Despite the introduction of global regulations like the General Data Protection Regulation (GDPR) in Europe Australia's Notifiable Data Breaches (NDB) legislation, cybercrime remains a huge threat to businesses of all sizes.
It's only a matter of time before a major breach with profound impact occurs. Breaches weren't limited to any particular industry, either, 2018 saw high-profile data breaches in everything from healthcare to social media; from Cathay Pacific to Google Plus.
Yet it's small to medium businesses (SMBs) that are particularly vulnerable, given they make up the vast majority of all businesses, coupled with their high rate of internet usage.
Over in Australia, cybersecurity costs the economy approximately $1 billion every year and is on the rise, yet Their SMBs are remarkably overconfident about their cybersecurity strategies.
A survey of SMBs from 451 Research found that over the past two years, 71% of respondents experienced a breach or attack that resulted in operational disruption, reputational damage, significant financial losses or regulatory penalties.
Given the high failure rate of small businesses, avoiding these unnecessary disruptions should be an SMB's top priority. According to Webroot's SMB Cybersecurity Preparedness report, Australian mid-sized businesses estimate a cyber attack would cost on average $994,025 – a huge loss for any business.
Yet nearly half (49%) of those SMBs surveyed said cybersecurity was a low priority, and 90% said they already had appropriate security technologies in place.
All businesses, no matter the size, could benefit from a risk profile evaluation. Every business has different risk factors. If you don't have the expertise, a Managed Service Provider (MSP) can assess your security infrastructure and work with you to develop a plan for ongoing risk mitigation.
Given the proliferation of breaches recently (and they're just the ones that have been reported!), businesses should plan for the worst. Develop a data breach response plan that includes security experts to call and a communications response plan to notify customers, staff, and the public. Make sure you are regularly backing up your data with hard data and offline versions.
Some additional pieces of advice for business owners to ensure they're prepared and complaint include:
Know your data - Know what personal data your organisation has, where it's stored, and in what systems. Regularly schedule audits and allocate resources for this work.
Delete - Make sure any data you do not need is deleted securely. There are legal requirements for maintaining certain types of data, but when data retention is not required, disposing of it helps reduce risk.
Communicate - With any process change, effective communication is essential. Proper internal communications with employees and external communications with suppliers will help make them aware of changes and give them time to amend their own processes. Regular security awareness training is also a vital method of ensuring the team internally are able to identify security threats.
Assess - When auditing personal data processes in relation to the NDB scheme, consider if a privacy impact assessment is required.
Comply - If there is a security breach within your organisation, follow your country's regulations. Under these regulations, it's essential to be transparent and inform affected individuals within the specified timeline.
Implementing these steps could ensure small and medium businesses do indeed have a Happy New Year.