Interior of cafe showing requirement for data protection

Data Protection Now A Crucial Requirement for Small Businesses

Putting data protection at the centre of digital businesses strategies is the key to improving trust and digital growth” – Steve Wood, ICO Deputy Commissioner

Cybersecurity and data protection is important for all businesses. Consumers need to know that their details will not be unlawfully shared, and companies must be sure that confidential plans and operational details are not accessed and abused by criminals or rival businesses.

The fallout from privacy breaches can be catastrophic, causing near-irrevocable damage to your brand’s reputation. Customers feel they can no longer trust your company, and they cost huge amounts of both time and money to resolve. You could also lose valuable business plans and confidential ideas or contacts, setting back your profits considerably. But while these are valid concerns for enterprises of any size, they’re especially significant to the small business owner.

Data breaches impact small businesses most

As the owner of a small company, you’re probably already aware that the size of your organization is something of a double-edged sword. You have flexibility and can adapt to changing market needs more quickly than your larger counterparts might be able to. With all the adjustments that have been required over the COVID-19 pandemic and subsequent shutdown measures, that adaptability might have been especially important.

However, at the same time, small businesses have fewer resources at their disposal and are less able to weather any storms than bigger corporations are. A lot of examples of that have also been seen during the recent coronavirus crisis; profit losses were insurmountable, and a lot of independent companies were forced to close. Similarly, in the case of compromised data protection, your small outfit could be hit harder than a multinational.

You’ll have less money to pursue criminals, deal with disgruntled clients and withstand a temporary drop in sales. With a narrower scope of influence, it’s also likely that your brand is not as well-known as bigger competitors, so losing customer trust could be more of an issue for you. You may also be able to change your approach and bounce back faster, but ultimately the soundest advice for small businesses is to minimize the risk of a breach in the first place. The best practices listed below are intended to help owners and operators to do just that.

Develop and publicize your privacy policy

The 2018 California Consumer Privacy Act (CCPA)’s final deadline for compliance was July 1st, 2020, and other data protection rules (including the European Union’s General Data Protection Act) are also gaining momentum and attention. As the world becomes more digital, consumers are growing more aware of their rights. Implementing the CCPA’s regulations is crucial for businesses in the United States right now and making consumers aware that they have done so is just as important.

Make sure your policy is laid out in simple language as customers have been shown to mistrust documents that contain a lot of legalese. The policy should also be clearly displayed on any company website, and there should be a way of requiring clients to agree to the terms before any transactions take place. For example, someone might have to click to say that they agree before their purchase is completed.

Encrypt data on all devices

Most smaller enterprises use a Bring Your Own Device (BYOD) policy, allowing or even requiring employees to use their personal desktops, tablets and smartphones for work. This can be a valuable way of cutting costs, but it also means that employers must make doubly sure the information on devices leaving their business premises is properly protected. That’s where data encryption, which can be activated within a few simple steps on any machine, comes in.

Implementing a Mobile Device Management (MDM) system is also very advisable. These MDMs can wipe all data on tablets and smartphones remotely, meaning it doesn’t matter where the device is at the time. If they fall into the wrong hands or go missing, sensitive information can be deleted with a few clicks. Of course, regular backups are also essential so that if data is wiped your company can still access it.

Keep online data private with VPNs and SSL encryptions

In terms of regular backups, cloud-based, server and hard copies should all be made of important documents. A key idea in data security is redundancy; if one storage system fails another one can be used and business interruptions can be kept to a minimum. In the same way, using both a Virtual Private Network (VPN) and Secure Sockets Layer (SSL) encryptions creates more of a fail-safe online data encryption situation.

With a VPN, the closed network accessible only to account holders is superimposed onto the public Internet. You’re still using the World Wide Web, but only those with clearance can get into your company’s VPN. On the other hand, SSL encryptions require the website and the user to hold encryption and decryption keys. The information travels over the internet, but it is encoded when it leaves the sender and can only be decoded when it reaches its destination.

Make two-factor authentication and strong passwords mandatory

Passwords are ubiquitous, but an alarming proportion of people use codes that are known and incredibly easy to hack, or they use the same password across multiple platforms. Set your system to require that employees change their passwords on a regular basis, that the codes are at least eight characters long, and that they contain numbers, letters and symbols. Password managers, which generate and store strong codes, are the best way to ensure this.

Two-Factor Authentication takes a little while to set up, which is the primary barrier to why people don’t use it all the time. In addition, because it involves another step, login is not immediate. However, for the extra barrier of protection it creates, these issues are minimal at best. With 2FA, the account holder must enter two pieces of information, such as a password and a One Time Pin sent to their phone.

Even if a password or phone is hacked, the criminal won’t have both pieces of information and so will still not be able to access private files. Two-Factor Authentication is recommended for internal networks and customer-facing sites. Your company won’t share client data with hackers inadvertently, and internal information transfers won’t be at any risk. As with VPNs and SSL encryptions, and a variety of backups, this goes a long way to ensuring that all-important data security redundancy.

While the threat of a data breach may be ever-present, it can be mitigated if your business implements security features, protocols and policies that follow the best practice guidelines.


Staff Writer at CPO Magazine