”
SMEs face similar challenges to any other type of organization, whether that’s a brutal cyberattack, a phishing attack, or the threat of GDPR fines. That’s why it’s so important for SMEs to implement strategies which, at best, prevent a breach and, in the worst case, minimize its consequences.
One key strategy is security by design. This is a simple concept that allows a business to mitigate or even rectify a breach, and is based on the framework of people, process and technology. Having these elements in place will provide customers with the vital reassurance that the organization is capable of dealing with breaches and is striving to prevent future attacks.
Just like sunscreen and cake, security is best when
There are a number of technology solutions available to help SMEs and startups protect their networks as well as their customers’ data. There is no one magic answer; instead, a layered approach to security is the best line of defence – think malware detection, email security, encryption, and anti-phishing technologies, where you assure customers that any email they receive from your domain genuinely originated from you, not from a spoofed account sending out phishing emails. Each level of protection reduces the attack surface and encourages criminals to look elsewhere for softer targets, so each layer also provides another boost to the confidence of your customers.
Developers and leadership teams within startups must be able to understand the issues in order to build layers of security into systems. To do so, education, training and security awareness are three key components. Beyond that, basic cybersecurity education is vital for all employees and will show how easily a breach can take place. In smaller teams, clear roles must be assigned to those responsible for security in the organization, so that they have the knowledge and influence the role requires.
Think of cybersecurity as a process
We have to think about cybersecurity as an ongoing process, rather than a checkbox to be ticked off. Implementing a security framework such as an Information Security Management System is a good starting point. Although obtaining this standard is a significant lift, the change it brings to the culture and mindset of a startup, by demonstrating the importance of security to the business, can’t be underestimated. When full ISO certification is simply too resource-intensive for a small business, you can take elements from the approach to expand your internal policies: this could be as easy as nominating a security committee to steer the organization or drafting incident response plans.
The GDPR requirements on a data breach are fairly straightforward – the processor notifies the controller and the controller notifies the data subject, unless the processor has implemented and applied appropriate technical measures (encryption) and organizational measures (ISO27001) to make the data unintelligible to unauthorised viewers. This notion of making data ‘unintelligible’ emphasizes the significance of designing systems with security in mind to protect the reputation of your company.
There’s always the possibility of a breach, however rigorous your security is; what matters most is how you deal with it publicly in order to reassure customers and regain their trust. Regardless of the nature of a crisis, it’s well known that transparency and honesty help to regain trust. Take clear steps to rebuild defences, provide the level of security necessary to avoid future breaches, and you will begin to regain customer confidence in your brand. Ultimately, it’s the SMEs’ responsibility to deliver the level of protection that customers, partners and investors deserve. If not, we risk losing their confidence to larger, established competing brands who are all too often perceived to be the safer option.