In an age where more and more things are being connected to the Internet, cyber breaches are becoming a serious challenge for businesses.
A 2016 Internet Security Threat Report from Symantec says that 62% of data theft victims are small to mid-size businesses.
In addition, 40% of data breaches are caused by external intrusions. In this context, external intrusions refer to third parties with access to your network, or other personal devices connecting to your networks.
What the above indicates is that it is not only large businesses, which we would perceive as facing the most risk because of their clientele, that are being targeted, but also small to medium-sized operations. Studies show that the cost of a data breach is about USD 4 million.
Another important point to ponder is that, beyond the obvious fact that most businesses obtain, use and store client data, and have done so for a long time, all businesses, without exception, collect, use and store data as part of their operations.
By this I mean employee, supplier and stakeholder data. From these observations, I hope to illustrate the point that all businesses collect, use and store data, and that data security is therefore something that concerns all businesses – small, medium and large.
The real risks you face
Although this aspect should be taken seriously by all, smaller businesses find themselves particularly vulnerable for a number of reasons. Before we delve into this further, let us first answer the question: What is a small business? Is it measured in revenue, infrastructure or number of staff? A small or consolidated infrastructure does not necessarily mean small revenue streams. It’s not about the size, but rather about a way of thinking.
According to Bindu Sundaresan, a senior security professional for AT&T: “They feel like ‘Who’s going to come after me?’”
“I find that most small businesses don’t understand the impact of a cyber security breach outside of their business. They’re basically a pawn in a larger game.”
Accordingly, the days of thinking that this does not apply to you, or that it is not a priority, are over.
POPI and you
In South Africa, the Protection of Personal Information Act 4 of 2013, as amended, regulates the collection, storage and processing of information. The aim of the legislation is ultimately to create a framework and measures to regulate the security of the data so collected. It therefore urges businesses to be proactive when dealing with data and to take reasonable steps to secure it.
In addition, legislation dealing with cybercrime will be promulgated in due course.
Recommended best practice
- Don’t underestimate the threat.
- Less is more – don’t collect what you don’t really need. Collect, use and store only the information you truly need.
- Obtain consent from the owner of the information and only collect information or data where you have the required consent to do so.
- If you need to collect it, ensure you have a data collection and storage policy in place. Outline which personal information you have, where you are storing it, how you are using it and who has access to it.
- It is important that this policy is clear, understood by and easily accessible to staff and clients. In addition, ensure that it clearly outlines how you are keeping personal information safe.
- Observe and comply. In addition to implementing a policy, obtain advice on any legislative provisions in the jurisdiction you are operating in. Most businesses set minimum standards of care, or acceptable best practices, in relation to their data collection, storage and protection. Ensure you comply with these provisions and incorporate them into your data collection and storage policies.
- Educate and train your employees.
It is important that businesses critically analyse which data they are collecting, storing and processing, how safe and secure that data is, and which reasonable steps to take moving forward.