Managing privacy and security for small and micro businesses
In March this year Gartner published a report forecasting that hybrid or fully remote workers will represent 67% of the UK knowledge workforce. That is a staggering number when we consider that the report focuses on employees and does not include the self-employed, or small and micro businesses engaged in knowledge and creative endeavours.
In this post we shine a light on the security implications of hybrid or fully remote working practices for small and micro businesses.
A joint study by Stanford University and security firm Tessian found that a whopping 88 percent of data breach incidents are caused by people's mistakes. While larger businesses will typically have rich and robust practices, policies and education, small and micro businesses are on their own.
What makes this an issue?
The statistics included here attract maladjusted individuals and organisations seeking to profit by doing harm. Sadly, being ‘small’ is no longer a defence mechanism, and misplaced trust or plain ignorance opens up significant risk to small businesses with no IT departments to protect them.
It can be difficult to prioritise. We may regard the risk as small, and both the cost and time involved as an irritant on an endless list of tasks to be prioritised. So here we set out some Technical and Behavioural prompts to get you thinking about different aspects of privacy and security and taking steps to stay safe from ‘malfiends’, wherever they lurk.
Technical
Most of our personal and business lives revolve around technology tools and platforms which function through the creation, utilisation and movement of huge volumes of data. That data can be targeted by malfiends for its direct commercial value or repurposed to meet alternative needs, legitimate or otherwise.
Deploy a VPN.
A VPN hides your IP address from the sites you visit and automatically encrypts the traffic between your device and the VPN provider, which stops malfiends on the same network from reading it. According to Comparitech, VPN usage is growing by 15% each year, demonstrating the growing demand for such security tools. Here is a list of vendors compiled by Techradar: The best VPN service 2023.
Separate network
A further option is to deploy a dedicated network to separate business and home network activity. Perhaps this is an OTT option, but it may be a good move anyway if your business depends on live platforms or managing large files.
Backups
Any data that has commercial, sentimental or utilitarian value should be backed up and password-protected. These days it’s pretty difficult to use a major vendor’s platforms without including their cloud-based storage capability. Personally, I also create physical backups which I may never use but they satisfy my utilitarian tendencies!
Application updates
Malfiends have sophisticated ways of finding out-of-date apps, and most vendors deliver frequent security patches to combat such threats. Don’t assume the updates are made automatically. It’s best practice to manually check for and install app updates, as well as router software and firmware updates.
Password hygiene
Here are three tips to help with password hygiene:
- Use a minimum of 12 characters and, ideally, a three-word passphrase which is logical to you but devoid of any guessable sequence.
- Password managers generate, store and retrieve passwords on demand. Very effective, just don’t expect to remember them!
- Two-factor or multi-factor authentication (MFA), requiring a code to be retrieved from a secondary device, is now a standard layer of security. It is typically mandated by online platforms; where it is not, look for voluntary options to deploy MFA.
Preventative apps
Everyone is now familiar with anti-virus (AV) software. Operating systems work hard to raise barriers to malfiends, but a dedicated anti-virus app is a good investment. There is also a growing market for anti-spam apps such as Incogni. These apps will reduce the volume of spam and the risk of identity theft, both directly and by helping to remove your profile from data brokers who make money from acquiring and reselling data about you and your business.
Practice/behaviours
Harvard Business Review reports that human error is the root cause of more than 80% of IT-related security incidents. The focus of the report is on artificial intelligence and big business, but individuals can act to reduce the risk to their own business.
Video calls
Well-publicised security breaches at the time of lockdown heralded a rapid acceleration of video platform innovation, but users should still be aware of how much information we make visible in our workspace settings when we join video calls, especially if the call is impromptu.
No paper?
I read recently that we should stop using paper because of the inherent security risk of mislaying documents or exposing their contents, especially in public settings. Personally, I despair of a world with no paper (or stationery!) so I propose having a shredder. Do what you need to do, in the way you want to do it, but remember to clean up and lock up afterwards.
Situational awareness
Paper, online or offline, all have security implications in a public setting. Using free wifi is a huge security risk, as hackers know full well how many people are now remote or hybrid working and may find it worth their while phishing in public.
I was always surprised by how much information people disclose out loud or on a screen during a commute or over a coffee. Whether it’s bravado or stupidity, be mindful and dial it down. Use screen guards and screen locks and refer back to the benefits of a VPN.
Customer data
On a related note, pay attention to customer data and a) the degree to which any breach would compromise their data and b) compliance with customer/supplier policies over and above GDPR law. As with many prompts here, this may not be very high on your priority list or you may trust you have relationships that will override any glitch. We recommend you take time, or professional advice, to compare with best practice, assess the risk, and gain control of the subject.
Margin notes
As a small or micro business working remotely from customers, partners, and suppliers it is your business to understand these risks and take action to protect yourself. This should include preventative steps because any incident will be a massive inconvenience even if the commercial or reputational impact is low.
Putting aside time and cost considerations, it may be worth engaging a specialist to advise you and perhaps run a vulnerability check so you can take targeted actions and provide peace of mind to customers, partners, investors and, most importantly, you.
For a free, initial discussion about your individual workspace, contact Wayne at wayne@mybridity.com.