If cyber security sounds like something only online businesses and large companies need to be aware of, you are very wrong!
Think about it: we spend a lot of time online, between personal activities on social media, internet banking and all the things we do online for our business.
In business we hire staff via online portals and engage with contractors and freelancers online. We do our business banking and bookkeeping online, as well as our email communications with clients and suppliers.
When you add up our daily online presence and then include the fact that the Internet of Things is becoming more and more a reality, there is no denying that cyber security matters and that it affects every business, large and small.
One of the things you need to be aware of is the GDPR, the EU's General Data Protection Regulation, which applies from the 25th of May 2018.
GDPR is all about privacy and personal data: it sets rules for how personal data may be collected and processed, and it requires that this data is protected against unauthorised access, loss and misuse, whether that comes from an outside attack or from a mistake inside your own business.
Personal data.
The GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable natural person: someone who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
What types of personal data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
The last five items on this list are ‘special categories’ of personal data, which the GDPR treats more strictly: processing them is prohibited unless one of a short list of specific conditions applies, such as explicit consent.
Does your company collect personal data electronically? If so, you may have to seriously look at your cyber security processes and procedures, especially the ones around management and storage of personal data. Every company that offers goods or services to people in the EU, or monitors their behaviour, is potentially subject to the GDPR regardless of where the company itself is based, and non-compliance can be very expensive: fines can reach €20 million or 4% of your global annual turnover, whichever is higher.
As entrepreneurs we need to be serious about cyber security and make educated and conscious decisions to protect our business, our customers and ourselves.
However, you don’t have a team of cyber security specialists going through your entire business to identify the risks. So where do you start?
What can you do as an entrepreneur and/or small business owner to create more awareness around cyber security and to build a risk profile for your own business without spending hundreds of hours trying to educate yourself? There aren’t enough hours in the day as it is, so what do you do?
First of all, stay out of the technical quicksand. Approach this subject from a business point of view. When you get to a point where more technical knowledge is required, you can always engage a subject matter expert. There is no direct business benefit for you in becoming a cyber security expert.
Looking at cyber security from a business point of view means that the management requirements for cyber security can be split up into 5 phases. These phases coincide with the general life cycle of a business process and loosely align with Deming’s quality cycle: Plan – Do – Check – Act (PDCA for short).
- Plan what you are going to do
- Do what you planned for
- Check / study and analyze the results of what you did in the previous step
- Act accordingly – improve the activities, measurements and expected outcomes.
Phase 1: Recognize the value of Cyber Security for the overall business
What are the business objectives to be achieved with cyber security risk management? Will it solve real problems?
These questions may seem redundant, but without truly understanding what the business benefit of implementing cyber security measures is, every task you have to do in relation to cyber security will feel like a chore and a waste of precious resources.
Being able to link it to your business objectives, on the other hand, creates energy and space to explore how you can benefit from cyber security in your business.
What real problem can you solve through cyber security? Or perhaps the question should be: what opportunity do you see? How can cyber security add value to your business?
Phase 2: Define what Cyber Security means within the context of our business
Are we specifically expressing cyber security requirements to our partners, suppliers and other third parties?
Have we identified the potential business impacts and the likelihood of each of them occurring?
Cyber security is a very broad subject, and not every security threat has an impact on your business. At this stage in the process it is important to estimate, for each threat, how likely a security breach is and what the impact on the future of your business would be if it happened. How dependent are you on using and storing sensitive information, and what happens when somebody outside of your business gets access to it?
You may also want to have a chat with your suppliers and, where possible, your third party providers. This can be challenging when you’re dealing with large companies: for example, your Mailchimp account holds email addresses and your bookkeeping system stores financial transaction data on their servers. How do they guarantee that your information is safe and secure? Under the GDPR these providers are ‘processors’ handling personal data on your behalf, and you are expected to have a written data processing agreement with each of them; most large providers publish a standard one, so at a minimum read it and check that it covers the data you actually give them.
Phase 3: Measure & Analyze How Cyber Security is currently performed
How do you identify and analyze stakeholders and their interests?
How do you determine which systems, components and functions get priority when implementing new cyber security measures?
What controls do we have in place to protect data?
Now that we know the landscape we are operating in, it’s time to figure out how we are going to measure and analyze cyber security related data.
If you can’t measure it, it is very difficult to manage. So spend some time thinking about the data points you need to report on to identify how well you are managing the safety and security of sensitive data.
Because we can’t do everything at once, it is important to prioritize. Start with the processes and systems that would suffer the most from a cyber security attack, or with the data stores that matter most, for example your customer data. How and where do you store your customer data? Who has access to it, and do they still need that access? How is access protected: is it behind a shared password, or behind individual accounts with multi-factor authentication? Do you have backups of this data, have you tested restoring them, and how do you manage the safety of the backups themselves?
Also set up Google alerts for security/data breaches at your most important external applications, for example Mailchimp or Shopify, and check those vendors’ own security notices. You need to be aware of what is happening in the world to ensure your data hasn’t been leaked, and to find out quickly: under the GDPR a personal data breach must normally be reported to your supervisory authority within 72 hours of becoming aware of it, so decide in advance what you will do (reset passwords, notify customers, contact the regulator) if one of your providers is breached.
Phase 4: Improve the Cyber Security processes
What are the things that could go wrong?
How do we decide which activities to take action on regarding cyber security?
This is where the fun starts! Now that we have a baseline of what cyber security looks like in our business, we need to have a serious look at how well we are doing it.
What can go wrong? And what is most likely to go wrong? Where are we missing steps, and what can be done more efficiently?
Of course you start with the clearly non-compliant activities that you identified in the analysis tasks of phase 3, and work your way from the highest priority to the lowest.
Phase 5: Control & Sustain the Cyber Security Objectives
Are legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, understood and managed?
Part of improving the way you handle cyber security is to ensure you stay on top of changing rules and regulations. A case in point is the 2018 GDPR in the EU: many companies are scrambling to bring their privacy and security policies up to date to comply with the new regulation.
You will need to build a regular check into your system to see whether you are still in line with the latest rules and regulations, and to confirm that the controls you put in place in phase 4 are still working as intended.
Looking at cyber security from a business angle makes it less scary and overwhelming. Think about it in a logical way to ensure that everything you do benefits your business and your long term goals.