Data protection is a serious business. Strict legislation governs how a company receives, stores, protects and erases data. This is especially important when it comes to the personal information of employees, clients, customers, and suppliers. If a small business owner finds themselves on the wrong side of a GDPR cybersecurity compliance or PCI audit, the reputational and financial consequences could be overwhelming.
Electronic storage is vulnerable because, whilst it makes it simple to collect, store, organise, and back up data, it also makes that data easier to steal. Nor is the risk limited to electronic theft: physical theft of the devices themselves is often overlooked. Business owners will be held responsible for data losses or lapses in security regardless of their size, so it is up to you as the small business owner to understand your obligations.
Data Protection Is Vital
Some businesses have to learn the hard way. A London sole trader left a laptop in a car and it was stolen. The laptop bag also held an external hard drive containing the financial information of around 250 customers. The drive was protected by a password, but the data itself was not encrypted, so the thief was able to read the personal details of all of these customers, including their names, dates of birth, and scans of identification documents. All of this could easily have been used for nefarious purposes, including identity theft and fraud.
The company was fined £5,000 for the negligence. It had initially faced a £70,000 fine, but was spared the larger penalty because it reported the data loss itself and was in a financially vulnerable position.
This should be seen as a wake-up call for small business owners. It is imperative that you take steps to stay on top of your own cybersecurity. In many cases, small business owners have no idea just how much personal data they are storing on their network. We regularly undertake network scans and find thousands of documents that the owners had no idea existed. In particular, it is very difficult to know what sort of personal information exists within documents or images, and it is not something that you can easily search for without specialist software.
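The kind of discovery scan described above works by walking a file share and pattern-matching the contents of each document for markers of personal data. The following Go program is an added illustration, not the authors' scanning tool: it looks for email addresses, UK mobile numbers, date-of-birth fields and UK postcodes in text-like files, and reports a count per category per file. The detectors are deliberately simple regular expressions, and the sample documents are constructed for the example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
)

// Finding records one category of personal data found in one document.
type Finding struct {
	Path     string
	Category string
	Count    int
}

// Simple detectors (example only). A production scanner would add context
// words and checksum validation to reduce false positives.
var patterns = map[string]*regexp.Regexp{
	"email":         regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`),
	"uk_phone":      regexp.MustCompile(`(?:\+44\s?7\d{3}|\b07\d{3})\s?\d{3}\s?\d{3}\b`),
	"date_of_birth": regexp.MustCompile(`(?i)\b(?:dob|date of birth)\b[^\d]{0,10}\d{1,2}[/-]\d{1,2}[/-]\d{2,4}`),
	"uk_postcode":   regexp.MustCompile(`(?i)\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b`),
}

// SampleDocs are constructed inputs: one customer record, one harmless note.
var SampleDocs = map[string]string{
	"customers/jane.txt": "Customer: Jane Doe\nEmail: jane.doe@example.com\n" +
		"Date of birth: 12/03/1984\nMobile: 07700 900123\n" +
		"Address: 1 High St, London SW1A 1AA\n",
	"notes/q3.txt": "Meeting notes: discuss Q3 budget and the new website launch.\n",
}

// ScanText counts matches for each category in one document, sorted by category.
func ScanText(path, text string) []Finding {
	var out []Finding
	for cat, re := range patterns {
		if n := len(re.FindAllStringIndex(text, -1)); n > 0 {
			out = append(out, Finding{Path: path, Category: cat, Count: n})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Category < out[j].Category })
	return out
}

// ScanDir walks root and scans every regular file with a text-like extension.
func ScanDir(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		switch strings.ToLower(filepath.Ext(p)) {
		case ".txt", ".csv", ".md", ".log", ".json":
		default:
			return nil // skip binaries, images, etc.
		}
		b, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		all = append(all, ScanText(p, string(b))...)
		return nil
	})
	return all, err
}

func main() {
	// Write the constructed documents to a temporary tree and scan it.
	root, err := os.MkdirTemp("", "pii-scan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for rel, body := range SampleDocs {
		p := filepath.Join(root, rel)
		os.MkdirAll(filepath.Dir(p), 0o700)
		os.WriteFile(p, []byte(body), 0o600)
	}
	findings, err := ScanDir(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-40s %-14s %d\n", strings.TrimPrefix(f.Path, root), f.Category, f.Count)
	}
}
```

Run it as a one-off inventory of a file share: anything it flags is data you are responsible for, and the report itself should be stored as carefully as the data it describes.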
The right action will depend on the data being collected and how it is actually used. However, you can protect your company for a comparatively nominal fee compared with what you stand to lose if you actually experience a cybersecurity attack or data breach. Your best course of action is to enlist the help of a professional to determine, first, whether the information you are collecting is really necessary, or whether there might be a better way of doing things. You also have to think about the wider security picture: are your customers aware that you have CCTV in place and that they are being recorded? Do you collect email addresses, phone numbers, and postal addresses? The electronic storage of all this data is a key concern.
It is vital that the personal data you store is encrypted and protected properly. In reality it usually pays to be overly cautious and to encrypt whenever possible.
When the Sony PlayStation Network was hacked, around 77 million accounts were stolen. The credit card data may have been encrypted, but the usernames and passwords were not; this resulted in a £250,000 fine.
Of course, backing up your data is best practice, but you should also ensure that your backups are just as secure as everything else. If you are syncing the backup across multiple devices, consider where they are all kept, who has access to them, and how secure the facility is.
Also consider the emails that might be stored on company phones; these are likely to contain sensitive data that you might not be aware of. Your employees should be fully trained in how to handle data collection and security with regard to email and, in particular, mobile devices.
The consequences of a data breach can be significant, to the point that it might just cost you your business, so rather than half-heartedly applying a sticking-plaster approach to securing your data, it makes business sense to let the professionals help you do the job properly.