As a micro-enterprise you are close to your clients, and trust and confidence are key to your relationship with them. Thanks to those relationships, your clients and your entrepreneurship, you and the other European small and medium-sized enterprises generate more than 20% of the value added in the European economy [1], a total of 1,525 trillion euro [2].
In your day-to-day business you inevitably process personal data of clients, suppliers, employees, business contacts and so on. Taken together, the data processed by all small and medium-sized enterprises form one of the largest collections of personal data there is. Combined, it reveals a great deal about the business and private lives of the people it relates to (your contacts), which is what makes personal data one of the most valuable commodities [3] of the digital age. Any destruction, loss, alteration or unauthorised disclosure of, or access to, personal data can seriously harm those individuals. For the same reason, and because they are typically less well protected, small and medium-sized enterprises are increasingly targeted by phishing fraud [4] and fall victim to ransomware [9]. Even if you do not process large volumes of data, you must protect yourself and the data you process against these attacks.
To protect the personal data you hold you will, of course, need good ICT security. But security technology alone is not enough: many attacks do not target your systems directly but your personnel, trying to lure them into handing over their credentials so that the attacker can enter your (secured) ICT environment as if they were a legitimate user. After all, it is your employees who access and process the personal data, and who work in the ICT environment in which your business is conducted.
This means you must make sure that your employees handle your ICT, your business data and the personal data you process in a secure way. At the same time, you should organise your ICT environment so that, when something does go wrong, the impact can be contained and the damage repaired.
How can you ensure that your employees process personal data, and make use of your ICT environment, in a secure way?
By taking the following steps:
Organise your ICT-environment:
- Allow only known devices, managed by your company, on your company network (including Wi-Fi). If you wish, set up a separate guest Wi-Fi network so that visitors and employees using their own devices can reach the Internet without touching your company network.
- Define a role and access policy: organise the information you process (including personal data) and make sure employees can only access or modify the information they need for their job.
- Set up and enforce a password policy, for example: individual accounts for every user (no shared logins), strong and unique passwords, and temporary passwords that must be changed at first use. Ideally, passwords are kept in a password manager. Require two-factor authentication for access to critical applications and data, and for any access to user accounts from outside the office. And do not forget to change the default passwords on network devices such as routers, printers, etc.
- Make sure you have a solid, well-configured firewall and up-to-date, centrally managed antivirus software, and enable the protection features they offer. Ensure that every device connected to the network is protected.
- Keep systems, devices and software up to date by installing security updates promptly.
- Encrypt your devices and make backups. Store the backups in a secure location that is not directly reachable from your network (offline, or at least not accessible with the credentials used on your workstations), so that ransomware spreading through your network cannot destroy them too. And test that your backups can actually be restored: a backup that has never been restored is not known to work.
- Log what happens on your systems and monitor those logs, so that incidents are noticed and can be investigated.
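The backup advice above is the one item in this list that can be checked with a few lines of script rather than by policy. The following is an added example, not code from the original article or its authors, of such a check on a Unix-like system: it creates a compressed backup of a folder together with a manifest of file checksums, then proves the backup works by restoring it into a scratch directory and comparing every restored file against that manifest. The folder, archive and sample files are constructed for the example; it assumes GNU tar and either sha256sum or shasum are installed.

```shell
#!/bin/sh
# Added example (not part of the original article): make a backup of a folder
# and prove that it can be restored. Assumes GNU tar and sha256sum (or shasum).
set -eu

# Pick a SHA-256 tool: GNU coreutils sha256sum, or shasum on systems without it.
if command -v sha256sum >/dev/null 2>&1; then SUM="sha256sum"; else SUM="shasum -a 256"; fi

# Turn a possibly relative path into an absolute one, since the functions
# below cd into temporary directories.
abspath() { case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s\n' "$PWD/$1" ;; esac; }

# make_backup SRC ARCHIVE
# Archive the folder SRC into ARCHIVE (tar.gz) and write ARCHIVE.sha256, a
# manifest with the SHA-256 of every file, so a restore can be verified later.
make_backup() {
    src=$(abspath "$1")
    archive=$(abspath "$2")
    (cd "$src" && find . -type f -exec $SUM {} + | sort -k 2) > "$archive.sha256"
    tar -czf "$archive" -C "$src" .
}

# verify_backup ARCHIVE
# Restore ARCHIVE into a fresh scratch directory and compare every restored
# file with the manifest. Returns 0 only if the restore is complete and intact.
verify_backup() {
    archive=$(abspath "$1")
    manifest=$archive.sha256
    work=$(mktemp -d)
    # A truncated or corrupted archive fails to unpack: that is a failed
    # backup, however recent the file's timestamp looks.
    if ! tar -xzf "$archive" -C "$work" 2>/dev/null; then
        rm -rf "$work"
        echo "FAIL: $archive cannot be unpacked"
        return 1
    fi
    # Every file listed in the manifest must exist and hash identically.
    # (An empty manifest also fails: a backup with no files is not a backup.)
    if (cd "$work" && $SUM -c "$manifest" >/dev/null 2>&1); then
        rm -rf "$work"
        echo "OK: $archive restores cleanly"
        return 0
    fi
    rm -rf "$work"
    echo "FAIL: restored files do not match the manifest of $archive"
    return 1
}

# Walkthrough on constructed sample data (no real client data).
sample=$(mktemp -d)
mkdir "$sample/invoices"
printf 'name,email\nAcme BV,info@example.com\n' > "$sample/clients.csv"
printf 'invoice 2024-001\n' > "$sample/invoices/2024-001.txt"
backup=$(mktemp -d)/clients-backup.tar.gz

make_backup "$sample" "$backup"
verify_backup "$backup"                          # OK: ... restores cleanly

# Simulate a damaged copy (e.g. a transfer that was cut short): keep only the
# first 64 bytes. The check must report this as a failure, not as OK.
head -c 64 "$backup" > "$backup.damaged"
cp "$backup.sha256" "$backup.damaged.sha256"
verify_backup "$backup.damaged" || true          # FAIL: ... cannot be unpacked
```

Run the verification against the copy you would actually restore from (the external disk or off-site storage), not against the archive still sitting on the server: that is the copy whose integrity matters when ransomware has encrypted everything else. Because the manifest is written at backup time, a later silent change to the archive, whether corruption or tampering, shows up as a mismatch rather than being restored unnoticed.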
Be aware, and raise awareness among your employees, of:
- How to correctly handle ICT (computers, network access, etc.)
- How to deal with confidential data
- Risks (such as phishing)
Many security breaches start with an employee being tricked, and most of those can be prevented by raising awareness.
Draft an ICT and data policy and make it binding on your employees.
This policy explains to them how they should use your ICT network and devices, how they should handle personal data, how they can recognise personal data and data breaches, what private use of company devices is allowed, how to recognise and avoid phishing, how to use passwords, and so on.
By implementing the steps above you reduce the risk of falling victim to cybercrime and of seeing the personal data of your contacts end up on the street.
Moreover, by doing so you strengthen your GDPR compliance: securing data and information through organisational measures, staff awareness and correct data handling is one of the key requirements of the GDPR (Article 32 requires "appropriate technical and organisational measures" to protect personal data). This also means you reduce the risk of data breaches, and of the fines that may be imposed if you suffer a breach and cannot demonstrate that your ICT and data policies provided a sound and secure environment.
Conclusion
By taking a number of technical and organisational steps and raising awareness among your employees about (personal) data and information security, you protect yourself better against cybercrime and you reduce the risk of fines under the GDPR.
Written by Brahim Bénichou and Nadia Feci, KULeuven
[1] https://ec.europa.eu/eurostat/web/products-eurostat-news/-/EDN-20181119-1
[2] https://ec.europa.eu/growth/smes/business-friendly-environment/performance-review_en
[3] https://www.telegraph.co.uk/news/2019/01/07/data-now-important-commodity-oil-leading-qc-says/
[4] http://www.smeweb.com/2018/05/22/smes-increasingly-hit-phishing-cyber-crime/