Gone are the days when organizations, however small they were, could think about security as an afterthought. As former FBI Director Robert Mueller states, "There are only two types of companies: those that have been hacked and those that will be hacked." Today, it's a question of when, rather than if, your organization will be hacked, and it's vital that small businesses, who often have limited resources to deal with the aftermath of a brutal cyber attack (and the almost inevitable GDPR fine), put strategies in place to thwart a breach and minimize its impact.
However, the rollout of GDPR has put many startups and SMEs on the back foot - with so many operational issues to manage, security can easily take a backseat.
Honesty is the best policy
Once you've done your homework, however, you'll find the GDPR requirements surrounding a data breach are actually fairly straightforward. If you're a data processor, you are obliged to inform the data controller without undue delay as soon as you become aware of the breach. If you're a data controller, you must notify the supervisory authority within 72 hours of becoming aware of the breach; in the UK, this is the Information Commissioner's Office (ICO). In addition, you are obliged to inform the data subject about the breach without undue delay.
Data controller: a person who (alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Example: Your Business
Data processor: in relation to personal data, any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Example: Your Email Marketing Provider
Security by design
'Security by design' is a simple concept that uses a framework of people, processes and technology to mitigate a breach or, in a worst-case scenario, remedy one. Having these elements in place will offer customers some vital reassurance that your organization is capable of handling their data securely and safely, dealing with breaches, and doing its utmost to prevent any possible future attacks.
Security awareness, education and training are essential for developers and leadership personnel within startups and small businesses, so that they understand the issues and build layers of security into systems and processes. But basic cybersecurity education is also key for all employees: teaching them about phishing emails, for example, will begin to change perceptions about how easy it is for a breach to occur, and the steps to take to avoid falling victim to one. In smaller teams, it's also vital that clear roles are assigned to those responsible for security in the business, and that they have the required knowledge to carry out their responsibilities.
Consider implementing formal security frameworks, such as ISO 27001 (Information Security Management Systems). Although obtaining this standard is a significant lift, it can alter the culture and perception of a startup or small business by demonstrating the importance of security to the business. When a full ISO certification is simply too resource-intensive for a small business, elements of the approach can be extracted to help "beef up" its internal policies; this could be as simple as nominating a security committee to steer the organization or drafting incident response plans.
Education and resilience plans are one thing, but there are also a number of technological solutions available to help SMEs and startups protect their networks as well as their customers' data. There is no magic silver bullet, so a layered approach to security is the best line of defence: you could consider encryption, malware detection, email security, and anti-phishing technologies, to name a few.
This could be as simple as making clear to customers the domain from which they will receive any genuine emails from you, as it is easy to fall victim to a phishing email sent from a spoofed account. Every layer of security that reduces the likelihood of a potential attack will encourage criminals to look elsewhere for softer targets.
No matter how stringent your security defences are, you can still fall foul of a breach, but how you deal with it publicly is key to reassuring potential and existing customers and regaining their confidence. Regardless of the nature of a crisis, it is well documented that transparency and honesty help to regain trust. Taking clear steps to rebuild defences and provide the level of security necessary to avoid future breaches will help to regain customer confidence in your brand. Ultimately, the onus is on startups and SMEs to deliver the level of protection that customers, partners and investors have come to expect and deserve, or risk losing their trust to established competing brands who are perceived, not always correctly, to be a safer pair of hands.
About the Author
Rahul Powar is co-founder and CEO of Red Sift, a VC-backed London start-up building a cognitive cybersecurity platform. Rahul founded his previous company, Apsmart, bringing secure data technologies to mobile apps. Before that, he was the principal technical architect for Shazam Entertainment, where he envisioned and created the Shazam iPhone app.