In Werner Herzog’s documentary Lo and Behold, Reveries of the Connected World, legendary hacker Kevin Mitnick recounts how he got his hands on confidential security information from a company’s overly helpful receptionist, simply by asking nicely and sounding like a trustworthy sort of guy. The threat from cyber criminals to small businesses from methods like these, along with sophisticated software designed to latch onto data, is very real. And the resulting cost might not just be reputational damage but could land you in some pretty steamy legal waters too.
According to the The National Crime Agency, the number of data breaches reported to the Information Commissioner’s Office (ICO) has nearly doubled in 2016. That may mean businesses are getting better at reporting breaches but there’s little doubt that the criminals are also getting smarter and finding new ways to get their hands on data.
But if you think your firewalls will protect you, it’s not as simple as that. The easiest point of entry is through people, says Rose Bernard, analyst in the cyber threat intelligence team at Control Risks, the risk consultancy. “SMEs often underestimate the threat posed by social engineering, where an individual is targeted by a cyber criminal and persuaded to disclose information that helps the perpetrator get to the data they’re really after,” Bernard says.
One of the other ways hackers can get the data they crave, like a username or password, is through a phishing email or instant message, where they’ll pose as somebody from the company so people let their guard down.
Complacency breeds crime
If you’re reading this and thinking “meh”, you’re not alone. According to a report by Juniper Research, 74% of British SMEs think they’re safe from cyber attack, despite half of them having suffered a data breach. Andrew Starr, managing director at OpenIP, an IT consultancy, agrees that SMEs can be blase when it comes to data security. “Our biggest challenge when working with clients is to get them to take cybersecurity seriously,” he says.
Some small businesses also tend to see cybercrime as a problem for the big guys with the big data, not least because they’re the ones who make the headlines when sensitive information is leaked. But if anything SMEs are even more at risk, says Bernard. “Small businesses often represent attractive targets for criminals who perceive them to be more vulnerable than larger companies with dedicated cybersecurity departments,” she warns.
Jason Hart, chief technology officer of data protection at Gemalto, the digital security company, points out that most cyber criminals don’t discriminate against small businesses. “From a bad guy’s point of view, all they want to do is consume data,” he says. “Any data.” And given how reliant businesses are becoming on data, there’s a lot more of it around to steal.
Implications of Brexit: untangling EU law
For now, the main legislation SMEs need to concern themselves with is the Data Protection Act. But having come into effect when Mark Zuckerberg was just 11 years old and the online world was in its infancy, it’s starting to feel a bit archaic. The EU’s response has been to introduce the General Data Protection Regulations (GDPR), which comes into effect in 2018 and introduces more stringent rules around the way companies collect and store data. Some of the areas it touches on are related to getting consent, reporting breaches and trans-border data transfers.
And if you’re wondering whether it matters how in or out of the EU Britain is by that stage, the message from the legal experts is loud and clear: it doesn’t. Regardless of the negotiations, you could be held legally accountable and fined if you aren’t compliant in time for the deadline.
That’s because we live in a digital world where data flows freely across borders. Even if you’re not in the EU, you can still be held accountable to its laws if you hold information on its citizens or trade with any authority or company in the EU. And Britain may well have to implement near identical laws if it’s to trade freely with EU countries. Tim Halstead, data protection consultant at HW Fisher & Company, the chartered accountancy company, believes stricter data laws are inevitable. “It’s going to happen in some form or another, especially since Britain has always taken a lead on data protection legislation. This isn’t going to go away,” he warns.
Getting the house in order
So what does good cybersecurity behaviour look like? According to Hart, your first step should be mapping out exactly what customer data you have. This audit should look factors such as whose data you collect, the permissions you seek to obtain it, who’s responsible for it and where it’s stored. “The number one question small businesses need to ask themselves is ‘what data would cause me the biggest pain, if compromised?’” Hart says. From there, you can then assess whether there’s any data you’re collecting unnecessarily and make sure you’re getting adequate consent.
Once your audit’s completed, Starr believes small businesses need to make technology their friend to comply with most laws. “We use the newest technologies to achieve compliance with data protection, including encryption, identity and access management and network security,” he says. But sometimes the solution can be relatively simple. Many SMEs only change their password every 30 days or use very basic passwords – an elementary gaffe but one that provides a hacker plenty of time to gain access to their systems. Hart recommends using one-time passwords, which are only valid for only one login session, adding that they aren’t nearly as expensive as many businesses think.
Halstead, meanwhile, believes that training and auditing staff will become even more important as data protection laws become stricter. “The regulators will want to see that you have clear policies and that you have an audit programme. It’s all very well giving staff training but if you don’t audit them they’re less likely to put it into practice,” he says.
There is help on hand, of course, and small businesses may well consider looking externally for legal advice or technical help. The government has also announced a partnership with tech startups aimed at developing cutting-edge cybersecurity technology as part of its £1.9bn National Cyber Security Programme. But the onus is on business owners to be proactive when it comes to compliance because prevention is better than cure. And cybersecurity is not just an IT issue.