Over half of Small and Medium Enterprises (SMEs) and micro businesses are confused or unaware of the rules around GDPR, according to a recent poll.
The poll comes from a survey earlier this year from the National Cyber Security Programme that revealed nearly half of UK businesses experienced at least one cyber security breach or attack in 2017.
Although GDPR came into effect in May, SMEs attitude to cyber security is still worrying as one in five say they have no plans to invest in the coming year, says Chris Mallett, Broking Manager for Aon who commissioned the recent poll.
According to Dr Emma Philpott from the UK Cyber Security Forum, GDPR has caused companies to focus on this issue but the concern is, she says, this was for too many a short-lived effect.
Dr Philpott is also CEO of the IASME Consortium, an accreditation body for assessing and certifying against the Government’s Cyber Essentials Scheme. “As soon as the deadline for GDPR passed too many thought that was job done and that’s where their responsibility ended,” she says.
“The big data breaches in the Press help to raise awareness but they can also cause data breach fatigue; a sense that the time, cost and high-end security to tackle this is complicated and overwhelming,” says Dr Philpott. “There is a lot of misunderstanding of risks, and still a worry among SMEs that it must be complicated. It is not always about high end security. It’s about having the basics in place to protect you from indiscriminate attacks. Educating staff takes time but doesn’t cost anything at all.”
Chris Mallett says there are particular vulnerabilities with the growth of flexible working with staff accessing data on-the-go. But the Bring Your Own Device culture, which sees business leaders and their teams using their personal computers, smart phones or tablets for work purposes, can expose companies to the increased risk of a cyber security breach if data is not properly encrypted and controlled, says Mallett.
The poll of 1000 SMEs carried out through OnePoll indicates around one in four of SMEs allow staff to use their own devices for work. “What’s more, it revealed one in three don’t see personal information stolen as a result of cyber attack or fraud as a data breach, with the same number admitting they’re unaware of the time limit on reporting such a loss, exposing their companies to the risk of huge fines,” says Mallett.
“I don’t think companies realise how awful the impact of a breach can be or the amount that actually has to be done,” says Dr Philpott. “It involves everything from mandatory reporting to keeping affected customers or clients informed. It can leave those clients fearful and cause reputational damage. It’s not just about replacing laptops or paying a fine.”
While many companies have professional indemnity insurance (PII) in place, there are often significant costs that professional indemnity won’t pick up, adds Aon’s Chris Mallett, who points to the poll results showing general confusion about the likely financial impact of a cyber attack (more than four out of ten admitted they had no idea).
“Around one in seven believe the costs are covered by their PII and more than three in ten choose not to insure against cyber attacks or fraud,” says Chris Mallett.
“Although fines are expected to be issued as a last resort, they can be up to €20 million or 4 per cent of annual turnover,” explains Mallett. “The risk presented by non-compliance with GDPR has the potential to bring a small business to its knees.”
Mallett says companies are surprised by how affordable cyber insurance is. “Specialist policies not only cover for the cost of responding to a breach, but also the costs of damages you’re legally liable to pay in the event of a breach or security failure, as well as associated legal costs.”
There are easy ways to take action
Mallett offers the below advice for SMEs to take action
- Install anti-virus software or check existing software is up to date on all employees’ computers and laptops. It is one of the simplest ways to prevent employees downloading potentially harmful malware that could lead to a data breach. And ask your IT team to check firewall settings.
- Have clear policies in place to create a cyber-conscious culture in the workplace (everything from password rules and backing up work to use of WhatsApp groups and what data employees can keep on their computers).
- Check on what your PII or business insurance covers and consider cyber insurance. This can cover the cost of responding to a breach, as well as damages, and also give you access to specialist support ensuring the breach will be dealt with in line with GDPR requirements. Make sure any cyber insurance comes with a pre-approved panel of providers who are immediately available in the event of a breach.
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.