Small Business Cyber Security & Data Protection


Cyber security seems to be in the press almost every day in one guise or another, and it is something that every small business should be taking seriously.

The Office for National Statistics has just released (20th July 2016) statistics revealing that almost six million fraud and cyber crimes were committed last year in England and Wales.

Of the two million computer misuse incidents reported, the majority appear to involve a computer or internet-enabled device being infected with a virus, accounting for 1.4 million incidents; the remaining 0.6 million incidents relate to “unauthorised access to personal information”.

Some scary numbers I think you will agree.

So what can you do to protect your small business in terms of cyber security?

The Government has recently published a paper, Common Cyber Attacks: Reducing The Impact, alongside a useful high-level 10 Steps to Cyber Security infographic outlining the areas you should be addressing.

Infographic: 10 Steps to Cyber Security

At a high level the overall steps are common sense; however, when you look deeper into cyber security it can get confusing quite quickly for a company that is not IT-orientated.

Cyber Essentials is a Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats, and it provides businesses of all sizes with information on good basic cyber security practice. However, with basic certification costing around £300 per annum, this could be an issue for many small businesses unless it is a requirement for their suppliers or IT security is a core part of their business activities.

The Cyber Essentials questionnaire does outline the areas you should be looking at in terms of your cyber security and is a useful resource for helping to define the IT practices, policies and procedures relating to security in your small business. You can view the Cyber Essentials information and details of the scheme at https://www.cyberstreetwise.com/cyberessentials/

However, some of the terminology can be quite confusing if you are a small business that is not technically savvy. As an example, some of the questions include:

  • Is all legacy or unsupported software isolated, disabled or removed from devices within the Scope?
  • Are users prevented from running executable code or programs from any media to which they also have write access?
  • Have all commonly attacked and vulnerable services (such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh, rexec) been disabled or blocked by default at the boundary firewalls?

Does that make sense to you?
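To show what the third question is actually asking, here is an added example (not from this post, and not part of the Cyber Essentials scheme) that audits a boundary-firewall rule set against the services the question names. The rule sets are constructed for illustration; the port numbers are the standard well-known ports for each service. A "weak" default-allow rule set with a couple of explicit blocks is placed beside a "hardened" default-deny rule set that only allows the one service the business actually publishes.

```python
# Added example: audit a boundary-firewall rule set against the legacy
# services named in the Cyber Essentials question. Rule sets below are
# constructed for illustration, not taken from the post or the scheme.
from dataclasses import dataclass
from typing import List, Optional

# Standard well-known ports for the services the question lists.
LEGACY_SERVICES = {
    "SMB": [("tcp", 445), ("tcp", 139)],
    "NetBIOS": [("udp", 137), ("udp", 138), ("tcp", 139)],
    "tftp": [("udp", 69)],
    "RPC (portmapper)": [("tcp", 111), ("udp", 111)],
    "rlogin": [("tcp", 513)],
    "rsh": [("tcp", 514)],
    "rexec": [("tcp", 512)],
}


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches every port


def decision(rules: List[Rule], default_action: str, proto: str, port: int) -> str:
    """First matching rule wins; if nothing matches, the default policy applies."""
    for r in rules:
        if r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return default_action


def exposed_services(rules: List[Rule], default_action: str) -> List[str]:
    """Names of questionnaire services still reachable inbound through the boundary."""
    exposed = []
    for name, endpoints in LEGACY_SERVICES.items():
        if any(decision(rules, default_action, p, port) == "allow" for p, port in endpoints):
            exposed.append(name)
    return exposed


# Weak (constructed): default-allow with a few explicit blocks. Blocking
# TCP 445 alone still leaves SMB reachable over TCP 139, and every other
# listed service falls through to the default.
WEAK_RULES = [Rule("deny", "tcp", 445), Rule("deny", "tcp", 23)]
WEAK_DEFAULT = "allow"

# Hardened (constructed): default-deny at the boundary; only the service the
# business actually publishes (here HTTPS) is explicitly allowed.
HARDENED_RULES = [Rule("allow", "tcp", 443)]
HARDENED_DEFAULT = "deny"

if __name__ == "__main__":
    print("weak rule set exposes:", exposed_services(WEAK_RULES, WEAK_DEFAULT))
    print("hardened rule set exposes:", exposed_services(HARDENED_RULES, HARDENED_DEFAULT))
```

The point the question is making is the default policy: "blocked by default" means the boundary denies everything inbound unless a rule explicitly allows it, so a service you forgot to think about is blocked rather than exposed.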

Data Protection Matters

It is important to remember that cyber security doesn’t only apply to the technology used to run your small business; it applies to the security of the data that you hold on your clients, suppliers and employees as well. Many small businesses are unaware of the requirement to be registered with the Information Commissioner's Office if they meet the following criteria:

If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

There is a wide range of data protection information for business owners on the ICO website: https://ico.org.uk/for-organisations/business/

Luckily for most small businesses, the cost of registering with the ICO is reasonable, with an annual fee of £35 for most organisations, including small and medium-sized businesses.

However, it is important to ensure that you have the necessary policies and procedures in place to comply if a data protection issue were to occur within your small business.

In Summary

Three common themes that we keep coming across on a regular basis are that:

  • Some small business owners do not seem to acknowledge their IT, no matter how big or small the setup, as a cyber risk because their core business is not technology-orientated.
  • Terminology in official cyber security documentation, whether from Government or business sectors, can be confusing and quite daunting to a non-technical audience.
  • Data protection registration (and the associated policies and procedures) is not widely recognised as important by many small businesses.

Even if your small business isn’t involved with IT as a core business activity, you still need to take suitable steps to ensure your IT infrastructure and data is cyber secure.

Despite the “official” guides and schemes, it doesn’t have to be overly complex and doesn’t have to hamper your day-to-day business activities. By taking some basic, common-sense steps you can help minimise the cyber risk to your business and help protect your company data.

Please get in touch if you would like simple advice, in plain English, on how you can improve your cyber security and adopt some simple but effective measures to help keep your small business cyber secure.