
How security and regulations are impacting small businesses


As millions of us scramble to make sense of Covid-19 and home working becomes the new normal for office-based workers, criminals are capitalising on the widespread panic – and succeeding. New coronavirus-themed phishing scams are leveraging fear, fooling vulnerable people, and taking advantage of workplace disruption and displacement.

Indeed, research from SentinelOne shows that from February 23rd to March 16th this year, there was an upward trend of attempted attacks, with peaks at 145 threats per 1,000 endpoints, compared to averages in the 30s at the start of that period.

This is especially important in light of the GDPR regulations British SMEs must adhere to. Simply put, if your business collects and stores data on computers or in organised filing systems, then you’ll be subject to data protection laws – this includes employee personal data too.

Many business owners are conscious of the crippling €20 million or four per cent of annual turnover penalty that non-compliance can incur and understand that even the smallest and least equipped businesses must keep private information secure and accurate.

Although cashflow might be your primary concern right now, it’s imperative business leaders continue to comply with regulations and ensure their security is just as robust while employees work remotely.

So, what can businesses and their workers do to improve their cybersecurity?

The government’s National Cyber Security Centre (NCSC) published a home working guide just last month that offers tips for businesses that are introducing remote working, as well as highlighting how to identify and mitigate common cyberattack methods, such as the tell-tale signs of phishing emails. Below are some key things for SME owners to consider:

  • People first: First and foremost, remember your employees are already dealing with a lot of stress and change – so it might not make sense to overhaul a system most are used to in place of another, especially if it will require in-depth training. Those using new and unfamiliar systems are far more likely to miss signs of a cyber-threat than those using one they are well-versed in. If change is needed to support new working practices, select technology tools that emphasise ease of use and intuitiveness, so people don’t have to worry about learning something complex.
  • Review your policy: Ensure your business has adequate policies as your company transitions to having more people outside the office. For instance, do your staff know how to report any problems?
  • Is your tech fit for purpose? In addition to policy updates, ensure the technology you are using is secure and fit for purpose. For instance, setting up and supporting conferencing software that ensures both a stable voice and video connection should be a priority, as most meetings will occur virtually, and reliability is key.
  • Encrypt laptops: Although your staff won’t be travelling anywhere anytime soon, it’s important to ensure all work devices encrypt data whilst at rest. Devices don’t have to be on the move and physically accessed for information to be stolen, so protecting that data even while stationary is just as important. Most modern devices have encryption built in, but encryption may still need to be turned on and configured.
  • Don’t forget to update: Whether you’ve got IT outsourced, an in-house IT team or none at all – it’s important that your software and Virtual Private Network (VPN) (if you have one) are regularly updated with any patches. It is vulnerabilities in unpatched software versions that cybercriminals most often search for and exploit.

Where regulation fits in

The government-backed Cyber Essentials scheme is crucial for any small business – it offers a self-assessment route to protection against common cyberattacks, or you can take the certification to give you peace of mind too.

If your business handles large amounts of sensitive data, there is also the option of the ISO 27001 certification; a more in-depth process but one often looked for as a seal of approval for relevant businesses. ISO 27001 is an internationally recognised standard that demonstrates a commitment to data security, adhering to an information security management system, and fostering a culture of security awareness that encompasses all aspects of company operations and activities.

And this seal of approval is often something to consider when selecting suppliers and vendors. But remember, whilst using providers that hold this accreditation does not automatically make your business 100 per cent secure, it does ensure your provider is fostering a culture of thinking about security in every interaction and is on a continuous journey to improve it.

How Covid-19 has impacted regulations

In the wake of coronavirus, the government is taking steps to try and provide some certainty for small businesses and avoid too much change. For instance, the government has decided to defer implementation of their plans to extend the off-payroll rules (commonly known as IR35) to the public and private sector until April 6th next year.

In these uncertain times, shifts in policy mean that the ICO has said it is going to halt all GDPR fines for now. When issuing fines for Data Protection Act 2018 and GDPR breaches, the ICO will now consider whether an organisation’s security difficulties result from the coronavirus crisis.

As such, businesses found to have committed data protection violations may be given longer than usual to rectify breaches that predate the crisis, where the crisis has affected their ability to put things right. But businesses need to remember that these issues still need to be proactively tackled once uncovered; the ICO isn’t going anywhere and normal service will resume at some point.

The regulatory body said it would also now look to develop further monitoring measures that can be put in place at the end of the crisis to try to support economic growth and recovery. This could include new data protection advice services, sandboxes, codes, and international transfer mechanisms to test flexibility in safe data use.

There’s a lot on a business owner’s plate right now. Some SMEs have been hit incredibly hard by this crisis, especially in the retail space, but I do believe SMEs are uniquely placed to weather this health storm. We’re blessed with scalable technology that can provide the same functionality for big and small businesses alike, that can keep us connected and keep the community alive. Plus, our size, entrepreneurial spirit and nimble nature means we can pivot, adapt, and survive at a time where these assets are crucial.

Jonathan Richards, CEO and co-founder, Breathe

Jonathan Richards is the CEO and Founder of breatheHR. breatheHR is software that takes the hard work out of managing your employees and centralises all your employee information in one easy-to-use system.