What is a cybersecurity policy and why do you need one?

Cybersecurity policy

You’ve likely heard the term ‘cybersecurity policy’ before. But what is it? And why does your company need one? 

What do we mean by ‘policy’? 

A ‘policy’, in cybersecurity terms, is a set of principles that guide decisions within an organisation. These principles can inform the decisions senior management make or guide employees in their day-to-day activities. A great example of the latter is a password policy.

What is the purpose of a policy?

A well-crafted policy can help your organisation achieve its goals, say reducing the risk of phishing attacks or compliance with Cyber Essentials. Any policy worth its salt should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision making. 

Why are policies so important? 

According to research,  90% of security breaches occur through human error. However, improving your cybersecurity isn’t about blaming employees for their all-too-human mistakes. It’s about giving your people the tools and knowledge to better protect themselves.

According to research,  90% of security breaches occur through human error

This is where policies come in. Policies and procedures provide a roadmap for day-to-day operations. They ensure compliance with laws and regulations, offer guidance,  and even help employees make better decisions. After all, if your people don’t know which behaviours are harmful, they can’t correct them.

But clear, readily available policies have benefits beyond merely reducing the likelihood of a successful security breach. Here are just a few.

Improved efficiency 

Sometimes clear policies are all that stand between a business and organised chaos. Sure, everyone’s working, but are they all pulling in the same direction? Or adhering to company values?

When everyone is following policies and procedures, a business will generally run smoothly. Management structures and teams operate as they’re meant to while mistakes and hiccups in processes can be quickly identified and addressed. 

What’s more, when everyone understands what’s expected of them and goals are clearly defined, time and resources are managed more efficiently. And this will ultimately help you meet targets and grow. 

Better customer service 

There’s nothing more frustrating than receiving wildly different service from two separate interactions with the same organisation. It could be your utility provider, GP surgery or bank, but we’ve all experienced the irritation it causes. 

Having clear, easy-to-follow policies in place is a sure-fire way to stop your business from providing erratic customer service. When policies are followed, tasks are performed correctly and every customer receives the same high level of service – enhancing your business’s reputation to boot. 

A safer workplace 

Workplace accidents and incidents are far less likely to happen if everyone’s working to the same standards and principles. This not only reduces liability risk for your business but also cuts downtime and disruption. And, even if the worst does happen, you’ll weather it much better with a clear procedure on how to deal with it. 

How can CyberSmart help? 

We’ve discussed why policies are important but now comes the tricky bit. How do you ensure that everyone in your business has access to the policies they need to work safely? And, more important still, how do you make sure they read them?

CyberSmart Policy Manager allows you to digitally upload and share policies straight to staff’s devices through our platform, CyberSmart Active Protect. Policies can easily be uploaded through the CyberSmart Dashboard and made available to your users instantly. 

What’s more, you can be sure your employees read them. Our Dashboard provides you with a digital audit trail of when policies have been read and agreed upon. 

But what if you’re unsure of where to start when creating a new policy? Well, we’ve got you covered there too. We’ve put together a handy set of templates to help you get started. These are free to download from your CyberSmart Dashboard and easily modified to suit your business. Our policy templates include: 

  •  Data Classification policy 
  •  Cyber Essentials policy 
  •  Data Protection policy 
  •  IT Access policy 
  •  Security Awareness and Training Guidelines policy 
  •  Work From Home Covid-19 policy

We also offer a GDPR policy pack as part of our IASME and GDPR certification.

And that’s all there is to know about policies. They’re a simple tool, but one that provides an important first line of defence for your business against cyber threats. Hopefully, this blog has armed you with all the knowledge you need, but if you have any questions please get in touch, our team are always happy to help.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button

GDPR post-Brexit – an update

GDPR post-Brexit

Late last year, we published a guide to everything you need to know about GDPR after Brexit. A few things have changed since then, not least, the UK finally agreeing on a deal on 24th December 2020. So, with the terms of the UK’s exit decided, do we know anything more about what GDPR looks like post-Brexit?

What’s happened since a deal was agreed?

You may remember from our previous piece that the UK was awaiting an ‘adequacy’ decision from the European Commission (EC). In simple terms, the EC must decide whether the UK has adequate data protection measures in place for EU countries to work with it.

In the time-honoured fashion of all negotiations between Britain and EU organisations, we’re still waiting on that decision. However, as a temporary fix, the two sides have set out the ‘Trade and Cooperation Agreement’, which contains a provision for data flows. 

What does this mean for GDPR? 

The ‘Trade and Cooperation Agreement’ contains a provision allowing data flows between the EU and UK to continue as they were pre-Brexit for a maximum of six months. In other words, data can still be transferred in the way it was pre-January 2021 until June this year.

There are two ways this ‘bridging period’ could come to an end. The first is that the UK makes changes to data protection law during the period. If this happens, the UK would be outside the terms of the agreement and data transfers will immediately stop.

The second is that the EC makes a decision on the UK’s adequacy status. If this hasn’t happened by 1st April then the period will be extended to its full six-month maximum. 

Still with us? It’s also important to note that the UK has already deemed the EU’s data protection as adequate, meaning data is free to flow in the other direction too. GDPR has now been made part of UK law and renamed the ‘UK GDPR’. And, the Trade and Cooperation Agreement includes a commitment that the UK and EU will continue to cooperate on digital trade in future. 

What does your business need to do? 

If it’s business as usual until April, does your business need to do anything to ensure compliance with GDPR?

Unfortunately, the answer is yes. While data flows can continue as they are, for now, predicting the future is tricky. Some commentators are cautiously optimistic about the likelihood of a favourable adequacy decision for the UK. However, many others cite the long-standing differences in surveillance practices between the EU and UK as a potential blocker to any positive outcome.

This means that the smart thing to do, for businesses of any size, is to put in place alternative arrangements. The Information Commissioners Office (ICO) has already issued a statement urging businesses that depend on data received from EU/EEA countries to do exactly that. 

In practice, this means setting out binding corporate rules (BCRs) or standard contractual clauses (SSCs) on data protection for an EU organisation you exchange information with. This is essentially a commitment to comply with EU data rules as an individual organisation in the event that something changes at the state level.

You can find more advice on the ICO’s Brexit hub and we’ll keep bringing you further updates as we get them. 

Data privay toolbox

GDPR after Brexit – everything you need to know

GDPR after Brexit

Just when you thought the endless rounds of Brexit negotiations were finally drawing to a close and it was safe to tune into the news again, another problem has reared its head. What will happen to GDPR after Brexit? And will UK companies still be able to exchange data within the EU? 

To provide some clarity amongst the confusion, we’ve tried to answer both. So, join us on a whistlestop tour of all things Brexit and GDPR. 

Will GDPR apply in the UK after Brexit? 

Strap yourselves in, this one’s going to take some explaining. While GDPR will no longer apply ‘directly’ once the transition period ends on 31st December 2020, that doesn’t mean UK organisations no longer need to comply with it. 

This is because the Data Protection Act 2018 enshrines GDPR’s requirements in law. On top of the existing legislation, the UK government has issued a statutory instrument catchily titled ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’. In simple terms, this amends the original law and merges it with the requirements of GDPR. The outcome will be a new data protection framework known as the ‘UK GDPR’. 

Still with us? The good news is that there’s virtually no difference between the UK version of GDPR and the current EU regime. So, for the meantime at least, you should continue to comply with the requirements of the EU GDPR. 

So why all the dramatic headlines about GDPR after Brexit? 

If there’s little material difference between the current GDPR and the proposed UK version, why are we seeing headlines about the switch costing UK firms £1.6bn in compliance fees?

Well, the problem lies in how the UK’s status is defined by the EU. Once the UK leaves the EU, as a non-member state it will be reclassified as a ‘third country’. And this has big ramifications for the transfer of personal data between countries. 

Under GDPR (the EU version), transferring personal data from the European Economic Area (EAA) to third countries is only permitted in one of three circumstances.

The three options

  1. If the European Commission (EC) has issued an adequacy decision. In other words, the EC has decided the third country has adequate data protection measures in place for EU countries to work with it.
  2. If safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) are in place between organisations exchanging data. These are essentially commitments to comply with GDPR at the level of an individual company.
  3. If an approved ‘code of conduct’ is in place between the EEA and the third country. 

At the moment, no code of conduct has been agreed between the EEA and the UK. What’s more, the EC is yet to issue an adequacy decision.

This has led commentators, such as the New Economics Foundation (NEF) and UCL’s European Institute research hub, to suggest that in the event of a no-deal Brexit, UK businesses would have to undertake option two from the three circumstances listed above. 

The problem with this is that it could prove very costly. In fact, NEF estimates setting up extra compliance measures like SCCs could cost on average £3,000 for a micro-business, £10,000 for a small business and £19,555 for a medium-sized firm. For large firms, the figure could be as high as £162,790, with a cost of £1.6bn to the UK economy as a whole. 

How likely is this to happen?

While the last section might be a little scary, it’s important to stress that it is the worst-case scenario. The UK government has stated several times that it’s committed to securing an adequacy agreement with the EC. So it’s not beyond the realms of possibility that all this will be academic and we’ll see a relatively smooth transition process.

However, there are some doubts about the likelihood of the UK being granted adequacy status. And there are a couple of compelling reasons for this. First, the EU has long opposed some of the practices of the UK security services. This has led to several protracted court battles and a few defeats for British legislators. It’s felt that unless the UK is willing to change it’s surveillance practices – something it’s repeatedly refused to do – then this is likely to provide a blocker to the UK being granted adequacy status. 

Second, the UK government has committed to ‘liberalizing’ data laws as it leaves the EU. Its argument for doing this is that data is currently ‘inappropriately constrained’ by EU laws. The problem is that this is likely to render the UK’s data protection measures inadequate in the eyes of the EU. Again, leading to a scenario in which the UK becomes considered a third country without adequacy status. 

What should SMEs do? 

At this point, it’s natural to wonder what your business can do to ensure you’re ready for the transition. After all, with all the decisions being made at an international level, what can a single SME do but wait?

We don’t yet know the outcome of negotiations on the UK’s adequacy status. So planning for extra compliance measures like SSCs is a challenge. Nevertheless, as we mentioned earlier, it’s well worthwhile ensuring your business is compliant under the current GDPR regime. At the very least, this should help you stay on the right side of the new UK GDPR standard once it’s released.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

CyberSmart Privacy Toolbox

Playing politics: customer spotlight on Play Verto


‘Fun’ isn’t a word often associated with politics. Many of us tend to think of it as a game played by powerful people in oak-panelled chambers, far away from the reality of our everyday lives. And, it’s this feeling that has led to widespread disengagement from politics and distrust in our institutions.

But what if politics was a game we could all play? 

CyberSmart client, Play Verto, seeks to answer that question. The social enterprise specialises in improving community engagement through gamification. Its app, Verto, allows the public to express their political views by answering questions in a play-based format. 

By combining technology and play, Play Verto is creating a space for wider participation and plurality of opinion in politics. 

However, handling public data brings cybersecurity challenges with it. We sat down with Ben Pook, Director of Play Verto, to discuss these and how using CyberSmart Active Protect has helped overcome them.

What are the security challenges you’ve faced as a startup? 

When you are in the start-up space, you tend to play many different roles and you are thinking a million things. You quickly learn that you need to be agile to accommodate that. However, data security is not something you want to play about with. There is often a lot to consider, which can easily be forgotten or simply not considered at all.

Play Verto is a data-led decision-making company. So, inevitably, we deal with a lot of sensitive data. Our customers depend on us to safeguard this, ensuring it’s collected and stored securely. The company also emerged around the time that GDPR was coming into place, raising another challenge. 

How did CyberSmart help you resolve your security challenges?

Cybersecurity is an intimidating subject, especially when you lack rudimentary knowledge.  What we like about CyberSmart is that they ‘dumb-down’ cybersecurity and compliance for you, providing an easy step-by-step guide to make sure you have all your bases covered. They walk you through GDPR, Cyber Essentials as well as ISO27001.

It’s also helpful in the sense that it allows you to say, ‘hey, have you thought about this?’ and if not, here is what you should do. It doesn’t matter that you don’t have years of experience working in information security or the means to hire a specialist.

How far is Play Verto into setting up CyberSmart? 

We’ve gone through the whole process and we have the certificates. It’s given us a kick-start; we now use the tools and information offered by CyberSmart to constantly re-evaluate our compliance and security.

In fact, it’s become part of our routine. Whenever we onboard someone new, they go through CyberSmart’s training and install the app on their devices to ensure they meet our security standards. We also have a fortnightly team meeting on cybersecurity.

Our company culture has become much more security-focused thanks to CyberSmart. 

What role has CyberSmart played in your relationship with customers and partners?

The impact of not having the right security measures in place is massive. Our customers and partners rely on us to keep their data secure. CyberSmart offers an additional service that is critical in giving both ourselves, as well as our customers, peace of mind.

When we take on a new client, they want to understand how we collect data, how we store it, where it is stored, which servers we are using etc. With CyberSmart, all of that information is one place and easily accessible. What’s more, the certificates themselves are a demonstration that we take security seriously in the eyes of our customers. 

What cost and time benefits have you experienced since using CyberSmart? 

Well, I think it really comes down to ‘what is the cost of not using it?’. We have a pretty good security culture in our company, but it costs to be ignorant. I would rather be the fool that asked than the fool that wished he did.

CyberSmart’s monthly subscription is also perfect for those in the start-up space. Shelling out thousands of dollars in one go is tricky for a small business. The subscription model makes CyberSmart’s tools accessible to organisations in a similar position to us when we first started.

What advice would you give to someone looking to tackle similar challenges to those you’ve faced?

To be honest, I’d probably recommend CyberSmart, particularly because of their customer service. The team is amazingly responsive and there’s no such thing as a silly question.  It almost feels like a personal relationship, they do a great job of building a rapport.

Are you a start-up looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button

Mythbusting: is contact tracing safe?

We have a problem. Well, more of a puzzle. Like much of Europe, the UK is gradually emerging from the lockdown of the last few months – this is great for business, collective sanity and our social lives. But opening up brings risks. If a second wave of COVID-19 is inevitable, and many scientists think it is, how should we avoid the mistakes of our first run?

Imposing another nationwide lockdown like the one this spring risks economic ruin for an already ailing UK economy. But with a vaccination a long way off, ‘keeping calm and carrying on’ would be even more disastrous. 

One solution you’ve probably heard a lot about in the last few months is contact tracing. Or, more specifically, the new NHS COVID-19 app. Some have boldly declared the technology, coupled with testing, the answer to a return to normality. Meanwhile, others have raised serious cybersecurity and data privacy concerns. 

So, how does contact tracing work? Are privacy activists and cybersecurity experts right to be worried about it? And, are your privacy and cybersecurity really in peril? 

How does contact tracing work?

Although there are many different ways apps like this could work. For simplicity, let’s stick with how the NHS app works.

The app is incredibly simple. It uses Bluetooth to ‘ping’ any other phones (with the app downloaded) in your vicinity. The app then stores a record of anyone you’ve been in close contact with over a relevant time frame. For example, the 2-14 days symptoms typically take to appear in those who come into contact with the virus. 

If anyone receives a COVID-19 diagnosis, the app notifies everyone recorded within the infection range. It then sends a message asking users to self-isolate. 

What are the privacy concerns? 

At this point, you may be wondering what the problem is. The app seems intuitive, it has the crucial benefit of simplicity, and it’s easy to scale (after all, 79% of us own a smartphone). 

Most experts are broadly in agreement that the system is needed and a good idea. Where opinion differs is in the best way to design an app to accommodate it. 

This argument centres around whether we should be building centralised or decentralised apps to tackle contact tracing. A centralised app means that in the event a user flags a positive test result, the data from their phone is sent to a centralised database run by a healthcare body or the government. This central database then unlocks the identities of the infected person and anyone they’ve been near. 

In a decentralised model, this same process is repeated on the phone itself, meaning the government or healthcare body never receives any identifying information about app users. Instead, any data they collect is depersonalised, for example, the number of people infected and their geographic spread.

Privacy and security campaigners worry about the centralised model because it’s open to ‘scope creep’. Or, to put it another way, just because the technology is being used for benign purposes now, doesn’t mean it couldn’t be applied for mass surveillance in the future. 

The UK had planned to use a centralised model. However, partly due to these concerns, and Apple and Google declaring they wouldn’t allow its use on their phones, it’s now switched to a decentralised model

What about security? 

The other big concern about any contact tracing app stems from whether its data is completely safe from cyber attacks. A recent report from two academics specialising in cybersecurity, reveals that contact tracing apps may have some unforeseen vulnerabilities.

We won’t delve too far into the technical reasons behind the findings. In essence, most of the models for apps we’ve seen from governments so far transmit encrypted and unencrypted data side-by-side. Security experts fear that this could mean would-be hackers have an ‘in’ to identify individual users and steal their data.

Are your cybersecurity and privacy really at risk? 

We’ve outlined some of the security and privacy concerns about contact tracing apps, but how at risk is anyone who uses one?

Privacy – Had the UK government pushed ahead with its plan to use a centralised model, this would have been a very different article. However, the move to a decentralised approach has mitigated most privacy concerns. 

A decentralised app won’t share any personal information about you. It won’t share your geographic location with any third party. And, from an inter-user standpoint, the design shouldn’t allow anyone to work out who in their recent contacts has become symptomatic. 

Security – This issue is a little thornier. The questions raised by the report we mentioned earlier haven’t gone away, but at this stage, they remain theoretical problems rather than something users are reporting. What’s more, the GCHQ National Cyber Security Centre (NCSC) is aware of the findings of the report and is working towards fixing them. 

Contact tracing apps aren’t perfect, but it’s a balancing act. As with any state-run technology, they face questions about privacy and security. On the other hand, the risks to privacy are small and security is only likely to improve as the technology does. More importantly, contact tracing has enormous potential to help us get back to something more like the pre-COVID world. So perhaps the real question is can we afford not to use it? 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

The business risk that’s more worrying than Brexit

News articles have continued to highlight the impact Brexit could have on UK businesses in 2020. With everything from visas to regulations and import taxes, businesses face a lot of uncertainty in the coming years.  

However, despite Brexit continuing as a hot topic in business media, surveys have found that it is not the most pressing issue on business leaders’ agendas. Instead, data protection topped the list

The first half of 2019 saw data breaches leave 4.1 billion records across the world exposed, and they are continuing to occur on an almost weekly basis in the UK. The rapid sophistication of cyber attacks is leaving an increasing number of UK’s businesses vulnerable to these potentially devastating breaches.

80% of CEOs concerned about cyber threat

PricewaterhouseCoopers conducted a recent survey to gauge the key areas of CEO uncertainty and how they are taking action to address them. The findings found that eight out of ten CEOs are concerned about the threats posed by a cyber attack. 

This concern emerges among a growing abundance of news stories reporting enormous data and security breaches at top companies and organisations, which end up costing them hundreds of thousands in compensation. 

One of the most publicised cases of 2019 was the British Airways breach in which the details of about 500,000 customers were stolen by hackers. As a result, BA was charged a fine of £183 million.

This is a corporate example, but even small businesses are at risk of fines for violating GDPR data protection laws. If you’re wondering if you’re GDPR compliant, CyberSmart offers a simple, non-technical path to GDPR certification.

The public wants to know businesses are protecting their data

Media coverage and market research make it clear that cyber attacks are only going to increase in frequency in 2020, both in the UK and the rest of the world. But this is not just an issue for CEOs. 

The media attention garnered by cyber attack stories have made data regulations and privacy a key issue amongst the general public, who place an increasing premium on companies that take protection of their data seriously.

It’s more important than ever to show that businesses showcase their cyber security certifications and GDPR compliance. 

Pressure from consumers has been further motivation for CEOs to consider data privacy and compliance with data regulations as two of their top issues. 57% of respondents to PwC’s report cited public fears over security as a key factor.

Cyber security starts at the foundation

However, 2020 is expected to see more CEOs focusing on the configuration of their business in order to meet the requirements of cyber resilience. In the increasingly digital landscape of the future, cyber security will no longer be an added feature for organisations to incorporate as an afterthought, but rather a critical feature to be in-built into a business’ infrastructure.

As cyber attacks continue to pose a significant threat to UK businesses in 2020, it has never been more important for companies to ensure they are compliant with data protection laws and agreements. 

CyberSmart several ways that even small businesses can take precautions against cyber threats. Our Cyber Essentials and Cyber Essentials Plus certification offers simplify the process of keeping businesses up to date with UK laws while CyberSmart Active Protect secures your company devices around the clock. 

In addition, we offer products for IASME GDPR compliance enabling you and your company to meet protection standards and have peace of mind in your service.

How does GDPR protect your customers?

How does GDPR protect your customers?

The General Data Protection Regulation, or GDPR, was brought in by the European Union in 2018. The intention was to update data protection laws across all member states and ensure that companies would become compliant in their handling of data. A lot of businesses, however, still see GDPR as a nuisance. In fact, it acts to protect customers and businesses alike. Here, we discuss exactly how that is the case.

Security of data

Under GDPR, the data of individuals became much better defined. Anything identifiable to an individual is their personal data, and under GDPR users have the right to know who is in possession of their data and which organisations are using it. Customers have to agree to actions being taken with their data, so they have a far greater level of control over what companies are doing with their personal information. If they don’t like what a company is doing, they can simply withdraw their consent and request that a company deletes the data. This not only protects the customer but also benefits the business in that it ensures individuals can have a greater feeling of comfort that their data is being used legitimately.

Transparency of data

Customers are also given the right to be informed of what the purpose their data is being used for, exactly what data is collected, and if there have been any data security breaches. These wide-ranging reforms, designed to allow for a much greater level of transparency, ensure that customers are not only more secure but are also more aware of what exactly their data entails. When individuals are allowed to download all of the data that international companies hold about them, they have a better idea of what their data actually is, and can get a better idea of what sort of access they want to let companies have. Customers, therefore, are more likely to be trusting of what exactly a company does, since data is no longer an abstract concept but something more tangible. Two-thirds of Europeans have now heard of GDPR, demonstrating the reach of the regulation and its impact in boosting awareness. Compliant companies are therefore likely to benefit from the implementation of GDPR.

With the implementation of GDPR across Europe, companies are now considering data to be an intrinsic part of cyber essentials. Data handling is key to modern business operations, and to ensure that your company is completely compliant, you may need expert help. CyberSmart can help make a complicated bit of regulation, much simpler with our Privacy toolbox, click here to find out more.

Data privay toolbox

Is GDPR going stateside?

GDPR going stateside

The introduction of the General Data Protection Regulation – a.k.a. GDPR – was introduced in 2018. This new framework standardised and updated data protection law across the European market and most importantly gave consumers more say over how their data is handled, stored and shared.

However, considering how quickly data collection and analysis technologies are developing, this legislation wasn’t a one-size-fits-all solution. Subsequently, there are a few grey areas that left many organisations feeling confused – which is risky, considering the size of the potential fines.

Now, it seems that similar legislation with its own unique nuances will appear in the United States, adding a whole new layer of data privacy legislation for companies to navigate. Here, we discuss what American data privacy law is likely to bring going into 2020.

GDPR USA – What to expect

Although data privacy is a global issue, every region is developing its own distinct regulations. Although it’s likely there will be similarities between GDPR and American data privacy legislation, currently, there are no plans for a comprehensive, nation-wide GDPR USA. Instead – much to the dismay of many international companies – every state is drawing up its own plan. Currently, the two major ones businesses need to be aware of are California’s Consumer Privacy Act (CCPA) and the SHIELD Act.


California’s Consumer Privacy Act, or CCPA, came into force as of 1 January 2020. The legislation has similarities with GDPR, however, there are important differences. For instance, under GDPR users must opt-in to third-party data sharing whereas, under CCPA, they need to opt-out. This means companies will have to have customised terms and conditions forms for Californian users. That said, the good news is that CCPA isn’t as far-reaching as GDPR. If your company turnover is less than $25 million and you don’t handle the data of more than 50,000 then the rules don’t apply.


In July 2019 New York State passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which will come into effect on 21 March 2020. Similarly to GDPR, this law is designed to standardise data privacy requirements. However, this is where it can get confusing; the wording of the legislation is suitably vague, with statements such as “data security should be appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” To add to the bill’s cryptic nature, if companies are already in compliance with historic data protection laws like HIPAA and the GLBA, they may already be compliant.

Get globally data compliant

Legislation like GDPR has global implications. With so many different laws emerging all over the world, it’s critically important that companies with international operations seek advice on data compliance and certification. Just look at some of the fines that have been dished out under GDPR – and legislation like CCPA empowers American states to enforce even heftier fines. Cyber Smart are the experts in cybersecurity compliance, and with IASME’s GDPR Readiness certification we can help your business ensure full GDPR compliance and the proper processes and policies are in place. Wherever your business operates, contact us to ensure you’re fully compliant.

Data privay toolbox

Four ways you can protect your customers

The information age has given businesses a new set of responsibilities for customer data that just didn’t exist before, including anything from basic name and address details all the way through to legally sensitive details, medical records and serious financial data. This has enabled major advances in everything from logistics to advertising and healthcare, but it’s also a major burden for companies – so how can you make sure you’re doing your best?

Change behaviours

While the tricks and tools that hackers use to get at your data are genuinely becoming ever more sophisticated, by far the most popular way to steal from you is with the good old fashioned confidence trick. Fake email solicitations, clones or mirrored websites and even the impersonation of trusted contacts can get your staff to hand over data voluntarily – so make sure a culture of suspicion is built into your workforce. Set up a secure inbox that staff can forward suspicious emails to, so IT can safely dispose of them, and make sure to train staff regularly to spot fraud.

Layer your defences

The holy grail of any hacker’s attacks is to get at not only the target of their crime but all your other data as well. While one file may not be enough to cause harm, it can be linked to other files that can be used cumulatively to carry out more serious attacks on people like identity fraud, so make sure you have several layers between other areas of your systems so one breach doesn’t cascade into several. It can also help to restrict access on a need to know basis, so accidental breaches simply can’t happen or ban things like portable disk drives just in case.

Trust the experts

While it’s totally possible to fashion your own defences, it’s hard to give your customer true peace of mind without some official credentials to back it up. Using software with IASME backed certification like Cyber Essentials or Cyber Essentials Plus ensures that you have the industry’s gold standard protection in place, and with the GDPR Readiness standard you can become GDPR compliant and showcase your efforts to world-class customer data security, which in turn can open doors to new contracts with companies who insist on only working with the most secure firms.

Keep your patches up to date

Another sadly common way that hackers access your systems is through known back doors in software that has been fixed but isn’t the latest version with repairs included. These obvious flaws are like gold dust to hackers who can just stroll right in, so it’s a good idea to get software like CyberSmart Active Protect that automatically detects old versions of operating systems as well as software vulnerabilities. Find out more.

Small businesses at risk of multimillion pound fines for breaking GDPR rules

A new survey has revealed many small business owners are still clueless about GDPR. The results suggest small businesses could be in breach of GDPR without even realising it, as half of the participants appeared confused when answering questions surrounding data protection and privacy regulations.

A worrying 4/10 didn’t know that losing paperwork could be a data breach, or that emailing or faxing personal details could potentially be breaching data regulations also.

Are you being extra careful when sending that email?

Scarily, 45% of businesses did not know that the ICO (Information Commissioner’s Office) needed to be informed when data was breached and individuals’ rights were affected. It also showed they were unaware and failing to ensure confidential paperwork such as signing in and visitor’s books were kept in a protected environment.

It’s essential as a business owner you stay well informed and aware of GDPR and data protection to ensure you continue to create trust in your employees and consumers. By staying up to date with the changing data laws, you will show that you are consistent in protecting personal and private information.

Breaking GDPR is easily done within a business – it’s as simple as storing files with personal data outside of a defined structure. Many SMEs are digitally renovating their businesses with more intricate technology, however, this essential move is increasing their exposure and vulnerability for cyber-attacks.

The fact that new threats are constantly evolving and developing – and 43% of cyber-attacks are aimed at SMEs – highlights the lack of knowledge surrounding GDPR. Small businesses now need to look at investing more time in digital security. This will not only prevent any future attacks but show that you are being proactive with your digital approach.

What can you do?

By maintaining your security and safeguarding your business, you are able to protect your organisation long term. Utilising Cyber Essentials, Cyber Essentials Plus and IASME GDPR Readiness certifications, which are compliant with the Data Protection Act (2012), you can ensure that you are prioritising your business and data while giving your employees and consumers that added assurance.

Safeguarding your data should be your priority. Considering crisis incidents such as extortion, cyber attacks, and industrial espionage are just a click away, it is critical that SMEs assess their ability to survive a cyberattack, and there are steps to take to prevent and manage this if the worst were to happen.

How confident are you that your business is fully compliant?

Data privay toolbox