Data Security and the Small Business Part 1
Policies are your friend (sort of)
With the impending doom that is the GDPR (General Data Protection Legislation) soon to be upon us, it occurred to me that, once again, the EU plutocrats have proved that government by the people and for the people remains a myth, and that any hope that our dearly beloved elected representatives have developed a real plan to combat cybercrime has been dashed.
So what does the new legislation actually mean? As with all things European, no one can be certain until the legislation actually comes into force, but it does seem likely that the cost of cyber insurance, and consequently all business insurance, will rise to accommodate the “generous” penalties that our Lords and Masters will soon be able to impose. Remarkably, and this is only a view without any legal validity whatsoever, it seems that the blame is being moved away from the perpetrators of cybercrime and onto the victims, whether they be multinational corporations, small businesses or even charities. Naturally, the people whose personal information has become public – and there are real people out there who could actually suffer – are relegated, once more, to the sidelines.
You can also be certain that whatever applies to your business or organisation, or indeed to Amazon, will not apply to governments, who, protected by the time-honoured “in the interests of national security” defence, will be spared the indignity of having to disclose that their network has been breached by some miscreant. The reality is that there is very little or no chance of bringing said miscreant to justice. Once that data is out there on the Internet it is out there forever, and no amount of legislation or fines will fix that.
It would be nice to think that all the organisations and businesses in the world would be able to protect the end user’s data, but it is a simple fact that even large organisations with whole departments of skilled security staff will be hard pressed to do so, and smaller businesses and organisations simply won’t have access to the necessary resources, either in-house or from the marketplace, to properly assess their potential exposure to a security breach, let alone detect and respond to a real incident.
So, if you don’t have the means or wherewithal to detect intrusions and protect the data you collect, then what can you actually do? That also remains to be seen until the new laws get tested in court, but a back-to-basics approach may well be a good plan. That means working out the risk yourself using your own common sense and creating policies and controls so that, on paper at least, you will have taken reasonable care to protect the user data under your care.
More on that in Part 2.