While there is some evidence that a number of SMEs have left dealing with GDPR to the last minute, this is understandable given that the consultation period only finished last month.
So, although the clock is ticking, it makes sense to check the ICO's (Information Commissioner's Office) online guidance for any last-minute updates before completing the GDPR compliance process.
GDPR is aimed primarily at protecting the personal data of your customers and contacts, but businesses also need robust protection for themselves against fraud and other malicious practices.
Cybercrime is becoming increasingly sophisticated, and there is new evidence of how much it has been costing SMEs.
Research by YouGov commissioned by Barclays Business Banking found that 44% of SMEs had suffered a cyber-attack, and a small percentage had actually had to make staff redundant to cover the cost of dealing with it. Given that there are more than 5.6 million SMEs, that theoretically equates to a loss of up to 50,000 jobs.
The average cost of each fraud has been estimated at £35,000 and, beyond lost jobs, it can also reduce investment in training, equipment and further business development.
A robust cyber security system is essential
Criminals are using ever more sophisticated measures to scam businesses into parting with money.
Among the most worrying developments are emails that appear to come from someone within the organisation, such as the CEO, instructing a member of staff to pay a bill or transfer money into a named account, and emails carrying attached "invoice" documents which, when opened, install malware that gives attackers access to the IT system. In both cases the sender's name and address can be forged, so any payment instruction or change of bank details that arrives by email should be confirmed with the apparent sender through a separate channel, such as a phone call to a number already on file, before any money moves.
It is important that businesses put in place measures to protect themselves against such scams.
They should include:
Staff training. This is key, since staff access and online activity from work devices represent the greatest weakness in most online security systems.
Using strong passwords and a password policy that helps staff follow security best practice, with technology to enforce that policy where possible. Note that routine scheduled password resets are no longer recommended by the NCSC, because they push users towards predictable variations of the same password; enforcing a minimum length, blocking known-compromised passwords and requiring multi-factor authentication, especially on email and online banking accounts, do more to stop the scams described above.
Restricting each member of staff's access to only the data and services they are authorised, and have been trained, to use, so that a single phished or compromised account cannot reach everything.
Installing, and keeping up to date, security software such as anti-spyware and anti-virus programs, to help detect and remove malicious code if it slips into the business network.
Using intrusion detection to monitor system and network activity. If the detection system suspects a potential security breach, it can raise an alarm, such as an email alert, based on the type of activity it has identified; someone in the business must be responsible for acting on those alerts.
Finally, the business should ensure staff understand their role and any relevant policies and procedures, and should reinforce this with regular cyber security awareness training.
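As an added illustration of the two email lures described above (a message that appears to come from the CEO asking for a transfer, and an "invoice" attachment), and of the kind of activity-based alert an intrusion detection system can raise, the following Python script triages inbound messages and flags the ones that should be held for out-of-band verification. This is example code written for this page, not code from the article or from any product it mentions; the company domain, the executive directory, the keyword list and the three sample messages are all constructed assumptions.

```python
"""Added example (not the article's own code): triage inbound email for
executive impersonation and invoice-attachment lures.  COMPANY_DOMAIN,
EXECUTIVES, the keyword list and the sample messages are assumptions."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"                            # assumed company domain
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}     # assumed directory entry
PAYMENT_WORDS = re.compile(
    r"\b(urgent|wire|transfer|pay(?:ment)?|invoice|bank details|account)\b", re.I)
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".js", ".html", ".iso")


def triage(raw: str) -> list:
    """Return human-readable findings for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name is a known executive, but the address is not the one on file.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' used from {addr}, expected {expected}")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Sender domain contains the company's name but is not the company domain.
    base = COMPANY_DOMAIN.split(".")[0]
    if domain and domain != COMPANY_DOMAIN and base in domain:
        findings.append(f"lookalike sender domain {domain}")

    # 4. Walk the MIME parts: gather text for keyword matching, inspect attachments.
    text = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment {filename}")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    if PAYMENT_WORDS.search("\n".join(text)):
        findings.append("payment or invoice language present")
    return findings


def should_hold(raw: str) -> bool:
    """Policy: payment language alone is normal business traffic; hold the message
    only when a sender or attachment finding is present as well."""
    return any(not f.startswith("payment") for f in triage(raw))


def build(frm, subject, body, reply_to=None, attachment=None):
    """Construct a sample message (test data, not a real email)."""
    m = EmailMessage()
    m["From"] = frm
    m["To"] = "accounts.payable@example.co.uk"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        fname, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=fname)
    return m.as_string()


# Constructed samples: CEO impersonation, invoice lure, and a genuine internal email.
CEO_FRAUD = build('"Jane Smith" <jane.smith.ceo@free-webmail.net>', "Urgent payment",
                  "I am in a meeting. Please transfer GBP 35,000 to the account below today.")
INVOICE_LURE = build('"Accounts" <accounts@example-co.uk>', "Invoice INV-1042 overdue",
                     "Please find the attached invoice.",
                     attachment=("invoice.docm", b"MZ..."))
LEGITIMATE = build('"Jane Smith" <jane.smith@example.co.uk>', "Slides",
                   "Can you send me the slides before the 3pm meeting?")

if __name__ == "__main__":
    for label, sample in [("CEO fraud", CEO_FRAUD), ("invoice lure", INVOICE_LURE),
                          ("legitimate", LEGITIMATE)]:
        print(label, "-> hold" if should_hold(sample) else "-> deliver", triage(sample))
```

The checks are deliberately simple header and content heuristics; in practice they belong alongside SPF, DKIM and DMARC enforcement on the mail gateway, and a "hold" should route the message to someone who confirms payment instructions by phone rather than by replying to the email.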