Cyber safety is essential for all online users and doubly so for online business owners because you carry the responsibility for all the personal data your business handles.
The 6th principle of GDPR is integrity and confidentiality, and within that principle sits the security of the personal data you handle. You don’t need to be a tech expert to improve the security of how you work with data; a lot of it is just common sense. However, there are still a lot of small businesses that haven’t implemented even the basics.
Which is the most important stage of handling personal data?
When it comes to cyber safety, this is a bit of a trick question. As a Data Controller, you are responsible for the data from collection to disposal, and weaknesses are possible at any point in between.
Let’s look at this by stage:
Cyber safety and collection points for owner-run businesses
Website
Secure your website:
- Use a good hosting company – consider where their servers are located: does the data have to be transferred to another country?
- Use HTTPS – you need an SSL/TLS certificate. HTTPS encrypts the connection between your visitors and your website, and your visitors won’t get a browser warning message when they access it
- Ensure you have security in the actual build, either coded in or by use of a suitable plugin (e.g., Wordfence is a favourite on WordPress websites, but there are others)
- Use a complex admin password and 2FA, wherever possible
- If you use a CMS website, keep your platform, theme and plugins up to date, the same as any software you use. Check reviews and recommendations when you are choosing all your plugins, both for functionality and effectiveness and to make sure they don’t technically conflict with one another
- Live Chat – if you have this installed on your website do make sure it’s a secure service and decide how you want to use it
Devices
- All of the devices you use for your business should have a strong password and you should use the secure access options e.g., fingerprint, PIN, pattern and so on. Using the security options on your personal devices also makes them less attractive/usable to thieves!
- Encrypt wherever that’s offered – your smartphone, tablet, laptop or computer. It’s the default setting on reasonably recent smartphones
- Activate the “find my device” option and remote wipe if it’s carrying or has access to business personal data.
Never leave the default password in place for anything…
- Don’t forget your router and any extenders you use in your workplace and home. You could be one of the unlucky people who find their bandwidth is being taken up by unscrupulous neighbours as well as hackers
- Smart speakers like Alexa, Google, Siri and so on are listening all the time to hear when you call on them. Amazon, Google, etc., have recordings of what’s said (check their privacy notices and terms and conditions for details). Be aware of what you are discussing within hearing distance of such devices (theirs, not yours) if you use them
- Other smart technology in your home such as doorbells, your fridge, etc., can all give access to your other devices if you have a home or office network set up. I’m not qualified to offer you technical guidance on that, but common sense dictates that your system is only as secure as its weakest link
Email
The simple fact is that no standard email platform is secure enough for you to send personal data through it. It’s better to use an encrypted file transfer service if you need to do that.
I have used a UK-based high-security encrypted email service, Galaxkey, which includes shared folders, document transfer and signing. If you do have to share a lot of confidential data or documents, I suggest taking a look at it.
The basics are once again passwords and 2FA on your account.
Then we come to the ways in which the human element can expose your business to a cyber attack. By a very wide margin, the main risk with email is the people who use it. Here are some of the most likely mistakes that are made:
- Allowing auto-complete of email addresses
- CCing the wrong people
- Sending to the wrong person
- Falling for phishing emails by clicking on a link or replying to them – some of them are very convincing; see below for ideas to train yourself to be more aware
A few tips to help avoid these:
- To avoid auto-complete or auto CCing, check the settings on your email platform and disable this functionality unless you absolutely need it
- Have all of your emails go to your Outbox and take a second look before you press Send
- If there is an option to recall emails, use it, but bear in mind it won’t help much, e.g., Gmail’s maximum window for undoing a send is 30 seconds
- Try the Google Phishing quiz to show you what can happen and teach you to spot some of these dodgy emails. If you have cyber security insurance, some insurers offer free training that reduces your policy excess when you complete it (and keep your training up to date), e.g., Hiscox.
File transfer services
I’ve used WeTransfer for a few years and the service is encrypted. There are several similar platforms offering a generous file size transfer for free. Check how they work and if that suits you and your business and the risks you are working with.
Messenger apps
Take care which one you use and what you use it for. Guess what you should have… passwords and 2FA – Facebook Messenger uses your Facebook login (2FA!). Some services are considered more secure than others, e.g., Signal and Telegram are two, but these tend to be less widely used. Decide how comfortable you are with the risks involved for the data your business handles.
Video conferencing (Zoom)
Zoom is the most likely platform you will be using. Their support section is very helpful on security, and they have also built in some settings by default to help protect you and your users. Make sure you have the right settings in place for you and your business. Don’t forget to set up your own customised consent statement, although the automatic consent will also come up.
Other platforms have their own security settings e.g. Microsoft Teams, Skype, Google Meet, etc. You should follow your usual research process to make sure you’ve protected your business and the other users.
Out and about
If you are working whilst travelling, don’t log in to unsecured (usually the free) wi-fi in cafes, railway stations, hotels, airports, etc., to work without taking the right precautions.
The main precaution is to use a VPN. This will protect you if you have no choice but to use an unsecured wi-fi network, but be sure the VPN is reliable. If you do this regularly, use a paid-for VPN service. Check comparison articles to see which best meets your business needs.
Use a privacy screen on your laptop so others can’t view your screen. There are screen privacy apps for smartphones and tablets that make it difficult for others to read over your shoulder.
Phone – simple things are worth bearing in mind as a matter of course: use a screen lock or a physical lock, don’t leave your Bluetooth discoverable, don’t leave your mobile hotspot on, and don’t leave the phone itself in an insecure place.
Cyber safety and processing the data after collection
Platforms
When you’ve done your initial supplier due diligence then it’s all about getting your cyber safety settings right.
You decide what level of security and privacy is acceptable and safe for your business based on how you use each platform.
It’s worth taking any security challenges that come up such as those for your Google and Facebook accounts. Don’t forget, your groups and business pages need at least one additional admin or you could lose them forever if you get hacked. As always, implement 2FA and have a separate recovery email address.
Facebook hacking is on the rise, and no one is excluded from the risk. One of the top global Facebook experts, Mari Smith, had her Facebook Business Manager hacked recently, and I have been hearing of more and more similar stories – refer to Mari Smith’s blog post on being hacked for some information on how she handled it.
The overriding moral of such tales is to get all the safeguards you can in place now. Regularly check for anything that looks a bit off, pay attention to any warning messages or emails and act on them (but do be aware of possible phishing!). It will take a lot of your time to recover an account and that’s ignoring the blind panic and stress it can cause when something bad happens.
Cyber safety and storing
Storing your data covers platforms, devices, portable storage media (e.g., external hard drives or USB sticks), paper-based documents, and the physical places where all of these are kept, including your office/home.
Pay attention to:
- your due diligence
- passwords
- using a password manager (no more notes, and no having to remember a lot of them)
- biometric and other locks such as fingerprints, patterns, PINs, etc.
- encryption
- backing up your data onto an external hard drive or to the cloud e.g., MS OneDrive, Google Drive, etc.
- physical security.
Your Incident Recovery Plan
The first and most important point on this subject is to have one!
What you should end up with is a workable plan on how you can get up and running in the shortest time possible. If there’s only you, it should be a relatively simple document as you will be the person at the centre of the event.
Probably the most valuable section will be the contacts for the various services, platforms and people that you work with. Taking the time to pull this information together and record it in advance will save you much time and stress. If you like to have more detail, include attachments or URLs (but bear in mind that URLs are no use if losing access to the internet for any length of time is a real possibility).
To start, design your record (I use Excel – surprise!) and then add all your key platforms, people and services with their contact details. Then imagine all the catastrophes you consider as likely and record any other information that would help you/your team handle them.
Your lawful basis for holding the personal data in this plan is Legitimate Interest, as it’s necessary for you to hold it to use in the event of an emergency. Not having an Incident Recovery Plan is a shortcoming the ICO has identified in many organisations.
Conclusion
You can see there are recurring cyber safety themes throughout your business. Good habits will set you and your business on the right road to safe success. Losing access to parts of your business could potentially destroy it, and in any event it will cause you a great deal of stress and loss of revenue!