Why SMEs should care about data breaches

Ash: (00:00)
There’s lots of stories in the press about data breaches from large multinationals, but increasingly data breaches are becoming a big issue for small business.

News report: (00:10)
Now, there’s never been a better time to download the British airways app. They promise convenience, but now it’s led to the very opposite. The value of the stolen data from BA could be huge. It includes customer addresses, phone numbers, and credit card details. Experts told ITV news they could normally be worth three pounds each, a maximum of just over a million pounds. But the BA hack includes numbers on the back of cards and that brings the potential criminal value to 9.5 million pounds.

Ash: (00:43)
Welcome to cybersecurity demystified where we explore the cybersecurity threats and risks that y our small and medium sized business can face and give you some easy actionable advice to make your business more secure. My name’s Ashley and I’m a small business owner who only really started taking cybersecurity seriously when my business got hacked.

Dom: (01:03)
And I’m Dominic. I’m using my cybersecurity experience from big corporates to help small businesses.

Ash: (01:09)
So Dom, this podcast, we’re talking about data breaches. So can you break down what that means for businesses?

Dom: (01:15)
Well, a data breach is when information that is expected to be kept private and confidential to the person processing that data is breached or is leaked to the public domain and is then available to either a criminal who steals it or made public for anybody to access.

Ash: (01:34)
I mean the stories you hear in the press are a lot about customer data, credit cards, etc. So a business like mine and agency, which doesn’t handle credit card information, but how is that relevant to me? I can understand if I was a retailer.

Dom: (01:48)
Sure. Well I mean data can broadly be split into two, right? There’s, there is your, your customer data as you just described, but there’s also your own company data information that is vital to the operation of your business, whether that is your own IP or your own intellectual property or maybe that sense of information from you and your stuff. So your salary information, your HR details, uh, that, that sort of thing.

Ash: (02:13)
Okay. And also, I mean, when I think about customer data with my company, I’m not handling credit card information, but I have customer data in Zero and in HubSpot I would have thought, you know, that that’s not my responsibility. The security of those services. Is it?

Dom: (02:29)
absolutely data that you are holding your processing is your responsibility, your customers trust you, uh, to manage the data they give you. And it doesn’t have to be credit card information. PII is as defined. GDPR is personally identifiable information. So that can be name, job title, company information or any other, anything else really that identifies you personally?

Speaker 2: (02:51)
A lot of people are saying BA is more vulnerable because it’s outsourced. Some of this it work. Do you think that is the case? It can do because you’re relying on the security of those outsourced organizations. So their security processes aren’t as good as yours then potentially because they’ve got access to the same information, the hackers might see them as an easier way in.

Ash: (03:12)
So this all relates into GDPR, this kind of hot topic that all businesses have had to take seriously. So the handling of data,

Dom: (03:20)
Data breaches are always been a serious matter even before a GDPR and even with the CCPA, the California consumer privacy act, which is the same thing for the Americans that’s come along and really made it, really brought it, to the front of people’s minds through the very large fines and punishments that can be, can get for not taking good care of company’s data.

News report: (03:40)
BA also stands to lose passengers trust and financially fines could run into millions under new data protection rules.

Ash: (03:47)
And so what could some of the consequences be of having a data breach?

Dom: (03:52)
Well, if the data stolen is personally identifiable, usernames, emails, passwords, then you’re looking at identity theft, you’re looking at fraud, people perhaps accessing services such as mail with your username, with your password, and then perhaps they’re purchasing things under your, under your account and not paying for them. Perhaps they are saying things publicly under your name and leaving you libel.

Ash: (04:19)
So time for some solutions done.

Dom: (04:21)
Should I be considering? Well, the first thing to consider is make sure you look after your data. Know what data you have, know where you’re keeping it. Always use reputable services. HubSpot’s a great one, but it has a, has a cost. There are cheaper services out there. You need to check those and balance that cost saving against the perhaps lower level of security that they may have. Make sure you update all your software so that it’s not open to vulnerabilities or or known weaknesses.

Ash: (04:50)
So this, this crosses back into what we talked about in another episode. So there is a kind of interlinking of all these things together, right?

Dom: (04:55)
Yeah. All of these things are connected. You can’t do security in just one area. You have to be looking at the whole security landscape. You also need to make sure you manage your passwords, as we talked about in a previous episode.

Ash: (05:08)
Any other key points?

Dom: (05:10)
Well, the last thing is to limit who has access to this data.

Ash: (05:13)
Right.

Dom: (05:14)
Limit the places you store it. So if everybody has access and you don’t have good controls over it, the chances of somebody accidentally leaking it or of a hacker or a cyber criminal being able to access it illegally are massively increased. So make sure it’s only available to those that need it. And it’s only available in this, in the places you want it to be. Don’t store backups of all of your customer information in a text file on your hard drive, for example.

Ash: (05:45)
Okay, so it’s time for that one line, uh Dom. What’s the, uh, what’s the wrap up here? What’s the key takeaway?

Dom: (05:52)
Understand what data you have and where it is,

Ash: (05:54)
Right.

Dom: (05:55)
Secondly, it is to turn on of the security features that are available to you in your, in your application.

Ash: (06:02)
So thanks for listening, Dom and I are co founders of a business called cyber alarm. It’s a burglar alarm for the internet, a cyber security service designed specifically for small and medium sized businesses. And in terms of data breaches, Dom, how does the service help?

Dom: (06:17)
Well, we’ve developed a feature we call in the GDPR token, uh, which is a, a bit of information that you can store within your databases or within your files or within your data. Uh, and we’d get notified if that data is leaked into the public domain and we can let you know that that data has been breached and give you some advice on what to do next.