How IT Companies Can Help Small Businesses Prepare For GDPR

How IT Companies Can Help Small Businesses Prepare For GDPR


  • 21 Mar 2018
  • Written by David

The new GDPR raises many questions about cybersecurity and data protection in business. What can small businesses do and what's the role of IT?

GDPR, Cybersecurity and Data Protection for Small Businesses

The Role of IT in GDPR and Cybersecurity

A Google search for “GDPR” pulls up over six million search results. The topics range from the legislation content, to training courses and consultancy services around cybersecurity and preparing for 25th May 2018, when the new rules come into force.

This may surprise you, but as an IT company, I consider our role in the GDPR to be quite minimal. That isn’t to say that IT companies don’t have a role, but GDPR is law - all companies need to bear that in mind. It’s not just about best practice or technical solutions and products.

GDPR is about being able to comply with the law and respond appropriately to certain situations. Even if an IT company specialises in cybersecurity, they shouldn’t necessarily be your first point of contact if you’re a business that wants to be ready for this new piece of legislation.

The way I see it, Nimbus Blue, and companies like us, are implementers. A client might say, “We need to comply with GDPR. What do we require, technically, in order to be compliant?”. This is where an IT company would come in.

Speak to lawyers and qualified GDPR practitioners

To get a detailed understanding of GDPR, small and large businesses should first speak to a data protection lawyer or a qualified GDPR practitioner. Qualified practitioners can do a gap analysis and tell you where you sit in relation to the regulation.

GDPR will have an impact on cybersecurity. You need to consider how you would manage a breach. If data in your possession becomes compromised, you are now duty-bound to report it.

Cybersecurity helps you to put the appropriate processes and practices in place. A breach is stressful enough, so your incidence reporting needs to be robust.

 

GDPR Cybersecurity and Data Protection for Small Businesses quote

 

GDPR goes beyond cybersecurity

All businesses need to have a security policy that comes from the board level. And that’s not just cybersecurity, it incorporates physical security and asset security too.

For businesses managing their own IT, it is crucial that you keep your operating systems updated. This was evident in the NHS WannaCry attack last May. The incident was reported by the media as an attack on the NHS, but it wasn’t. It was an attack in the wild.

The NHS became susceptible because of its outdated systems. Making sure your operating system is up-to-date is up there with anti-virus in terms of importance. Maybe even more important.

Data protection tips for small businesses

If you’re a micro business, perhaps working with collaborators remotely, data protection and cybersecurity is very important. This is because you are, arguably, more vulnerable.

But you don’t need to spend a lot to get the basics right. Here are some security measures that you could consider:

Password authentication

How do you get in and out of your accounts? Traditional advice has been to change your passwords regularly. There are good reasons for that.

But the IT community has come to the realisation that making people change their passwords regularly is not as efficient as making your password very strong and complicated – using phrases – and changing the passwords less regularly.

Multi-factor authentication

This is used by banks to secure your bank accounts. Instead of just a password, the system has up to 3 ways of verifying who you are. Here are some things you could consider to increase the security of your business:

  • “Know” - e.g. a password or a pin code
  • “Have” - e.g. a badge that lets you into a building
  • “Are” - e.g. fingerprints, retina scan and facial recognition

One of these three is not enough on its own. That’s how multi-factor began. A good example of multi-factor is the Chip & Pin. You must have the card and know the pin. That’s multi-factor authentication.

Email providers such as Google are now using multi-factor. You have applications on your phone that generate codes that you must use in addition to your password. The codes change every 20 seconds or so.

This kind of thing is what I’d recommend for small businesses. It exponentially reduces the chances your systems and the data within it will be susceptible to cyber-attacks.

For more in-depth advice about how to make your business more secure and prepare for the GDPR, check out our Security Awareness Training.

Got a question?

Speak to our friendly team about keeping your IT systems secure and running smoothly.

Get in touch