Sometimes, as with the implementation of GDPR, it pays to be small. The requirements of the General Data Protection Regulation, which come into force next year, are mostly nowhere near as onerous for companies with 250 employees or fewer as they are for large companies.
The one exception is a company whose primary business is storing and using personal data; such a company has to be careful. Other small companies don’t have to do anything different or employ anyone new. The aim of the game is simply not to get noticed by the regulator, and that means being careful and methodical in the way you handle data and in the security of your network.
Basically, if you never have a data breach and no one ever complains about the way you handle their data, you’ll be fine.
Pub chain Wetherspoon, for example, has simply got rid of its customer email database, planning to publicise menus and offers on its website and social media. Wetherspoon told tech website Wired: “We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”
By all means keep most of your business data in the cloud, but why not keep your personnel records, for example, somewhere else? If you spread your data around, then even if you do get hacked the cyber-criminals can’t get to all of it. And don’t imagine Big IT is always going to be the answer. A service outage hit Microsoft’s Outlook in September 2017: if it can happen to the world’s biggest software company it can happen to anyone.
Securing your network also means enforcing and reinforcing password discipline. As our Operations Director John Crozier says, ‘You can have the most sophisticated cyber-security software and the most robust network in the world, but it means nothing if your password is “banana”.’
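Password discipline is easier to enforce when the system refuses weak passwords at the point they are set, rather than relying on staff to remember the rules. The check below is an added illustration written for this page, not code from the author or their company: it rejects passwords that are too short, that are built on a common word (including leet-speak and appended-digit variants such as "B@nana2017!"), or that contain the user's own name. The deny list and the user-context values are constructed for the example; a real deployment would load a published list of leaked or common passwords instead.

```python
"""Minimal password-policy check: length, common-word deny list with variant
folding, and a check against user-related values (name, company, etc.)."""
from __future__ import annotations

import unicodedata

MIN_LENGTH = 12

# Constructed deny list for illustration only. In production, load a large
# published list of breached/common passwords rather than this handful.
COMMON_PASSWORDS = {"banana", "password", "qwerty", "letmein", "welcome", "123456"}

# Common leet-speak substitutions, folded back to letters so that
# "b@nana" and "pa55w0rd" still match the plain deny-list word.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def fold(password: str) -> str:
    """Return a lower-cased, leet-folded copy used for deny-list matching."""
    return unicodedata.normalize("NFKC", password).lower().translate(LEET_MAP)


def find_common_word(password: str) -> str | None:
    """Return the first deny-list word found inside the password (raw or
    leet-folded), or None. Substring matching catches "Banana2017!"-style
    variants; sorted order keeps the result deterministic."""
    candidates = {password.lower(), fold(password)}
    for word in sorted(COMMON_PASSWORDS):
        if any(word in c for c in candidates):
            return word
    return None


def check_password(password: str, user_context: tuple[str, ...] | list[str] = ()) -> list[str]:
    """Return a list of human-readable policy violations.

    An empty list means the password is acceptable. user_context holds
    values the password must not contain (username, company name, ...)."""
    problems: list[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    common = find_common_word(password)
    if common is not None:
        problems.append(f"based on the common password '{common}'")

    lowered = password.lower()
    for item in user_context:
        item_l = item.lower()
        if item_l and item_l in lowered:
            problems.append(f"contains user-related value '{item}'")

    # Rejects low-variety strings like "aaaaaaaaaaaa" that pass the length test.
    if len(set(password)) < 4:
        problems.append("too few distinct characters")

    return problems


def is_acceptable(password: str, user_context: tuple[str, ...] | list[str] = ()) -> bool:
    """Convenience wrapper: True when check_password reports no problems."""
    return not check_password(password, user_context)


if __name__ == "__main__":
    # Constructed sample inputs; "alice" and "acme" stand in for a username
    # and company name the policy should also reject.
    for pw in ("banana", "B@nana2017!", "Alice-Smith-2024!!", "correct-horse-battery"):
        result = check_password(pw, ["alice", "acme"])
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The folding step is the part worth noting: a deny list matched only against the literal string is defeated by the first capital letter or trailing digit a user adds, whereas matching the folded form against the list as a substring catches the obvious variants of "banana" without needing the list to enumerate them.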