These days pretty much all businesses use computers in some way or another. If yours is one of them, then you need to think about cyber security. It’s a term which we’ve all heard about, but which very few of us actually see as a direct risk to ourselves or our businesses. Some people find it very rare to be impacted at all, as their habits or their obscurity keep them safe.
So it might surprise you to know that, according to HM Government, one in four companies has reported a cyber breach or attack in the last 12 months. What practical steps can your business take?
What is cyber security?
Cyber security is the process of protecting your digital assets from unauthorised access and misuse. Cyber criminals can gain from such access in a number of different ways. They can use the access to take funds directly from you, or they can take the information held on your systems and sell it or use it to gain funds illegally in other ways.
The impact on you and your business is not just financial however. A cyber attack will disrupt your business, cause reputational damage and may even lead to penalties if you are found to have been unprotected and unprepared. There are sound legal, financial and ethical reasons to keep your digital property safe, just as we do our physical property.
While the digital world and all its technicalities may not be something all small business managers want to have much to do with, there are certain responsibilities that definitely are part of your role, and can’t be ignored.
If your business handles any of your customers’, suppliers’ or employees’ personal data then you are legally obliged by The Data Protection Act to ensure that their data is protected. The key principles of the Data Protection Act state that:
- You must only collect data for a specific purpose
- You must keep the data secure – so good cyber security is essential
- You must ensure that the data is relevant and kept up to date
- You must only keep the data that you need, for as long as you need it
- You must allow the person whose data it is to see it if they request it
You may also need to register with the Information Commissioner’s Office (ICO) as a Data Controller. For more information, visit the ICO website.
If your business conducts any marketing by telephone or email, then you must follow the Privacy and Electronics Communications Regulations. The ICO has compiled a useful checklist that you can use to ensure that you have done everything you should. This is very important, as a cyber criminal can use your marketing contacts database to get up to all sorts of mischief, and you don’t want to be the cause of pain to the people that pay your wages.
So who is responsible for cyber security? Everyone working for your business has a responsibility to protect its data and that of your customers, clients and employees. Ultimately however, it is your responsibility as the business owner to ensure that your business is doing what it needs to and is compliant when it comes to data protection. The legal position is very clear.
So, where to start with your cyber security? Here are a few of the basics.
By installing anti-virus software, you can protect your computer from most malware and viruses. It’s such a simple step to take but one which so many of us forget or don’t bother updating once it has been installed.
When you get legitimate notifications telling you that your software is due to be updated, act as soon as possible. This will ensure that any security is as up-to-date and effective as possible.
Delete suspicious emails
Phishing emails appear to be from a reputable source such as your bank and they will generally ask you to click a link and confirm your details in some way. You are then taken to a fake site owned by the fraudster who wants to collect your details and misuse them. If you’re not sure who an email is from then just delete it – especially if you’re being asked to click a link or provide your personal details. If you think you should act on it, go to the site directly, not through any links in the email.
Use strong passwords
So many things need passwords these days and trying to remember them all can be frustrating. However, tempting as it might be to just use one password for everything or worse still, to not bother with them at all when it comes to work, it really is a key part of cyber security. For more information on creating strong passwords, take a look at our Experian Expert blogs on the subject.
People seem to have a real antipathy remembering lots of passwords, judging by the reports that come out every year on the most popular and poor password choices. It’s something that we all have to get over to keep our assets safe.
Processes and training
Unless you’re a sole trader, then you need to ensure that all your employees are committed to cyber security. Think about creating some basic processes which everyone can follow to ensure that they’re not putting your business data at risk. Once you have these processes outlined then you must make sure that staff are given training and refreshers. Gov.uk has created training that can be use or adapt for small businesses.
The government offers a form of assessment called Cyber Essentials which allows your business to ensure it meets certain guidelines when it comes to cybersecurity. If these are met, then your business can display a Cyber Essentials badge which shows customers and clients that you are well protected. For more information, take a look at the Cyber Essentials website.
What to do if you suffer a data breach
Your business may experience a data breach, so you need to be prepared, just like businesses have fire insurance. Sadly it is becoming a more frequent occurrence. You may have customers, clients or employees to notify, you may have reputational impact to manage and of course, you may have systems and digital assets that need securing.
It’s worth taking the trouble to reduce the chances of becoming a victim. You can take a pre-breach assessment to let you know how at risk your business is. Should the worst happen, you will want to quickly assess the situation. To help in the eventuality, it’s worth drafting a comprehensive data breach plan.
Plan, prepare and be secure. A little bit of prevention can be all that stands between a successful business and a disaster.
Ade Potts is Managing Director, Experian SME