Your Data Security : Cyber Essentials vs ISO 27001

Every single day a new story hits the headlines outlining the latest big data breach – be it British Airways, Marriott Hotels or TalkTalk. These stories are complex and multifaceted and can be difficult understand, especially for a small business owner.

As you run a business, understanding data security can seem daunting, but thanks to regulatory changes (the introduction of GDPR amongst others) there is a need to put data security front and centre within your business, for the sake of you and your customers.

Your company will be using data in many different ways. GDPR and the Data Protection Act all mean  staff records, customer data, CCTV and even emails are managed by legislative rules. The legislation means that if you don’t follow regulations, you could be in big trouble whether or not you are breached. This why your organisation needs a data security review – and why Cyber Essentials might not be enough for you (and your clients) and why ISO27001 is a better security framework for your organisation.

The Problem in More Detail

With more than 98% of UK companies operating online – be it from a simple website or social network page to a multifaceted app-based or cloud-based platform – it is fair to say that businesses of all shapes and sizes have embraced the internet. With so many businesses online, and with the economy dominated by Small and Medium sized Enterprises (SMEs), cyber-criminals are now targeting the small business owner as a viable and lucrative target. Your company’s data is more valuable than ever before and there are more threats than ever before. Put simply, you are at risk.

Risks of Being Breached

“More than half of British firms report[ed] cyber-attacks in 2019”. This was a BBC headline that highlights the true gravity of the risk of being breached in 2019 as a small business. The statistics from UK Government make for grim reading. The cost of a data breach for the average SME business is around £4,180 for lost data relating to recovery costs. Around a third of SMEs have been attacked – and successfully breached – in the past 12 months alone.

Business Ramifications

WorldPay really put the real-world business considerations into a nice and concise way, so that business owners can really understand what could happen: “Fines, fees and frustration.” The three F’s provide a clear format for outlining what the ramifications are for business. Any breach will result in regulatory fines, fees will be levied from debit and credit card providers and both your company and your beloved customers will face serious and brand-damaging frustration.

Legal Ramifications/Requirements (Even If Not Breached)

The Information Commissioner’s Office is very clear on this point. The legal ramifications, and therein requirements for businesses even if a breach has not occurred, highlights the onerous nature of the new regulatory environment. Personal data, and people’s right to safe personal data, has counterbalanced the personal data relationship away from being dominated by tech firms to being in the hands of individual EU citizens.

The ICO has a checklist for SMEs – available here – which outlines the scope of a company’s legal requirements within this new post-GDPR/DPA environment. From a legal perspective, cyber security obligations on small businesses do allow a greater degree of freedom in terms of achieving compliance and managing regulatory dynamics thereafter.

However, the growing dependency on Cyber Essentials, the Government’s approved cyber security accreditation scheme, highlights a problem. The self-assessment nature of Cyber Essentials can create problems if SME owners aren’t aware of their own cyber security foundations and how their IT system interacts with their business processes. Businesses need an overall information security management system aligned to the requirements of ISO 27001

The ICO is Turning its Attention to Smaller Businesses

The ICO has issued warnings to SMEs. From 2017 onwards, the ICO started clamping down on small businesses who played fast and loose with their cyber security. According to the ICO, between May 2018 and May 2019, they received nearly 14,000 personal data breach reports from businesses and organisations.

Most of these cases were from SME’s and not big business – which sounds misleading considering the media headlines around big data breaches.

Where Do You Turn?

Deploying a functioning cyber-security framework that simultaneously remains compliant with the UK’s patchwork data security and cyber security laws along with protecting your business against cyber attack is a big undertaking. That’s where we can help – the lack of overarching rules combined with the growth of cybersecurity obligations means you need a trusted cyber security partner. Bear in mind that cybersecurity is only part of the whole data security remit of your organisation.

Six out of 10 companies do not have any emergency plans in relation to what the company would do during a cyber attack or data breach incident. Many small business owners are confused about what course of action to take to help mitigate the dangers faced by their organisations by criminal cyber activity. Only 10% of businesses without a disaster recovery process survive as a trading business. 90% of businesses without a framework and a recovery system in place are impacted by a data breach/cyber attack to such a degree they cease trading altogether.

Cyber Essentials Is Not Enough

The problems with Cyber Essentials surround the self-assessment of the accreditation process. Failure to comply can be out of your hands.

The other problem is the time-consuming nature of Cyber Essentials. Many small businesses are working hard staying afloat and many business owners find it difficult to stop ‘doing the day job of selling’ to sit down and audit their own IT infrastructure.

Why Your Company Needs a Data Protection Officer

Small businesses who process special category data need a Data Protection Officer. This includes many seemingly mundane applications, so check!  However, the benefit of having a DPO within your ranks is having greater awareness of cyber security, the risks therein and improved access to data security protection methods and systems. The financial practicalities mean recruiting a DPO can be impractical … but there is help.

How We Can Help You

As you know, we provide you with a range of IT-related services – including data recovery – but it isn’t our responsibility to make sure you are GDPR/DPA ready. It is your responsibility and you need to become compliant. You are not alone – we can help you achieve this.

A Data Security Review

To begin your journey towards proper data security compliance and protection, you need to undertake a Data Security Review. This review involves an external data security specialist evaluating and testing your organisation’s entire IT network and wider infrastructure to identify the strengths and weaknesses faced by your company and then target the vulnerabilities for action.

You’ll receive an in-depth report detailing the health of your IT estate in relation to data protection and security. You will also get recommendations to help improve your security systems and also identify major weaknesses meaning you can trust the results and take decisive action going forward.

We suggest you bypass Cyber Essentials in favour of ISO/IEC:27001:2013 because it is a globally renowned accreditation which provides a much more comprehensive standard. It is widely recognised as a the leading cyber security accreditation available and organisations that choose to undertake the implementation process can trust the outcome and the impact ISO27001 has on improved data hygiene and cyber security culture within your organisation. Other stakeholders (buyers, suppliers, lenders, investors etc) will have greatly improved confidence in your organisation as well.

Organisations that have visible data security procedures in place (e.g. ISO27001) can win more tenders, close more business and reduce their competition

Conclusion

Our Information Security-As-A-Service will help your business become proactive, robust and legally-compliant. Remember, when it comes to being attacked, it is not a case of “if” but “when. Your data security review will help your business change the way your business understands and reacts to cyber security events and demonstrates to the ICO you are taking your security obligations seriously and taking demonstrable action.

Ultimately, getting ISO27001 accreditation signals to customers, prospective customers, suppliers and other stakeholders that you are taking their security seriously and are worth doing business with.

A data security review is a positive step in the right direction.