How will GDPR affect small business owners?
We sometimes suffer from déjà vu here in the 2-sec office. Whilst rifling through dusty filing cabinets in our annual spring clean, we rediscovered an article from the last quarter of 2016.
The article was headlined “UK SMEs have a False Sense of Cyber Security”. We had to re-examine the story to check the date. Surely this was an article from back in 2003, when we first started blogging on cybersecurity issues?
The article pointed out that almost three-quarters of UK SMEs STILL think they are safe from a cyberattack, despite half actually suffering a data breach in 2016.
I suppose these figures shouldn’t be such a surprise. In our experience, due to lack of time, or lack of knowledge/understanding, many SMEs pay nominal lip service to the idea of a security policy, and instead think that they are below the radar of any cyber attacker.
I was chatting to an employee from a small(ish) firm in the Midlands. He admitted that the company had recently experienced a ransomware attack, and had paid the fee demanded (around £1200) to ensure continued access to their company information. He shrugged his shoulders. “They now employ a freelance expert,” he said, but he admitted that “his bosses still didn’t understand cyber security and queried the cost of contracting external help”.
We find this a bit depressing, especially after all the media coverage of high-profile cyberattacks, noisy headlines in the popular press and the Government’s ongoing cyber security educational campaign.
But then I spoke to another SME owner who explained that “the stresses on small companies are huge. Brexit certainly looks threatening to many industries, and SME owners are just about keeping on top of everything and have no time or energy to spare to consider properly designed cyber security protection.”
This is one of the reasons that 2016 saw such an explosion in ransomware. Because these attacks are cheap to create, and because their targets lack considered analysis or evaluation, there has been a major increase in the number of companies experiencing this type of cyber incident.
On the other side of the coin, shrewd companies are not only employing cyber security professionals in their IT departments, but also systematically integrating cyber security into all their business systems.
So, in 2017 we might not only see a further growth in ransomware but also a proliferation in more creative and sophisticated attacks, as they evolve to penetrate increasingly proactive defences. We have been involved in cases where attackers are taking advantage of human nature in more manipulative ways, by sending complex offers and threats, such as ransomware disguised as job offers to disgruntled employees, to prevent suspicious contact being flagged to their employers.
But what can we do about companies that are failing to implement even the most basic IT security measures?
Perhaps the EU’s General Data Protection Regulation (GDPR) will impact these business owners enough to force them into action. Whilst it doesn’t take effect until May 2018, it will most certainly influence those who handle PII (personally identifiable information) for EU citizens. And Brexit won’t protect UK businesses: the GDPR is going to affect companies offering any type of service to the EU market, regardless of whether they store or process data on EU soil, and whether the UK stays in the EU or not.
To prepare for GDPR, organizations must conduct a systematic audit of their current and future processing of personal data and begin implementing solutions to protect it in 2017. With Data Protection Impact Assessments (DPIA) mandated by GDPR for high-risk processing, organizations that qualify must begin those processes in 2017 to meet the deadline in 2018.
So maybe this will be the disruption that some SMEs need to persuade them that they need to spend time analysing cyber security threats to their business, and to change any laissez-faire approach to information security. We have to say, working at the “coal face” of SME cyber security, we’re not completely convinced…
2-sec are holding a number of seminars through 2017 to help companies meet the challenge of auditing their data processing ready for the EU’s General Data Protection Regulation. Please get in touch and we will be more than happy to help.