Ask the boss of a small or medium business if they have considered cyber security and their response would be similar to that given to the guy at a car rental agency trying to upsell collision damage waiver: “That’s covered with my own insurance, thanks.” Persist further and they might say: “My IT department has it covered”, even if they have no idea. In reality, rather like the customer who waives the extra insurance, they believe it won’t happen to them, or if it does, that the cost of fixing things will be modest compared with the cost of protection. It also reflects a belief that doing nothing means the problem will somehow vanish, but it won’t. The boss needs to realise that in doing nothing they are in fact increasing risks that they do not fully comprehend.
Importantly, governments have declared that cyber security is a board-level issue, and not just an IT one. To emphasise this, new rules and regulations will make companies liable for any breach of data protection. The General Data Protection Regulation (GDPR), which will come into force in a little over a year’s time, brings with it the threat of fines from the regulator of up to 4 per cent of group global turnover if the company is deemed liable for a loss of data.
To understand what this means, we could perhaps look at the financial services industry, where, following the global financial crisis of 2008, the regulatory regime was heavily intensified. If you take the situation seriously and demonstrate that you have made reasonable efforts to safeguard your systems and data then the regulators will work with you. Ignore them, however, and the resulting penalties could make the actual inconvenience from a data breach the least of your problems.
So what should the prudent boss be doing about this? Just as it is sensible to look after your health and have regular check-ups, so it makes sense to have a cyber-health check for your company before these new regulations come in. You don’t need to break the bank and much of the threat can be contained by proper software, but, to continue the analogy, this is an ongoing health regime – it’s about looking after yourself all year round, not just in the two weeks before the medical.
Nor is it just about software. Research shows that almost every data breach occurs because the human firewall was at fault. Your people might be your greatest asset, but they are also your weakest link when it comes to cyber attack. State-of-the-art defensive software is necessary but not sufficient, for you or the regulator. Reviewing the systems, training your staff, and putting in place protocols both to prevent attacks where possible and to mitigate the impact when they do occur are all now needed to survive and thrive in an increasingly interconnected world.
CEO of Bronzeye IBRM
BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.