Cybersecurity and data protection

Tim Lane Manager

Pinkham Blair Conversational Accountants Herts Beds Bucks London

While this digital transformation offers numerous benefits, it also exposes companies to cybersecurity threats and data breaches.

The threats to businesses are continuously evolving. Cyberattacks are not limited to large corporations; small and medium-sized companies are increasingly targeted. In fact, they are often seen as attractive targets because they may have valuable data and fewer security measures in place.

What is cybersecurity?

Cybersecurity for businesses encompasses a set of practices, technologies, and policies designed to protect a company’s digital assets, data, and operations from a range of cyber threats including:

Phishing attacks – Cybercriminals use fake emails, messages or websites designed to look like they are from a trusted company or person to trick employees into divulging sensitive information such as passwords or downloading malware. These attacks are often framed as urgent and needing immediate attention, so that the recipient acts before questioning their authenticity.

Ransomware – A type of malicious software that encrypts the victim’s files and data, rendering them inaccessible. The cybercriminal then demands a ransom, usually in cryptocurrency, in exchange for a decryption key to unlock the files.

Data breaches – Unauthorised access or disclosure of sensitive customer or employee data. This usually results in financial and reputational damage for both the business and individuals involved.

Insider threats – Employees or former employees may intentionally or unintentionally compromise data security. This can be the cause of other cyber threats.

Strategies for improving cybersecurity

Training – Employees should be trained in cybersecurity including how to recognise phishing attempts, use strong passwords and what to do if they suspect a breach.

Regular updates – All software should be kept as up to date as possible. The security holes that cybercriminals exploit often exist because software is out of date.

Access control – Limit access to sensitive data to only those employees who require it for their roles and use multi-factor authentication to help secure that access.

Back up data – Regularly take backups of critical data and systems to avoid loss due to malfunction or ransomware.

Cyber insurance – Insurance can be taken out to mitigate the financial losses in the case of a breach. However, the cost of this insurance is often too much for small businesses to afford.

Exit procedures – Have clear exit procedures in place to ensure an employee’s access to all systems is revoked immediately when they leave the business.

Cybersecurity regulations

In the UK, the General Data Protection Regulation (GDPR) requires personal data to be processed and stored securely and for a company to take appropriate measures to ensure it is kept safe. Specific measures are not listed, but rather a company is required to do whatever is necessary to comply given its specific situation. GDPR grants individuals rights over their personal data, including the right to access or have any data on them stored by a company deleted. There must be a legal basis for the holding and processing of personal data, which can include consent (clear and explicit consent from the individual), legal obligation, or contractual necessity.

There are also many industry-specific regulations and standards around areas such as payment card details, telecommunication, CCTV and employee rights.
