How small businesses can protect their confidential data this Christmas
Christmas is a wonderful time of the year, full of holiday cheer and family get-togethers. Yet it is also the time when small businesses are at their most vulnerable. The business wind-down before the holidays can be extremely dangerous for SMEs. Having only skeleton staff present, while other employees either work remotely on insecure devices or are on annual leave, increases the potential for a data breach exponentially.
Given that the average cost of UK data breaches rose this year to £2.7 million, businesses of all shapes and sizes should be extremely wary of how their data is stored and handled – particularly during the Christmas holidays.
Allianz Insurance recently conducted a study with 500 small business leaders, finding that data loss, misuse and theft are considered the number one threat facing SMEs in 2018. With the holiday season now approaching, small businesses should begin taking the appropriate steps to protect themselves.
1. Deliver training
Christmas is the optimal time for cybercrime. Most staff members are either working from home or on annual leave, and those who do come into the office often have their guard down.
Hackers take advantage of this false sense of security through phishing scams – attempts to obtain sensitive information such as usernames, passwords and credit card details by disguising themselves as a member of the company or a trusted third party. These scams are typically carried out via email spoofing, whereby an email is sent with a forged sender address in the hope that an employee opens the email and clicks on a link that gives the hacker access to their systems.
Another deceptive approach taken by holiday hackers is to carry out man-in-the-middle (MitM) attacks. With flexible working becoming an increasingly popular arrangement, employees are likely to work remotely during the holidays to spend more time with their family, often using public WiFi networks in coffee shops, trains and hotels. However, public WiFi networks are insecure, and competent hackers can compromise the private communications made from the employee’s device, injecting new messages and impersonating the other party to make them reveal sensitive information.
Hackers will already be preparing for the holiday season, meaning SMEs should do the same. Managers should deliver comprehensive training on how to avoid damaging data breaches and how to react should one occur. For example, employees should be taught how to create secure passwords that are unique and changed regularly, and the importance of not sharing them should be highlighted.
Training sessions should be delivered on spotting a potential phishing scam and how to alert the appropriate members of staff. Finally, small companies can specify that company-owned devices should only be used for work-related activities, have strong passwords and only be used in locations with secure WiFi networks.
2. Establish a clean desk policy
Cybersecurity is quite rightly a business priority for many SMEs. A recent report published by Beaming found that UK businesses are attacked online every 2.5 minutes. However, small businesses often forget the importance of securely storing and destroying sensitive paper documents. A report published by the ICO in 2016 showed that 40% of data security incidents were related to paperwork, indicating the risk of leaving private information like credit card details and payroll documents accessible to external parties.
Implementing a clean desk policy (CDP), whereby employees are asked to leave their workspaces clutter-free at the end of each day, offers a potential solution. Criminals can copy or steal hard copies of documents to commit fraud or blackmail employees, yet SMEs can reduce this risk by regularly decluttering their workspaces and leaving no sensitive information on
Putting a clean desk policy into action is undoubtedly difficult even in smaller companies, yet it remains achievable if the correct steps are taken from the outset. For example, the entire senior management team should agree to commit to the policy; without pressure from the top, the average employee is unlikely to change their habits.
The policy should also be communicated across the company, perhaps through an email with the document attached. Explaining the reasoning behind the policy will help to get everyone on board and create a cohesive approach.
Finally, SMEs should make it easy for employees to store or dispose of their paper documents. A dedicated storage space for documents should be created, with strong security protocols in place to protect its contents.
3. Increase physical security measures
In their efforts to implement cybersecurity measures, small business owners should not neglect effective physical security – security measures that are designed to prevent theft or vandalism. Having staff physically present in the office is often the best deterrent against theft, yet a quieter office is unavoidable for most SMEs during the holidays. With fewer employees at their desks, external parties are more likely to breach the premises and take confidential information.
Steps should be taken to ensure access to the site is only granted to employees and their invitees, such as by introducing key cards and passcodes to enter the building. Likewise, office space should be monitored regularly, both by security personnel and CCTV. Investing in high-quality alarms is also always a good business decision. SMEs should not feel obliged to implement all of these security measures, however. Even designating funds for some of these policies will help to reduce the risk of a data breach, which could cost the average SME £25,736, according to Hiscox.
The Christmas holidays should be a well-deserved break for your business, a time to relax and regroup before business continues in the New Year. However, with fewer employees working and more external parties wanting to do harm to your business, confidential data is at greater risk of being compromised. Nevertheless, if the appropriate steps are taken to protect their data, both through cyber and physical security measures, SMEs can enjoy the holidays in peace.