#Privacy: How can SMEs create a data security strategy suitable for the long-term?

Data security is vital for organisations of all sizes. However, this area can present great challenges for small to medium-sized enterprises (SMEs), who must tackle compliance with limited budgets and smaller IT teams, typically without the in-house expert advice that is readily available to larger corporations.

As a result, it’s a good idea for SMEs to address their data security issues sooner rather than later, as those who act now will find themselves on the front foot when it comes to facing compliance challenges further down the line. The problem, though, is that many SMEs will be uncertain about the steps they need to take to prepare themselves for the long-term.

So, how can SMEs develop long-term data security strategies that will protect them both now and in the future?

Data: too hot to handle?

The rapid growth of digitisation means that many SMEs are now sitting on increasing piles of data, yet many underestimate its value and importance. Quite simply, this data should be viewed as information capital and must be protected from the growing risk of cyberattacks.

As firms accumulate data, they need to invest in IT systems that not only protect this data, but which also reflect their individual circumstances. As a result, many firms will be thinking about moving to cloud-based systems, if they have not done so already.

This model offers a number of benefits, such as flexibility, scalability and lower total cost of ownership (TCO), but SMEs must realise they are still responsible for their data security. A study by Veritas showed that 83% of SME Directors believed their cloud provider is accountable for protecting their clients’ data, but this is a misconception – and a potentially dangerous one at that.

Firms are still liable for their data and that of their users, regardless of whether it is stored on premises or in the cloud. This should not put firms off using the cloud, but they should be aware of any regulatory requirements. The future of work depends on connectivity, and a cloud-based infrastructure can help to empower the next generation of flexible, agile businesses, but SMEs need to be sure they’re choosing the right provider.

First and foremost, they need to raise the issue of compliance. Has the provider been fully and independently audited? What technology and resources do they have in place, and are they compliant with the latest regulations? Where and how will the data be stored?

SMEs that choose to store their data locally will need to ask themselves these same questions, so they can demonstrate compliance in these areas. Hybrid models, where data is divided between a third-party cloud provider and a company’s in-house IT system, can raise even more questions in terms of where the responsibility for data security lies.

Whichever route a firm chooses, it’s vital that its chosen solution forms a central part of its long-term business planning. Stringent regulations like PCI-DSS can often provide a model framework in this regard. If firms take steps to comply with complex and specific regulations like these, it’s far more likely that they will be prepared as new compliance hurdles emerge down the line.

Clueing up the workforce

When factoring data security into a long-term business strategy, it’s also vital to consider the people who will be tasked with using technology on the front lines every day. SMEs will likely lack specialist in-house IT teams, so it’s particularly important for employees to be compliance and security savvy.

Statistics from Accenture’s ‘The Cost of Cybercrime’ study highlight a 67% year-on-year increase in the number of data security breaches in the past five years – and nearly 80% can be attributed to new business models and technologies. This suggests that employees need to get a handle on new ways of working as soon as they’re implemented.

Most data breaches and ransomware incidents tend to be caused unwittingly by employees, but just one event can cause major reputational and financial damage. Risk assessments should be undertaken and suitable controls should be in place to protect strategic data assets. Security training should also be an essential part of every SME’s security strategy and must be updated regularly.

Planning ahead

Cybersecurity and compliance are likely to remain top priorities for businesses of all sizes and must play a key role in their long-term business strategy. SMEs who prepared for regulations like GDPR will already be aware of the intricacies involved in protecting customer data, and will therefore understand why it is important to start preparations early.

As cybersecurity threats become more sophisticated, however, it will become even more important for SMEs to adopt a proactive compliance strategy that includes carefully vetting third-party providers as well as training their own staff. In short, the more seriously that firms take data security right now, the better prepared they will be for the long-term.

By Robert Rutherford, CEO at QuoStar

Robert Rutherford is Chief Executive Officer of QuoStar, a UK-based IT consultancy and service provider specialising in digital transformation. Founded in 2005, the company supports evolving businesses in the professional services, financial and manufacturing sectors with services ranging from IT outsourcing and managed security services through to technical and strategic consultancy. Robert has over 25 years of experience working with Business IT and systems.

The post #Privacy: How can SMEs create a data security strategy suitable for the long-term? appeared first on PrivSec Report.